ssh-agent: add macOS support

modules/services/ssh-agent.nix

@@ -23,7 +23,8 @@ in
       default = "ssh-agent";
       example = "ssh-agent/socket";
       description = ''
-        The agent's socket; interpreted as a suffix to {env}`$XDG_RUNTIME_DIR`.
+        The agent's socket; interpreted as a suffix to {env}`$XDG_RUNTIME_DIR`
+        on Linux and `$(getconf DARWIN_USER_TEMP_DIR)` on macOS.
       '';
     };
 
@@ -45,26 +46,38 @@ in
     enableNushellIntegration = lib.hm.shell.mkNushellIntegrationOption { inherit config; };
   };
 
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf cfg.enable (
-    assertions = [
+    lib.mkMerge [
-      (lib.hm.assertions.assertPlatform "services.ssh-agent" pkgs lib.platforms.linux)
+      {
-    ];
-
         programs =
           let
+            socketPath =
+              if pkgs.stdenv.isDarwin then
+                "$(${lib.getExe pkgs.getconf} DARWIN_USER_TEMP_DIR)/${cfg.socket}"
+              else
+                "$XDG_RUNTIME_DIR/${cfg.socket}";
+
             bashIntegration = ''
               if [ -z "$SSH_AUTH_SOCK" ]; then
-            export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/${cfg.socket}
+                export SSH_AUTH_SOCK=${socketPath}
               fi
             '';
 
             fishIntegration = ''
               if test -z "$SSH_AUTH_SOCK"
-            set -x SSH_AUTH_SOCK $XDG_RUNTIME_DIR/${cfg.socket}
+                set -x SSH_AUTH_SOCK ${socketPath}
               end
             '';
 
-        nushellIntegration = ''
+            nushellIntegration =
+              if pkgs.stdenv.isDarwin then
+                ''
+                  if "SSH_AUTH_SOCK" not-in $env {
+                    $env.SSH_AUTH_SOCK = $"(${lib.getExe pkgs.getconf} DARWIN_USER_TEMP_DIR)/${cfg.socket}"
+                  }
+                ''
+              else
+                ''
                   if "SSH_AUTH_SOCK" not-in $env {
                     $env.SSH_AUTH_SOCK = $"($env.XDG_RUNTIME_DIR)/${cfg.socket}"
                   }
@@ -79,7 +92,9 @@ in
 
             nushell.extraConfig = lib.mkIf cfg.enableNushellIntegration nushellIntegration;
           };
+      }
 
+      (lib.mkIf pkgs.stdenv.isLinux {
         systemd.user.services.ssh-agent = {
           Install.WantedBy = [ "default.target" ];
           Unit = {
@@ -92,5 +107,30 @@ in
             ) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
           }";
         };
+      })
+
+      (lib.mkIf pkgs.stdenv.isDarwin {
+        launchd.agents.ssh-agent = {
+          enable = true;
+          config = {
+            ProgramArguments = [
+              (lib.getExe pkgs.bash)
+              "-c"
+              ''${lib.getExe' cfg.package "ssh-agent"} -D -a "$(${lib.getExe pkgs.getconf} DARWIN_USER_TEMP_DIR)/${cfg.socket}"${
+                lib.optionalString (
+                  cfg.defaultMaximumIdentityLifetime != null
+                ) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
+              }''
+            ];
+            KeepAlive = {
+              Crashed = true;
+              SuccessfulExit = false;
             };
+            ProcessType = "Background";
+            RunAtLoad = true;
+          };
+        };
+      })
+    ]
+  );
 }

tests/darwinScrublist.nix

@@ -50,6 +50,7 @@ let
     "feh"
     "fzf"
     "gallery-dl"
+    "getconf"
     "gh"
     "gh-dash"
     "ghostty"
@@ -125,6 +126,7 @@ let
     "ollama"
     "onlyoffice-desktopeditors"
     "opencode"
+    "openssh"
     "openstackclient"
     "papis"
     "patdiff"

tests/modules/services/ssh-agent/darwin/bash-integration.nix

@@ -0,0 +1,14 @@
+{
+  services.ssh-agent = {
+    enable = true;
+    enableBashIntegration = true;
+  };
+
+  programs.bash.enable = true;
+
+  nmt.script = ''
+    assertFileContains \
+      home-files/.bashrc \
+      'export SSH_AUTH_SOCK=$(@getconf-system_cmds@/bin/getconf DARWIN_USER_TEMP_DIR)/ssh-agent'
+  '';
+}

tests/modules/services/ssh-agent/darwin/basic-service-expected.plist

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>KeepAlive</key>
+	<dict>
+		<key>Crashed</key>
+		<true/>
+		<key>SuccessfulExit</key>
+		<false/>
+	</dict>
+	<key>Label</key>
+	<string>org.nix-community.home.ssh-agent</string>
+	<key>ProcessType</key>
+	<string>Background</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>@bash-interactive@/bin/bash</string>
+		<string>-c</string>
+		<string>@openssh@/bin/ssh-agent -D -a &quot;$(@getconf-system_cmds@/bin/getconf DARWIN_USER_TEMP_DIR)/ssh-agent&quot;</string>
+	</array>
+	<key>RunAtLoad</key>
+	<true/>
+</dict>
+</plist>

tests/modules/services/ssh-agent/darwin/basic-service.nix

@@ -0,0 +1,14 @@
+{ config, ... }:
+
+{
+  services.ssh-agent = {
+    enable = true;
+    package = config.lib.test.mkStubPackage { outPath = "@openssh@"; };
+  };
+
+  nmt.script = ''
+    assertFileContent \
+      LaunchAgents/org.nix-community.home.ssh-agent.plist \
+      ${./basic-service-expected.plist}
+  '';
+}

tests/modules/services/ssh-agent/darwin/default.nix

@@ -0,0 +1,6 @@
+{
+  ssh-agent-darwin-basic-service = ./basic-service.nix;
+  ssh-agent-darwin-timeout-service = ./timeout-service.nix;
+  ssh-agent-darwin-bash-integration = ./bash-integration.nix;
+  ssh-agent-darwin-nushell-integration = ./nushell-integration.nix;
+}

tests/modules/services/ssh-agent/darwin/nushell-integration.nix

@@ -0,0 +1,14 @@
+{
+  services.ssh-agent = {
+    enable = true;
+    enableNushellIntegration = true;
+  };
+
+  programs.nushell.enable = true;
+
+  nmt.script = ''
+    assertFileContains \
+      home-files/.config/nushell/config.nu \
+      '$env.SSH_AUTH_SOCK = $"(@getconf-system_cmds@/bin/getconf DARWIN_USER_TEMP_DIR)/ssh-agent"'
+  '';
+}

tests/modules/services/ssh-agent/darwin/timeout-service-expected.plist

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>KeepAlive</key>
+	<dict>
+		<key>Crashed</key>
+		<true/>
+		<key>SuccessfulExit</key>
+		<false/>
+	</dict>
+	<key>Label</key>
+	<string>org.nix-community.home.ssh-agent</string>
+	<key>ProcessType</key>
+	<string>Background</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>@bash-interactive@/bin/bash</string>
+		<string>-c</string>
+		<string>@openssh@/bin/ssh-agent -D -a &quot;$(@getconf-system_cmds@/bin/getconf DARWIN_USER_TEMP_DIR)/ssh-agent&quot; -t 1337</string>
+	</array>
+	<key>RunAtLoad</key>
+	<true/>
+</dict>
+</plist>

tests/modules/services/ssh-agent/darwin/timeout-service.nix

@@ -0,0 +1,15 @@
+{ config, ... }:
+
+{
+  services.ssh-agent = {
+    enable = true;
+    defaultMaximumIdentityLifetime = 1337;
+    package = config.lib.test.mkStubPackage { outPath = "@openssh@"; };
+  };
+
+  nmt.script = ''
+    assertFileContent \
+      LaunchAgents/org.nix-community.home.ssh-agent.plist \
+      ${./timeout-service-expected.plist}
+  '';
+}

tests/modules/services/ssh-agent/default.nix

@@ -3,7 +3,5 @@
   pkgs,
   ...
 }:
-lib.optionalAttrs pkgs.stdenv.hostPlatform.isLinux {
+(lib.optionalAttrs pkgs.stdenv.hostPlatform.isLinux (import ./linux))
-  ssh-agent-basic-service = ./basic-service.nix;
+// (lib.optionalAttrs pkgs.stdenv.hostPlatform.isDarwin (import ./darwin))
-  ssh-agent-timeout-service = ./timeout-service.nix;
-}

tests/modules/services/ssh-agent/linux/default.nix

@@ -0,0 +1,4 @@
+{
+  ssh-agent-basic-service = ./basic-service.nix;
+  ssh-agent-timeout-service = ./timeout-service.nix;
+}