Start ssh-agent as a user unit

This has some advantages:

* You get ssh-agent regardless of how you logged in. Previously it was
  only started for X11 sessions.

* All sessions of a user share the same agent. So if you added a key
  on tty1, it will also be available on tty2.

* Systemd will restart ssh-agent if it dies.

* $SSH_AUTH_SOCK now points to the /run/user/<uid> directory, which is
  more secure than /tmp.

For bonus points, we should patch ssh-agent to support socket-based
activation...

1 files changed, 33 insertions, 0 deletions

diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index 27db667e4402..005c77d255cb 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -47,7 +47,20 @@ in
           for help.
         '';
       };
+
+      startAgent = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to start the OpenSSH agent when you log in.  The OpenSSH agent
+          remembers private keys for you so that you don't have to type in
+          passphrases every time you make an SSH connection.  Use
+          <command>ssh-add</command> to add a key to the agent.
+        '';
+      };
+
     };
+
   };
 
   config = {
@@ -71,5 +84,25 @@ in
           target = "ssh/ssh_config";
         }
       ];
+
+    # FIXME: this should really be socket-activated for über-awesomeness.
+    systemd.user.services.ssh-agent =
+      { enable = cfg.startAgent;
+        description = "SSH Agent";
+        wantedBy = [ "default.target" ];
+        serviceConfig =
+          { ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
+            Type = "forking";
+            Restart = "on-failure";
+          };
+      };
+
+    environment.extraInit = optionalString cfg.startAgent
+      ''
+        if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
+          export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
+        fi
+      '';
+
   };
 }