nixfiles/modules/nix-ssh-agent.nix


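# NixOS module: makes an SSH agent available to nix-daemon through a proxy socket.
#
# A socat service listens on /run/nix-ssh-agent and relays each connection to the
# agent socket named by `nix.ssh-agent.sock`; nix-daemon is pointed at the proxy
# through SSH_AUTH_SOCK.
{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.nix.ssh-agent;
in {
  options.nix.ssh-agent = {
    sock = lib.mkOption {
      description = "SSH agent socket for Nix to use; set to null to disable the proxy";
      # NOTE(review): the default assumes the agent lives under /run/user/1000,
      # i.e. a single interactive user with UID 1000. Confirm per host.
      default = "/run/user/1000/ssh-agent";
      # nullOr is required for the `cfg.sock != null` guard below to ever be
      # false; with plain `str`, null was rejected at type-check time and the
      # proxy could not be switched off.
      type = lib.types.nullOr lib.types.str;
    };
  };

  config = lib.mkIf (cfg.sock != null) {
    systemd.services.ssh-agent-nix-proxy = {
      # Pulled in when nix-daemon starts; stop/restart of nix-daemon propagates here.
      wantedBy = [ "nix-daemon.service" ];
      partOf = [ "nix-daemon.service" ];
      serviceConfig = {
        # Security: the listening socket is created root:nixbld with mode 770, so
        # any process in group nixbld that can reach /run/nix-ssh-agent can ask
        # the forwarded agent to authenticate with the keys it holds.
        # NOTE(review): if only nix-daemon itself needs the agent, a narrower
        # mode/group would shrink that exposure. Confirm which processes need it.
        #
        # cfg.sock is interpolated unquoted: whitespace, ':' or ',' in the path
        # would change how systemd/socat parse this line. Presumably only plain
        # paths are passed; verify against callers.
        ExecStart = "${pkgs.socat}/bin/socat UNIX-LISTEN:/run/nix-ssh-agent,mode=770,group=nixbld,user=root,reuseaddr,fork UNIX-CONNECT:${cfg.sock}";
        Restart = "always";
      };
    };

    # nix-daemon talks to the proxy socket rather than to the user's agent directly.
    systemd.services.nix-daemon.environment.SSH_AUTH_SOCK = "/run/nix-ssh-agent";
  };
}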