GPG Smartcard for SSH

I have a hard time figuring out how to configure SSH authentication using my GPG Smartcard. I have the following (NixOS & Home-Manager) configuration:

{ self, ... }: {
  home-manager.users.mentos = {
    programs.gpg = {
      enable = true;
      mutableKeys = false;
      mutableTrust = false;
      publicKeys = [
          source = "${self}/static/gpg_pub.asc";
          trust = "ultimate";
    services.gpg-agent = {
      enable = true;
      enableSshSupport = true;
    # Set environment variables = ''
      set -e SSH_AGENT_PID
      set -x GPG_TTY (tty)
      set -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket)

  # Enable Smartcard/Nitrokey
  hardware.gpgSmartcards.enable = true;
  hardware.nitrokey.enable = true;
  users.users.mentos.extraGroups = [ "nitrokey" ];

After a reboot SSH_AUTH_SOCK outputs /run/user/1000/keyring/ssh.
After manually running set -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket), the variable outputs /run/user/1000/gnupg/S.gpg-agent.ssh

Also ssh-add -L doesn’t have anything before I run the above command manually.

What the heck? Does my interactiveShellInit even run?!

Okay, but even after running it manually and my key showing up in ssh-add -L I can’t connect to servers: sign_and_send_pubkey: signing failed ... agent refused operation.

The ssh command takes a while tho, so I assume its interacting with the card already. (gpg --card-status works btw)

My assumption is, that there is a issue with the pinentry not showing up. While tinkering with this config I sometimes got a (gtk2?) pinentry dialog where my cursor was a little black point and I couldn’t interact with the dialog. I’m on Gnome so the gnome3 pinentry flavor should be used automatically. But I also tried setting it explicitly, which didn’t make any difference.

I have no idea anymore at this point… SOS please help. :smiling_face_with_tear:

Well… setting this part in NixOS config instead of Home Manager:

programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;

actually brings up the unusable gtk2 dialog reliable… at least. And setting it up manually to gnome3 works too…

Why isn’t it working with home-manager? Its literally the same config, just on user level?!

edit: Could it have something to do with that I enable fish through NixOS (because I want every user to use fish shell by default) and then configure it through Home-Manager? How the world looks in my imagination, this shouldn’t be a problem - or is it in Nix world?

You need to disable gnome keyring I remember. It has its own magic with ssh agent as I recall.

services.gnome.gnome-keyring.enable = lib.mkForce false;