Issue Using 1Password SSH Agent and Private Nix Flake Input

I have been seeing some strange behavior in the interaction between using 1Password as my identity agent for SSH and attempting to access a private flake input over git+ssh.

Here is the snippet of flake.nix that attempts to include from a private SSH git repo:

inputs.privateflake = {
  type = "git";
  url = "ssh://git@private-github/org/private-repo.git";
  ref = "main";
  inputs.nixpkgs.follows = "nixpkgs";
};

Here is what my ~/.ssh/config file looks like:

Host private-github
    HostName github.com
    User git
    IdentityFile ${publicKeyFiles.privateGitHub}
    IdentitiesOnly yes
    IdentityAgent ${onePassPath}

(1Password identity agent expects public keys to be set as the identity file)

I have other SSH keys in my 1Password account, but to use them I specifically reference them on the command line.

Here is the strange behavior:
When I run ssh git@private-github, 1Password prompts me for the account/password associated with the correct SSH key. The prompt looks like this:

[image: 1Password prompt for the SSH key]

However, when I run nix flake update, it prompts me for the incorrect key. I have to deny the incorrect keys until 1Password requests the password for the correct key, which I can then approve. nix can then get access to the remote.

This is a bit problematic because, if the account associated with the incorrect SSH key is logged in, 1Password will default to providing that key (it does not show the password prompt above, so I cannot Deny it), which will cause nix to fail to get repository access.

The weirdest part is that this bug only happens on some of my computers. Some default to the correct key and this never comes up, but they all have the exact same ssh and 1Password config. I suspect this is just the order 1Password chooses to attempt keys when unsure.

It is entirely possible that this is a bug on 1Password’s end, so please let me know if I should turn to them instead, but the fact that the correct prompt always happens when calling ssh on the command line implies to me that something about my NixOS config is wrong.

This appears to be a 1Password issue. I tinkered around a while with my ~/.config/1Password/ssh/agent.toml file and got it to prioritize the correct key, which somehow made it refer to the correct key for that ssh host.
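
For readers hitting the same problem, here is a sketch of the kind of agent.toml ordering mentioned above. It is an added example, not the poster's actual file: 1Password's SSH agent offers keys in the order of the `[[ssh-keys]]` entries, so the key for the private-github host goes first. All item, vault and account values are placeholders.

```toml
# ~/.config/1Password/ssh/agent.toml
# Added example; every item/vault/account value below is a placeholder.
#
# Once this file exists, the agent serves only the keys matched by the
# entries here, and offers them in the order the entries appear.

# 1. Key used for the "private-github" host alias. Listed first so it is
#    the first key the agent offers, on every machine that shares this file.
[[ssh-keys]]
item = "PLACEHOLDER private GitHub key"
vault = "PLACEHOLDER-vault"
account = "PLACEHOLDER-account"

# 2. Keys from the other account stay available, but are offered later.
#    An entry may omit "item" to match every SSH key in a vault/account.
[[ssh-keys]]
vault = "PLACEHOLDER-other-vault"
account = "PLACEHOLDER-other-account"

# Check the resulting order (first line printed = first key offered):
#   SSH_AUTH_SOCK=<path to the 1Password agent socket> ssh-add -L
```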