NIX_SSHOPTS=-t is still a bit flaky. This thread is filled with people for whom it doesn’t work for some reason: Remote nixos-rebuild: sudo askpass problem
I never did dig into why it’s broken. deploy-rs doesn’t fix it either, it’s some quirk of ssh+sudo.