Setting an environment variable in gnome-shell through configuration.nix

I am new to nixos and trying to set up my gpg-agent to handle ssh. I am following this guide: Setting up GnuPG + Yubikey on NixOS for SSH authentication (the relevant section is GPG/SSH Agent).

The guide suggests putting

  environment.shellInit = ''
    gpg-connect-agent /bye
    export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
  '';

in my configuration.nix. After reboot, gpg-agent is running. And, if I switch to a tty, SSH_AUTH_SOCK is set to the correct value.

However, I’m using the gnome desktop environment. After booting and logging into my user through gnome, SSH_AUTH_SOCK is not set to the correct value. It’s set to the standard ssh value.

I’m not 100% sure why that is. Is this because the gnome-shell does not see the variable exported in shellInit? Or is this because gnome overwrites the value? In any case, does anybody have some tips for setting an environment variable in a gnome-shell through the configuration file?

I would not recommend this. The upstream module already configures this variable correctly for you, assuming you’ve enabled startAgent like that guide tells you to: nixpkgs/nixos/modules/programs/ssh.nix at c8aa8cc00a5cb57fada0851a038d35c08a36a2bb · NixOS/nixpkgs · GitHub

In the intervening 8 years yubico has also moved on, you should be using yubioath-flutter instead of what that guide suggests. I’d be hesitant to follow a guide that old anyway at this point, there are a handful of things that strike me as weird, though it’s possible things worked differently at the time.

I don’t know for certain what gpg defaults are these days, but you should probably also almost certainly be using an elliptic curve key rather than an RSA one, which I suspect gpg still configures by default. E.g. codeberg refuses such keys.

I’d wager this is a login/interactive shell thing. Does bash -l help?

okay, thanks for the tips. They’re a bit tangential to my question though. I’m not following the guide to set up gpg keys and stuff. Right now I’m mostly focused on trying to set the SSH_AUTH_SOCK variable. I’m still not sure I see how to do that? The SSH_AUTH_SOCK is not being correctly set. Yes, I have disabled ssh startAgent.

I think gnome key-ring is overwriting SSH_AUTH_SOCK. So I’ll try to disable that.

Well, then enable startAgent and don’t try to manually configure it. programs.ssh.startAgent configures this correctly, alongside the systemd service for the gpg agent.

That’s also a reasonable guess!

hmm, maybe I’m a bit confused. I have

  programs.ssh.startAgent = false;

to prevent the ssh agent from starting and conflicting with the gpg agent. Is that not what that line does?

Ah, whoops, sorry, that was my mind completely misinterpreting that option. For some reason I interpreted ssh as gpg, which makes no sense.

I’d instead recommend setting programs.gnupg.agent.enableSSHSupport and related options (including programs.gnupg.agent.enable). This should also install gnupg for you so you don’t have to add that separately. Manually launching the gpg-agent in an initExtra block when you can use systemd to do it (and upstream has a module to do all of that for you) is just way too brittle.

Following Disable ssh-agent from gnome-keyring on Gnome - #7 by ryan27996,

I disabled the gnome keyring ssh-agent and that solved the problem. I don’t use the key ring, so this works for me.
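As an added diagnostic for the problem in this thread (not code from any post or from a NixOS module), the function below classifies which agent owns the socket that SSH_AUTH_SOCK points at, so you can confirm whether gpg-agent, gnome-keyring's ssh-agent or the plain ssh-agent won in a GNOME session. The keyring and ssh-agent socket path patterns are assumptions based on common defaults; the gpg-agent path is taken from `gpgconf --list-dirs agent-ssh-socket` as the thread does.

```bash
#!/usr/bin/env bash
# Added diagnostic (not from the thread): classify which agent owns the socket
# that SSH_AUTH_SOCK points at. Prints one of: unset, gpg, keyring, ssh-agent, unknown.
#   $1 - the value of SSH_AUTH_SOCK in the session being checked
#   $2 - the socket gpg-agent advertises: gpgconf --list-dirs agent-ssh-socket
classify_ssh_auth_sock() {
  local sock="$1"
  local gpg_sock="$2"
  if [ -z "$sock" ]; then
    echo unset
    return 0
  fi
  # An exact match with gpgconf's answer is the value the question wanted to see.
  if [ -n "$gpg_sock" ] && [ "$sock" = "$gpg_sock" ]; then
    echo gpg
    return 0
  fi
  # Path patterns below are assumptions based on common defaults:
  # gnome-keyring / gcr use .../keyring/ssh or .../gcr/ssh under XDG_RUNTIME_DIR,
  # OpenSSH's ssh-agent uses /tmp/ssh-XXXX/agent.PID (or .../ssh-agent via a service).
  case "$sock" in
    */S.gpg-agent.ssh) echo gpg ;;
    */keyring/ssh|*/gcr/ssh) echo keyring ;;
    /tmp/ssh-*/agent.*|*/ssh-agent*) echo ssh-agent ;;
    *) echo unknown ;;
  esac
}

# Live check of the current session, only when the variable and gpgconf are present.
if [ -n "${SSH_AUTH_SOCK:-}" ] && command -v gpgconf >/dev/null 2>&1; then
  owner=$(classify_ssh_auth_sock "$SSH_AUTH_SOCK" "$(gpgconf --list-dirs agent-ssh-socket)")
  echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK is owned by: $owner"
  if [ "$owner" = keyring ]; then
    echo "gnome-keyring's ssh-agent has replaced the value intended for gpg-agent."
  fi
fi
```

Run it from a terminal inside the GNOME session (not a tty), since the thread shows the tty value was already correct.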