Yubikey-agent not running on login

According to man configuration.nix, enabling services.yubikey-agent should start yubikey-agent on login:

services.yubikey-agent.enable
	   Whether to start yubikey-agent when you log in. Also sets SSH_AUTH_SOCK to point
	   at yubikey-agent.

	   Note that yubikey-agent will use whatever pinentry is specified in
	   programs.gnupg.agent.pinentryFlavor.

	   Type: boolean

	   Default: false

	   Declared by:
	       <nixpkgs/nixos/modules/services/security/yubikey-agent.nix>

But this doesn’t seem to be working any more for me, even after restart:

➤ grep yubikey-agent /etc/nixos/configuration.nix
  services.yubikey-agent.enable = true; # used for SSH agent
➤ ssh-add -l
Error connecting to agent: Connection refused
➤ pgrep -f yubikey || echo "not found"
not found

Further confusing me is that systemctl can’t even find the yubikey-agent.service:

➤ systemctl start yubikey-agent.service
Failed to start yubikey-agent.service: Unit yubikey-agent.service not found.

It looks like it’s in the right place to me:

➤ ls -l /run/current-system/sw/lib/systemd/user/yubikey-agent.service
lrwxrwxrwx 1 root root 102 Dec 31  1969 /run/current-system/sw/lib/systemd/user/yubikey-agent.service -> /nix/store/x7ln7dxjyfakn9cq8g1lwhlbmmyx0bzy-yubikey-agent-0.1.6/lib/systemd/user/yubikey-agent.service
➤ cat /run/current-system/sw/lib/systemd/user/yubikey-agent.service
[Unit]
Description=Seamless ssh-agent for YubiKeys
Documentation=https://filippo.io/yubikey-agent

[Service]
ExecStart=/nix/store/x7ln7dxjyfakn9cq8g1lwhlbmmyx0bzy-yubikey-agent-0.1.6/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
ExecReload=/bin/kill -HUP $MAINPID
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
NoNewPrivileges=yes
KeyringMode=private
UMask=0177
RuntimeDirectory=yubikey-agent

[Install]
WantedBy=default.target

This is on NixOS 22.11:

➤ sudo nix-channel --list
nixos https://nixos.org/channels/nixos-22.11

(Crosspost from unix.stackexchange)

systemctl --user. It’s a user service, not a system one.

Same error with systemctl --user start yubikey-agent:

Failed to start yubikey-agent.service: Unit yubikey-agent.service not found.

Reading up on systemd’s search path in man systemd.unit, it doesn’t look like there’s any reason for it to look in /run/current-system/sw/lib/systemd. It looks in /run/current-system/sw/share/systemd because of XDG_DATA_DIRS, but nothing points it at lib. It does look in /usr/lib/systemd, but that’s a hardcoded path in systemd, and doesn’t get redirected on NixOS.

Looking at the code for the module you’re using, it looks like it adds the service through the systemd.user.services option, which should place a unit file in /etc/systemd/user, where it should be picked up normally. The one that comes from the upstream package is intentionally ignored.

Is there a unit file in /etc/systemd/user?

Yup! And a /etc/systemd/user/yubikey-agent.service.d/overrides.conf:

➤ ls -l /etc/systemd/user/yubikey-agent.service
lrwxrwxrwx 1 root root 102 Dec 31  1969 /etc/systemd/user/yubikey-agent.service -> /nix/store/x7ln7dxjyfakn9cq8g1lwhlbmmyx0bzy-yubikey-agent-0.1.6/lib/systemd/user/yubikey-agent.service
➤ cat /etc/systemd/user/yubikey-agent.service
[Unit]
Description=Seamless ssh-agent for YubiKeys
Documentation=https://filippo.io/yubikey-agent

[Service]
ExecStart=/nix/store/x7ln7dxjyfakn9cq8g1lwhlbmmyx0bzy-yubikey-agent-0.1.6/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
ExecReload=/bin/kill -HUP $MAINPID
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
NoNewPrivileges=yes
KeyringMode=private
UMask=0177
RuntimeDirectory=yubikey-agent

[Install]
WantedBy=default.target
➤ ls /etc/systemd/user/yubikey-agent.service.d
overrides.conf@
➤ ls -l /etc/systemd/user/yubikey-agent.service.d/overrides.conf
lrwxrwxrwx 1 root root 92 Dec 31  1969 /etc/systemd/user/yubikey-agent.service.d/overrides.conf -> /nix/store/7hvpksn2ba29n12x404rsla3a77yybls-unit-yubikey-agent.service/yubikey-agent.service
➤ cat /etc/systemd/user/yubikey-agent.service.d/overrides.conf
[Unit]

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/x19hsscsw1rr6948336fcnpgrqdbznaw-glibc-locales-2.35-224/lib/locale/locale-archive"
Environment="PATH=/nix/store/8zz8ijf1p5wx1gh262k9pxgbr674rdbi-pinentry-1.2.0-gnome3/bin:/nix/store/ngw3m00r391w31n13q4m2x06amx4mqri-coreutils-9.1/bin:/nix/store/vmm828xyvm8pjwjbx33n7z9r45vv1lk3-findutils-4.9.0/bin:/nix/store/njz77ksdp38vy6wyb9bq70dzfjxm5im0-gnugrep-3.7/bin:/nix/store/scmjiz80b1hh521k06z4fgbkl6r5k84p-gnused-4.8/bin:/nix/store/3g57m8gjkqajvwcqkw7dxmd9d7vnkcv9-systemd-251.10/bin:/nix/store/8zz8ijf1p5wx1gh262k9pxgbr674rdbi-pinentry-1.2.0-gnome3/sbin:/nix/store/ngw3m00r391w31n13q4m2x06amx4mqri-coreutils-9.1/sbin:/nix/store/vmm828xyvm8pjwjbx33n7z9r45vv1lk3-findutils-4.9.0/sbin:/nix/store/njz77ksdp38vy6wyb9bq70dzfjxm5im0-gnugrep-3.7/sbin:/nix/store/scmjiz80b1hh521k06z4fgbkl6r5k84p-gnused-4.8/sbin:/nix/store/3g57m8gjkqajvwcqkw7dxmd9d7vnkcv9-systemd-251.10/sbin"
Environment="TZDIR=/nix/store/p9h078icxj3axz7f6vxyb1jmi2yx94wa-tzdata-2022g/share/zoneinfo"

Well, systemctl --user start yubikey-agent should absolutely be finding that file, unless some kind of containerization technology is changing the view of the filesystem… I’m out of ideas.

Figured it out today!

Checked journalctl after a reboot and saw a complaint about ~/.config/systemd/user/yubikey-agent.service:

➤ journalctl -S 2023-04-10 -g yubikey
-- Boot 8f2a505387e3406bb1c2cc54bdcdc5e9 --
Apr 10 08:47:00 johrlac kernel: usb 1-3: Product: YubiKey OTP+FIDO+CCID
Apr 10 08:47:00 johrlac kernel: input: Yubico YubiKey OTP+FIDO+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:1050:0407.0001/input/input9
Apr 10 08:47:00 johrlac kernel: hid-generic 0003:1050:0407.0001: input,hidraw0: USB HID v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-3/input0
Apr 10 08:47:00 johrlac kernel: hid-generic 0003:1050:0407.0002: hiddev96,hidraw1: USB HID v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-3/input1
Apr 10 08:47:40 johrlac systemd[1908]: yubikey-agent.service: Failed to open /home/rampion/.config/systemd/user/yubikey-agent.service: No such file or directory

~/.config/systemd/user/yubikey-agent.service was a symlink to a missing file in my nix store.

➤ readlink ~/.config/systemd/user/yubikey-agent.service
/nix/store/irkv07kbhilji142b4fmh6hlfqayn9p0-yubikey-agent-0.1.5/lib/systemd/user/yubikey-agent.service
➤ ls $(readlink ~/.config/systemd/user/yubikey-agent.service)
ls: cannot access '/nix/store/irkv07kbhilji142b4fmh6hlfqayn9p0-yubikey-agent-0.1.5/lib/systemd/user/yubikey-agent.service': No such file or directory

After another NixOS user told me they didn’t have any such file, I deleted it and rebooted, and yubikey-agent was started successfully.

From checking my diary, this symlink was created back when I ran systemctl --user enable --now yubikey-agent when originally setting up my yubikey, rather than just setting services.yubikey-agent.enable = true in my configuration.nix.
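An added diagnostic, not code from the thread or from the yubikey-agent module: a POSIX shell function that lists dangling *.service symlinks in a user systemd unit directory and flags any that shadow a same-named unit in a lower-precedence directory, which is the failure mode found above. The directory layout and the store path in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Lists dangling *.service symlinks in a
# user systemd unit directory and notes when a dangling link shadows a unit of
# the same name in a lower-precedence directory, which is how a stale
# ~/.config/systemd/user link hid the module-provided /etc/systemd/user unit.
#
# Usage: check_dangling_units USER_UNIT_DIR [LOWER_PRECEDENCE_DIR...]
# Output: one line per dangling link:
#   DANGLING <unit> -> <target> [SHADOWS <lower-dir>/<unit>]
# Exit status: 1 if any dangling link was found, 0 otherwise.
check_dangling_units() {
    user_dir=$1
    shift
    found=0
    for unit in "$user_dir"/*.service; do
        [ -L "$unit" ] || continue      # not a symlink (or no match): skip
        [ -e "$unit" ] && continue      # symlink target exists: healthy
        found=1
        name=$(basename "$unit")
        line="DANGLING $name -> $(readlink "$unit")"
        for lower in "$@"; do
            # systemd would load this one if the stale link were removed
            if [ -e "$lower/$name" ]; then
                line="$line SHADOWS $lower/$name"
                break
            fi
        done
        printf '%s\n' "$line"
    done
    return "$found"
}

# Demo on a constructed tree (placeholders, not the thread's real store paths):
# a user-level link to a garbage-collected store path shadows the unit in etc.
demo=$(mktemp -d)
mkdir -p "$demo/home/.config/systemd/user" "$demo/etc/systemd/user"
: > "$demo/etc/systemd/user/yubikey-agent.service"
ln -s "$demo/nix/store/PLACEHOLDER-yubikey-agent-0.1.5/lib/systemd/user/yubikey-agent.service" \
      "$demo/home/.config/systemd/user/yubikey-agent.service"
check_dangling_units "$demo/home/.config/systemd/user" "$demo/etc/systemd/user" || true
rm -rf "$demo"
```

On a live NixOS host the same function can be run as check_dangling_units ~/.config/systemd/user /etc/systemd/user, and systemd-analyze --user unit-paths prints the actual search order the thread reasons about.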