Use ssh-agent

home/home/default.nix

@@ -23,15 +23,6 @@ in
 {
   home.stateVersion = "20.09";
 
-  programs.git = {
-    signing = {
-      key = "~/.ssh/dadada-git-signing";
-      signByDefault = true;
-    };
-    userEmail = "dadada@dadada.li";
-    userName = "dadada";
-  };
-
   programs.gpg.settings.default-key = "99658A3EB5CD7C13";
 
   dadada.home =

home/modules/git.nix

@@ -5,6 +5,12 @@
 }:
 with lib; let
   cfg = config.dadada.home.git;
+  allowedSigners = pkgs.writeTextFile {
+    name = "allowed-signers";
+    text = ''
+      dadada@dadada.li sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKu+pA5Vy0QPHJMjn2S5DCsqKg2UvDhOsBwvvJLf4HbyAAAABHNzaDo= dadada <dadada@dadada.li>
+    '';
+  };
 in
 {
   options.dadada.home.git = {
@@ -14,6 +20,20 @@ in
     programs.git = {
       enable = true;
       extraConfig = {
+        commit = {
+          gpgSign = true;
+          verbose = true;
+        };
+        gpg = {
+          format = "ssh";
+          ssh.allowedSignersFile = "${allowedSigners}";
+        };
+        tag.gpgSign = true;
+        user = {
+          email = "dadada@dadada.li";
+          name = "dadada";
+          signingKey = "key::sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKu+pA5Vy0QPHJMjn2S5DCsqKg2UvDhOsBwvvJLf4HbyAAAABHNzaDo= dadada <dadada@dadada.li>";
+        };
         core = {
           whitespace = {
             tab-in-indent = true;
@@ -42,10 +62,7 @@ in
           branch = true;
           showUntrackedFiled = "all";
         };
-        commit.verbose = true;
         log.date = "iso8601-local";
-        tag.gpgSign = true;
-        gpg.format = "ssh";
         pull = {
           prune = true;
           ff = "only";

nixos/modules/profiles/laptop.nix

@@ -15,6 +15,8 @@ with lib; {
   networking.domain = mkDefault "dadada.li";
 
   services.fwupd.enable = mkDefault true;
+  programs.ssh.startAgent = true;
+  programs.ssh.enableAskPassword = true;
 
   age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];