From 411c7642ea2a45d96b3cc9b84717968995dfed42 Mon Sep 17 00:00:00 2001
From: Trolli Schmittlauch
Date: Mon, 29 Dec 2025 01:00:03 +0100
Subject: [PATCH] home/ssh: adjust to deprecation warnings
---
 home/desktop.nix | 20 +++++++++++++++++++-
 home/workmac.nix | 29 +++++++++++++++++++----------
 2 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/home/desktop.nix b/home/desktop.nix
index 5387fad..6d45ec0 100644
--- a/home/desktop.nix
+++ b/home/desktop.nix
@@ -76,9 +76,27 @@
 programs.ssh = {
 enable = true;
+ enableDefaultConfig = false; # deprecated
 package = pkgs.openssh;
+ # TODO: common config for desktop as well
 # ssh host config
- matchBlocks = (import "${inputs.mysecrets}/ssh_hosts.nix").privateHosts;
+ matchBlocks = {
+
+ # default, gets placed last by home-manager
+ "*" = {
+ serverAliveInterval = 10;
+ serverAliveCountMax = 2; # 2 strikes and you're out
+ forwardAgent = false;
+ addKeysToAgent = "no";
+ compression = false;
+ hashKnownHosts = false;
+ userKnownHostsFile = "~/.ssh/known_hosts";
+ controlMaster = "no";
+ controlPath = "~/.ssh/master-%r@%n:%p";
+ controlPersist = "no";
+ };
+ }
+ // (import "${inputs.mysecrets}/ssh_hosts.nix").privateHosts;
 };
 # media button control support from Bluetooth devices
diff --git a/home/workmac.nix b/home/workmac.nix
index 1e50dab..93622e6 100644
--- a/home/workmac.nix
+++ b/home/workmac.nix
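Review bot: In home/desktop.nix the new `"*"` block is combined with the imported hosts through `//`, a shallow, right-biased merge, so a `"*"` entry in `privateHosts` would replace the whole default block and silently drop `forwardAgent = false`, `addKeysToAgent = "no"` and the keep-alive settings. `ssh_hosts.nix` is not visible here, so this is only a possibility, but a guard makes the assumption explicit: bind the import to a name such as `hosts` and put `assert !(hosts ? "*");` before the merge. The trailing `# deprecated` on `enableDefaultConfig = false;` reads as if the option itself were deprecated; presumably the intent is closer to `# opt out of the deprecated implicit defaults; they are set explicitly in "*" below`.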
@@ -38,22 +38,31 @@ in programs.ssh = { enable = true; + enableDefaultConfig = false; # deprecated package = pkgs.openssh; - # defaults in bottom match block "*" # TODO: common config for desktop as well - serverAliveInterval = 10; - serverAliveCountMax = 2; # 2 strikes and you're out + # early catchall to enforce agent socket usage. **NOT** the place for fallback defaults. + extraOptionOverrides = { + IdentityAgent = "\"~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock\""; + }; + # ssh host config matchBlocks = { - - # early catchall to enforce agent socket usage. **NOT** the place for fallback defaults. + # default, gets placed last by home-manager "*" = { - extraOptions = { - IdentityAgent = "\"~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock\""; - }; + serverAliveInterval = 10; + serverAliveCountMax = 2; # 2 strikes and you're out + forwardAgent = false; + addKeysToAgent = "no"; + compression = false; + hashKnownHosts = false; + userKnownHostsFile = "~/.ssh/known_hosts"; + controlMaster = "no"; + controlPath = "~/.ssh/master-%r@%n:%p"; + controlPersist = "no"; }; - "hydra01" = lib.hm.dag.entryAfter [ "*" ] { + "hydra01" = { hostname = "hydra01.access.whq.gocept.net"; user = "os"; }; @@ -68,7 +77,7 @@ in }; }; - "fcio-rzob-jump" = lib.hm.dag.entryAfter [ "*" ] { + "fcio-rzob-jump" = { # multiplexer, e.g. to avoid rate limiting on jumphost usage hostname = "vpn-rzob.services.fcio.net"; extraOptions = {
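Review bot: In the `@@ -38,22 +38,31 @@` hunk of home/workmac.nix, `forwardAgent = false` sits in the `"*"` block and is therefore only a fallback, unlike `IdentityAgent`, which the same hunk moves into `extraOptionOverrides` so that it is enforced. ssh_config keeps the first value it obtains for an option and the comment says home-manager places `"*"` last, so any host block that sets `forwardAgent = true` (including ones outside this hunk) still wins and would let that remote host request signatures from the 1Password agent. If forwarding is meant to be off everywhere, add `ForwardAgent = "no";` next to `IdentityAgent` in `extraOptionOverrides`; if some hosts need it, a comment on the `"*"` block such as `# overridable fallbacks only; enforced options go in extraOptionOverrides` would record that. The `matchBlocks` attrset continues past the end of this hunk, and the same ten-line `"*"` block is duplicated in home/desktop.nix, as the TODO already notes.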