#+TITLE: Handoff from archangel — SSH_AUTH_SOCK routed through gpg-agent
#+DATE: 2026-05-22

* Why this is here

This change was made from an *archangel* session (cross-project edit into archsetup's stow dotfiles), so it's logged here for archsetup's next session to review and commit.

The trigger: from archangel I needed to SSH to the TrueNAS, but Claude's non-interactive Bash-tool shells couldn't reach any ssh-agent — =SSH_AUTH_SOCK= was unset in dotfiles, and ad-hoc =ssh-agent -s= instances live on random =/tmp= sockets that fresh shells can't find.

* What changed (two stow files in dotfiles/common)

1. =dotfiles/common/.config/environment.d/envvars.conf= — appended:
   #+begin_example
   SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh
   #+end_example
   Systemd-native, cross-app, takes effect at next login.
2. =dotfiles/common/.zshenv= — *new file*, exports the same socket. zsh sources =.zshenv= on every invocation (incl. non-interactive tooling and cron), so it works immediately without a re-login. Mirrors the environment.d value.

Also created the stow symlink =~/.zshenv -> code/archsetup/dotfiles/common/.zshenv= (relative, matching the existing =~/.zshrc= link style). If you re-run the stow/install step, confirm it keeps this link rather than clobbering it.

* Why gpg-agent

=~/.gnupg/gpg-agent.conf= already had =enable-ssh-support=, and gpg-agent serves a fixed socket. So this reuses an agent you already run rather than adding a new one. The =id_ed25519= key was loaded via =ssh-add= and persists in =~/.gnupg= across reboots.

The only other =SSH_AUTH_SOCK= reference in the dotfiles is a commented-out gnome-keyring line in =.config/systemd/user/emacs.service= (=%t/keyring/ssh=) — inactive, no conflict, but worth reconciling if you ever want emacs on the same agent (point it at the gpg-agent socket instead).

* Verification

- Fresh =zsh -c= sources =.zshenv= → =SSH_AUTH_SOCK= set, =ssh-add -l= shows the key.
- =ssh cjennings@truenas= (tailscale 100.67.22.65) connects with no inline prefix.

* For archsetup's next session

- Review + commit the two dotfile changes (envvars.conf, new .zshenv). Only =todo.org= was dirty in archsetup before this; these two are the new edits.
- Decide whether =.zshenv= should carry anything else you'd previously put in an interactive-only file by mistake (it shouldn't produce output).
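
The checks from the Verification section, extended into a repeatable script. This is an added example, not part of the original handoff or archsetup's own code. It assumes the stowed file lands at =~/.config/environment.d/envvars.conf= and that =gpgconf= and =zsh= are on =PATH=; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not archsetup code): check that the gpg-agent SSH socket
# setup from this handoff is consistent. Function names are illustrative.
# Invoke with the single argument --check to run the live checks.

# True if gpg-agent.conf has an active (uncommented) enable-ssh-support line.
conf_enables_ssh() {
    grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$1"
}

# Print SSH_AUTH_SOCK from an environment.d file ($1), replacing the literal
# ${XDG_RUNTIME_DIR} with $2. Uses the last assignment if there are several.
envd_ssh_sock() {
    sed -n 's/^SSH_AUTH_SOCK=//p' "$1" | tail -n 1 |
        sed "s|[\$]{XDG_RUNTIME_DIR}|$2|"
}

verify_handoff() {
    rc=0
    runtime=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}
    # Assumed stow target of dotfiles/common/.config/environment.d/envvars.conf
    want=$(envd_ssh_sock "$HOME/.config/environment.d/envvars.conf" "$runtime")

    conf_enables_ssh "$HOME/.gnupg/gpg-agent.conf" ||
        { echo "FAIL: enable-ssh-support not active in gpg-agent.conf"; rc=1; }

    # Ask gpg where the agent really listens. A non-default GNUPGHOME moves
    # the socket, which would make the hard-coded path stale.
    real=$(gpgconf --list-dirs agent-ssh-socket)
    [ "$want" = "$real" ] ||
        { echo "FAIL: environment.d says '$want', agent uses '$real'"; rc=1; }
    [ -S "$real" ] || { echo "FAIL: '$real' is not a socket"; rc=1; }

    # A fresh non-interactive zsh reads only zshenv files, like tool shells.
    got=$(zsh -c 'printf %s "$SSH_AUTH_SOCK"')
    [ "$got" = "$real" ] || { echo "FAIL: fresh zsh sees '$got'"; rc=1; }

    # The handoff requires that .zshenv produce no output.
    [ -z "$(zsh -c : 2>&1)" ] || { echo "FAIL: zsh startup prints output"; rc=1; }

    # The key should be listed by the agent behind that socket.
    SSH_AUTH_SOCK=$real ssh-add -l >/dev/null 2>&1 ||
        { echo "FAIL: no identities served on '$real'"; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then verify_handoff; fi
```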