ssh-agent: Fix asking for confirmation via $SSH_ASKPASS

This was lost back in
ffedee6ed523864dd5f871ffd85e3c2099d579a2. Getting this to work is
slightly tricky because ssh-agent runs as a user unit, and so doesn't
know the user's $DISPLAY.

nixos/modules/programs/ssh.nix

@@ -4,8 +4,19 @@
 
 with lib;
 
-let cfg  = config.programs.ssh;
-    cfgd = config.services.openssh;
+let
+
+  cfg  = config.programs.ssh;
+  cfgd = config.services.openssh;
+
+  askPassword = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";
+
+  askPasswordWrapper = pkgs.writeScript "ssh-askpass-wrapper"
+    ''
+      #! ${pkgs.stdenv.shell} -e
+      export DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^DISPLAY=\(.*\)/\1/; t; d')"
+      exec ${askPassword}
+    '';
 
 in
 {
@@ -117,6 +128,11 @@ in
             Restart = "on-failure";
             SuccessExitStatus = "0 2";
           };
+        # Allow ssh-agent to ask for confirmation. This requires the
+        # unit to know about the user's $DISPLAY (via ‘systemctl
+        # import-environment’).
+        environment.SSH_ASKPASS = optionalString config.services.xserver.enable askPasswordWrapper;
+        environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
       };
 
     environment.extraInit = optionalString cfg.startAgent
@@ -126,5 +142,10 @@ in
         fi
       '';
 
+    environment.interactiveShellInit = optionalString config.services.xserver.enable
+      ''
+        export SSH_ASKPASS=${askPassword}
+      '';
+
   };
 }

nixos/modules/services/x11/display-managers/default.nix

@@ -89,6 +89,10 @@ let
         ${config.hardware.pulseaudio.package}/bin/pactl load-module module-device-manager "do_routing=1"
       ''}
 
+      # Tell systemd about our $DISPLAY. This is needed by the
+      # ssh-agent unit.
+      ${config.systemd.package}/bin/systemctl --user import-environment DISPLAY
+
       # Load X defaults.
       ${xorg.xrdb}/bin/xrdb -merge ${xresourcesXft}
       if test -e ~/.Xresources; then