Former Member
5 years ago
Keyring isn't suid on nixos
Hi, I'm running nixos and my 1password-keyringhelper isn't suid.
So I get this error:
[1P:foundation/op-linux/src/bin/keyring_helper.rs:150]
keyring helper detected it was n...
Former Member
4 years ago
I have the full experience working ;) With some (motivational) help, keeping me on track, I got down into the deepness of polkit-debugging (https://wiki.archlinux.org/title/Polkit#Debugging/logging).
As the SSH-Auth relies on system-authentication (and so on polkit) it was really helpful for me while debugging, so I didn't have to lock/unlock my vault again for testing over and over. (just for anyone following me on the path)
- SSH-Keys in non Standard/Personal-Vault
Please make some hints in SSH-Key type Items in the App -> in such Vaults that they will not work. Having it in the docs is nice but as it could be interpreted differently (see above - maybe my fault) this would be an improvement I guess. I hope in the long-term all non-shared (first) and later even shared (maybe keys shared without ability to download/view them for teams? ;)) Vaults are possible.
- `export SSH_AUTH_SOCK=~/.1password/agent.sock`
It helps a lot seeing/debugging the content of the keyring - for me it's part of "setup your system with 1password as ssh-auth-provider" so it would be in the snippet/getting started in the app (like the .ssh/config-thing) then in the docs (additional docs - again I love it)
- Debugging further
with `journalctl -feu polkit.service`
and
```
security.polkit = {
  enable = true;
  extraConfig = ''
    polkit.addRule(function(action, subject) {
      polkit.log("action=" + action);
      polkit.log("subject=" + subject);
    });
  '';
};
```
and `ssh -v root@XXX.XXX.de`
I was able to see in the journalctl related actions popping up. I was curious and adapted something I've seen on the ArchWiki page with the debug-output and I got it working the first time but with a hardcoded wildcard on the action:
```
security.polkit = {
  enable = true;
  extraConfig = ''
    polkit.addRule(function(action, subject) {
      polkit.log("action=" + action);
      polkit.log("subject=" + subject);
      // Grants the action to every subject, with no authentication prompt
      if (action.id == "com.1password.1Password.authorizeSshAgent") {
        return polkit.Result.YES;
      }
    });
  '';
};
```
DON'T USE THIS, IT COMPROMISES YOUR SECURITY
- Conclusion and solution
From then on I knew that there is something in my environment missing, what's prompting me for authorization when such a polkit action/event occurred. Originally searching for something like `polkit-explorer-git` (earlier) I saw the package `polkit_gnome`. Then I had some luck that one of my colleagues also using i3wm had already implemented `polkit_gnome` in his config as systemd user-service in nixos:
```
systemd = {
  user.services.polkit-gnome-authentication-agent-1 = {
    description = "polkit-gnome-authentication-agent-1";
    wants = [ "graphical-session.target" ];
    wantedBy = [ "graphical-session.target" ];
    after = [ "graphical-session.target" ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
      Restart = "on-failure";
      RestartSec = 1;
      TimeoutStopSec = 10;
    };
  };
};
```
For me personally it's more a user-managed thing so I moved it to my home-manager config, it works fine and the service-definition looks like this:
```
systemd.user.services = {
  polkit-gnome-authentication-agent-1 = {
    Unit = {
      After = [ "graphical-session-pre.target" ];
      Description = "polkit-gnome-authentication-agent-1";
      PartOf = [ "graphical-session.target" ];
    };
    Service = {
      ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
      Restart = "on-failure";
      RestartSec = 1;
      TimeoutStopSec = 10;
      Type = "simple";
    };
    Install = {
      WantedBy = [ "graphical-session.target" ];
    };
  };
};
```
I hope I can give something back to others in the community with this (maybe too detailed) trip-report with polkit these days ;)
Best Regards
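
Added example, not part of the original post and not 1Password or polkit code: a small JavaScript harness that loads the two polkit rules posted above into a stand-in for polkitd's rule engine and reports which subjects each rule approves without authentication. The helpers `loadRules`, `evaluate` and `autoApproved`, the sample subjects and the `"not_handled"` marker are assumptions made for this illustration; only `polkit.addRule`, `polkit.log` and `polkit.Result` are modelled.

```javascript
// Stand-in for polkitd's rule engine (assumption: only addRule, log and Result exist here).
function loadRules(source) {
  const rules = [];
  const polkit = {
    Result: { YES: "yes", NO: "no", AUTH_SELF: "auth_self", AUTH_ADMIN: "auth_admin" },
    addRule: (fn) => rules.push(fn),
    log: () => {}, // polkitd would write this to the journal
  };
  new Function("polkit", source)(polkit);
  return rules;
}

// Rules run in order and the first returned value decides. No value means polkit
// falls back to the action's default policy, where an authentication agent prompts.
function evaluate(rules, actionId, subject) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== null) return result;
  }
  return "not_handled";
}

// Constructed subjects: the desktop user and a remote, inactive session of another account.
const SUBJECTS = [
  { user: "alice", local: true, active: true },
  { user: "otheruser", local: false, active: false },
];

// Users that are granted actionId with no authentication at all.
function autoApproved(source, actionId) {
  const rules = loadRules(source);
  return SUBJECTS.filter((s) => evaluate(rules, actionId, s) === "yes").map((s) => s.user);
}

const ACTION = "com.1password.1Password.authorizeSshAgent";
// The two rules from the post: the logging-only one and the one marked "don't use".
const LOG_ONLY = `polkit.addRule(function(action, subject) {
  polkit.log("action=" + action);
  polkit.log("subject=" + subject);
});`;
const BLANKET_YES = `polkit.addRule(function(action, subject) {
  if (action.id == "com.1password.1Password.authorizeSshAgent") {
    return polkit.Result.YES;
  }
});`;

console.log("log-only rule   :", autoApproved(LOG_ONLY, ACTION));
console.log("blanket YES rule:", autoApproved(BLANKET_YES, ACTION));
```

The logging rule leaves the decision to the default policy, which is why the prompt only appears once an authentication agent such as `polkit_gnome` is running; the second rule never looks at `subject`, so every subject is approved.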