From 14a5de4730faa12f3f2b615eb42cff3797d652a4 Mon Sep 17 00:00:00 2001
From: hektor
Date: Sat, 16 May 2026 13:27:30 +0200
Subject: [PATCH] fix(ssh): fall back to backup key when no primary SSH key present

---
 home/modules/ssh/README.md | 9 ---------
 home/modules/ssh/default.nix | 4 ++++
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/home/modules/ssh/README.md b/home/modules/ssh/README.md
index 97359179..8245fd45 100644
--- a/home/modules/ssh/README.md
+++ b/home/modules/ssh/README.md
@@ -47,15 +47,6 @@ backup key (`id_ed25519_sk_bak.pub`) if needed.
 | backup key file lost | regenerate from backup YubiKey resident key (use `ssh-keygen -K`) |
 | backup YubiKey lost | generate resident backup key, distribute across hosts, re-register (use primary key) |
 
-## notes / to do
-
-TODO: automate distributing `id_ed25519_sk_bak`, `id_ed25519_sk_bak.pub` to all devices
-TODO: declare setup scripts (use e.g. `$HOSTNAME`)
-TODO: register backup key with hosts (add to authorized hosts for each host)
-TODO: register backup key with services (e.g. Gitea)
-TODO: make sure to fall back to backup key when host-specific primary key is not present
-TODO: see if / how `-O application=ssh:` could be used
-
 ## references
 
 *
diff --git a/home/modules/ssh/default.nix b/home/modules/ssh/default.nix
index 7bb3bb8a..358dc85d 100644
--- a/home/modules/ssh/default.nix
+++ b/home/modules/ssh/default.nix
@@ -41,6 +41,10 @@ in
 "*" = {
 AddKeysToAgent = "yes";
 ForwardAgent = false;
+ identityFile = [
+ "~/.ssh/id_ed25519_sk"
+ "~/.ssh/id_ed25519_sk_bak"
+ ];
 };
 };
 };
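Review bot: The new `identityFile` list sits in the `"*"` block, so both the primary and the backup key are offered to every host ssh connects to, and nothing visible in the hunk sets `IdentitiesOnly`, so any other keys held by the agent are still offered too. On a server with a low `MaxAuthTries` that can use up the attempts before the backup key is reached, and it presents the backup key's public half to hosts where it was never registered. Consider adding `IdentitiesOnly = "yes";` next to the list, spelled however this block expects, since `identityFile` and `AddKeysToAgent` already differ in casing. A one-line comment above the list would also help, such as `# tried in order; a missing primary key file is skipped, so the backup key is used`. The enclosing attribute set starts above the hunk, so a setting outside the visible lines may already cover this.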