From 5ed75a0312adb90e7a0b39bceae8b8b4ea946e5f Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
Date: Fri, 27 Mar 2026 22:16:41 -0400
Subject: [PATCH] services/ssh-agent: treat SIGTERM exit as clean

OpenSSH ssh-agent exits with status 2 when systemd stops it in
non-socket-activated mode.

Home Manager runs ssh-agent that way, so normal user-manager
shutdowns show up as unit failures.

Set SuccessExitStatus=2 for the Linux user service to match
upstream behavior. Startup failures and other unexpected exits
still fail the unit.
---
 modules/services/ssh-agent.nix                | 21 +++++++++++--------
 .../linux/basic-service-expected.service      |  1 +
 .../linux/pkcs11-service-expected.service     |  1 +
 .../linux/timeout-service-expected.service    |  1 +
 4 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/modules/services/ssh-agent.nix b/modules/services/ssh-agent.nix
index 7fda6c7f..b105f744 100644
--- a/modules/services/ssh-agent.nix
+++ b/modules/services/ssh-agent.nix
@@ -108,15 +108,18 @@ in
         Description = "SSH authentication agent";
         Documentation = "man:ssh-agent(1)";
       };
-      Service.ExecStart = "${lib.getExe' cfg.package "ssh-agent"} -D -a %t/${cfg.socket}${
-        lib.optionalString (
-          cfg.defaultMaximumIdentityLifetime != null
-        ) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
-      }${
-        lib.optionalString (
-          cfg.pkcs11Whitelist != [ ]
-        ) " -P '${lib.concatStringsSep "," cfg.pkcs11Whitelist}'"
-      }";
+      Service = {
+        ExecStart = "${lib.getExe' cfg.package "ssh-agent"} -D -a %t/${cfg.socket}${
+          lib.optionalString (
+            cfg.defaultMaximumIdentityLifetime != null
+          ) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
+        }${
+          lib.optionalString (
+            cfg.pkcs11Whitelist != [ ]
+          ) " -P '${lib.concatStringsSep "," cfg.pkcs11Whitelist}'"
+        }";
+        SuccessExitStatus = 2;
+      };
     };
 
     launchd.agents.ssh-agent = {
diff --git a/tests/modules/services/ssh-agent/linux/basic-service-expected.service b/tests/modules/services/ssh-agent/linux/basic-service-expected.service
index c03d6120..cd200c55 100644
--- a/tests/modules/services/ssh-agent/linux/basic-service-expected.service
+++ b/tests/modules/services/ssh-agent/linux/basic-service-expected.service
@@ -3,6 +3,7 @@ WantedBy=default.target
 
 [Service]
 ExecStart=@openssh@/bin/ssh-agent -D -a %t/ssh-agent/socket
+SuccessExitStatus=2
 
 [Unit]
 Description=SSH authentication agent
diff --git a/tests/modules/services/ssh-agent/linux/pkcs11-service-expected.service b/tests/modules/services/ssh-agent/linux/pkcs11-service-expected.service
index 543d1d60..25a47c54 100644
--- a/tests/modules/services/ssh-agent/linux/pkcs11-service-expected.service
+++ b/tests/modules/services/ssh-agent/linux/pkcs11-service-expected.service
@@ -3,6 +3,7 @@ WantedBy=default.target
 
 [Service]
 ExecStart=@openssh@/bin/ssh-agent -D -a %t/ssh-agent -P '/nix/store/*/lib,/usr/lib/libpkcs11.so,/usr/lib/other.so'
+SuccessExitStatus=2
 
 [Unit]
 Description=SSH authentication agent
diff --git a/tests/modules/services/ssh-agent/linux/timeout-service-expected.service b/tests/modules/services/ssh-agent/linux/timeout-service-expected.service
index ce16f584..59a99d7e 100644
--- a/tests/modules/services/ssh-agent/linux/timeout-service-expected.service
+++ b/tests/modules/services/ssh-agent/linux/timeout-service-expected.service
@@ -3,6 +3,7 @@ WantedBy=default.target
 
 [Service]
 ExecStart=@openssh@/bin/ssh-agent -D -a %t/ssh-agent -t 1337
+SuccessExitStatus=2
 
 [Unit]
 Description=SSH authentication agent