From d4e668e6fd6d38fbe5095ab58d7d41275edb83c5 Mon Sep 17 00:00:00 2001
From: Colin
Date: Tue, 17 Jun 2025 04:28:14 +0000
Subject: [PATCH] sane-private-unlock-remote: fix ssh sandboxing (hopefully)
---
 hosts/common/programs/sane-private-unlock-remote.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hosts/common/programs/sane-private-unlock-remote.nix b/hosts/common/programs/sane-private-unlock-remote.nix
index c116bf624..5b13f510f 100644
--- a/hosts/common/programs/sane-private-unlock-remote.nix
+++ b/hosts/common/programs/sane-private-unlock-remote.nix
@@ -8,12 +8,12 @@ in
 sandbox.net = "all";
 sandbox.extraHomePaths = [
 ".config/sops"
- ".ssh/id_ed25519"
- ".ssh/id_ed25519.pub"
 "knowledge/secrets"
 ];
+ sandbox.whitelistSsh = true;
 suggestedPrograms = [
 "sane-scripts.secrets-dump"
+ "ssh"
 ];
 configOption = with lib; mkOption {
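Review bot: `sandbox.whitelistSsh = true;` replaces two explicit key paths with a flag whose scope is not visible in this hunk, so the change may widen what the sandbox exposes rather than only repair it. This program also has `sandbox.net = "all"` and reads `.config/sops` and `knowledge/secrets`, so it is worth confirming against the option's definition whether the flag grants all of `~/.ssh` (other private keys, `config`, `known_hosts`) or only what this unlock needs. A comment above the line should record what was missing and what is now granted, e.g. `# ssh failed with only the key pair whitelisted; whitelistSsh grants <paths, confirm in the sandbox module>`. The subject says "(hopefully)", so the description should also state how the fix was verified. The enclosing attribute set starts and ends outside the hunk.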