
ssh/1password/ssh-agent-switcher: move off home-manager to the system layer (#46) #76

Merged: jasonboukheir merged 1 commit into main from hm-removal/ssh-1password-agent-switcher on Jun 11, 2026
Conversation

jasonboukheir (Owner) commented Jun 11, 2026
Closes #46 (the last per-host rollout rows of the hm-removal matrix for this module).

What moved where

Per the issue's target, my.* only wraps packages — everything here is system state, so it lands on upstream NixOS/nix-darwin options instead of new wrappers:

  • modules/ssh/client-config.nix — single source of truth for the shared client Host blocks (brutus/litus multiplexing + zmx RemoteCommand attach, pibitcoin agent forwarding, 1Password IdentityAgent). Consumed by:
    • thebeast: NixOS programs.ssh.extraConfig (rendered first in /etc/ssh/ssh_config, so host blocks win);
    • macbooks: nix-darwin programs.ssh.extraConfig -> /etc/ssh/ssh_config.d/100-nix-darwin.conf (work-macbook keeps its github-only Match host "github.com" user git agent scope);
    • fedora (standalone HM): seeded as a real ~/.ssh/config via home.file + the existing 0600 materialize hook (the full managed-files story stays with #39, Foundation: standalone activation story (work-devserver, fedora)).
  • services.ssh-agent-switcher becomes a NixOS module (modules/nixos/services/ssh-agent-switcher.nix): supervised systemd user service + environment.sessionVariables.SSH_AUTH_SOCK = /tmp/ssh-agent.$USER (PAM maps $USER -> @{PAM_USER}; shells re-export via setEnvironment, which the my.fish preinit sources). Upstream 26.05 ships a module under the same name, but it daemonizes from environment.loginShellInit, which my.fish login shells never source — so it's swapped out via disabledModules (comment in the module explains). Enabled on litus + brutus.
  • 1Password: thebeast keeps its existing system programs._1password{,-gui} and now exports SSH_AUTH_SOCK at the PAM level; macbooks use nix-darwin's programs._1password (op CLI — the GUI stays the external /Applications app); fedora installs the nixGL-wrapped GUI + CLI from home.packages with the autostart entry inlined. The git/jj ssh-signing wiring the deleted HM _1password module injected is now explicit per host (home-macbook + fedora HM settings; thebeast/work-macbook already had it flattened in my.nix).

Per-host SSH_AUTH_SOCK winner: 1Password agent on thebeast, home-macbook, fedora; ssh-agent-switcher on litus + brutus; Chef-managed corp setup on work-macbook.

Deleted: sharedModules/programs/{ssh,_1password}.nix, sharedModules/services/ssh-agent-switcher.nix, and all per-host HM enables. work-macbook's programs/home-manager.nix is gone entirely — after #75 moved ghostty to my.* and this PR moved ssh/1Password, nothing remained. work-devserver keeps its HM ssh (out of scope, #39) with an explicit enableDefaultConfig = false to preserve its rendered config.

Testing

  • New e2e VM test checks.x86_64-linux.ssh-agent-switcher: forwarded agent → login shell sees the stable /tmp/ssh-agent.tester socket (not sshd's per-connection one) → ssh-add -l lists the key through the switcher → survives reconnects.
  • All 7 host configs (nixosConfigurations ×3, darwinConfigurations ×2, homeConfigurations ×2) evaluate; thebeast's rendered extraConfig diffs clean against the old HM output.
  • nix flake check is green, rebased on top of #75 (my.ghostty: finish the wrapper + darwin Dock-launch story (#44)), whose hardened omarchy/gtk.nix cursor guard also fixed the my-hyprland-config eval failure this branch had initially patched on the test side — that commit was dropped in the rebase. The omarchy-session-units uwsm-stop race flaked once and passed on re-run (identical drv to main).

🤖 Generated with Claude Code
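The switcher module described in the post above, written out as an added example for this page rather than the PR's own modules/nixos/services/ssh-agent-switcher.nix: a NixOS module that swaps out the upstream module via disabledModules, supervises the daemon as a systemd user service, and publishes the stable per-user socket path through environment.sessionVariables so PAM substitutes $USER at login. The upstream module path given to disabledModules is a placeholder, pkgs.ssh-agent-switcher and its default socket path are assumptions, and the UMask line is an added hardening setting that the PR does not mention.

```nix
# Added example; not the PR's module. Assumptions: pkgs.ssh-agent-switcher
# exists and its daemon defaults to /tmp/ssh-agent.$USER; the disabledModules
# path below is a PLACEHOLDER for wherever upstream 26.05 keeps its module.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.ssh-agent-switcher;
in
{
  # Upstream's module of the same name daemonizes from
  # environment.loginShellInit, which fish login shells here never source,
  # so it is replaced wholesale rather than overridden option by option.
  disabledModules = [ "services/security/ssh-agent-switcher.nix" ]; # PLACEHOLDER

  options.services.ssh-agent-switcher = {
    enable = lib.mkEnableOption "ssh-agent-switcher user service";
    package = lib.mkPackageOption pkgs "ssh-agent-switcher" { };
    socketPath = lib.mkOption {
      type = lib.types.str;
      default = "/tmp/ssh-agent.$USER";
      description = ''
        Stable per-user socket clients connect to. $USER is expanded by the
        PAM session at login, not by Nix, so the string is kept literal.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Supervised per-user daemon: restarts survive reconnects and crashes.
    systemd.user.services.ssh-agent-switcher = {
      description = "Route SSH_AUTH_SOCK to the most recent forwarded agent";
      wantedBy = [ "default.target" ];
      serviceConfig = {
        ExecStart = lib.getExe cfg.package;
        Restart = "on-failure";
        RestartSec = 2;
        # Added hardening: the socket grants agent access, so deny
        # group/other at creation time regardless of the daemon's defaults.
        UMask = "0077";
      };
    };

    # Rendered into the PAM environment; NixOS rewrites $USER to @{PAM_USER},
    # and login shells re-export it via setEnvironment.
    environment.sessionVariables.SSH_AUTH_SOCK = cfg.socketPath;
  };
}
```

A host enables it with services.ssh-agent-switcher.enable = true; because the path lives in sessionVariables rather than a shell-specific init file, every login shell (fish included) and every PAM session sees the same SSH_AUTH_SOCK, which is what the e2e VM test in the post checks.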

… layer (#46)

The shared HM ssh, _1password, and ssh-agent-switcher modules are deleted
and re-expressed per platform, following the my.* rule that only
package-bakeable pieces become wrappers — these are system state, so they
land on upstream NixOS/nix-darwin options instead:

- modules/ssh/client-config.nix is the single source of truth for the
  client Host blocks (brutus/litus multiplexing + zmx attach, pibitcoin,
  1Password IdentityAgent), rendered into NixOS programs.ssh.extraConfig
  (thebeast), nix-darwin programs.ssh.extraConfig -> /etc/ssh/ssh_config.d
  (macbooks; work-macbook keeps its github-only Match), and a seeded real
  ~/.ssh/config on the standalone-HM fedora box.
- services.ssh-agent-switcher becomes a NixOS module (systemd user service
  + sessionVariables SSH_AUTH_SOCK, both of which reach my.fish login
  shells via setEnvironment), replacing upstream's loginShellInit-based
  module via disabledModules; enabled on litus + brutus, with an e2e VM
  test (forwarded agent -> switcher socket across reconnects).
- 1Password: thebeast keeps the system programs._1password{,-gui} it
  already had and exports SSH_AUTH_SOCK at the PAM level; the macbooks use
  nix-darwin's programs._1password (op CLI; the GUI stays the external
  /Applications app); fedora installs the nixGL-wrapped GUI + CLI from
  home.packages. git/jj ssh-signing wiring the HM module injected is now
  explicit per host.

Per-host SSH_AUTH_SOCK winner: 1Password agent on thebeast, home-macbook,
and fedora; ssh-agent-switcher on litus and brutus; Chef-managed corp
setup on work-macbook (1Password only signs/serves github.com).

Closes #46

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
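The shared client-config pattern from the commit message, as an added example rather than the PR's modules/ssh/client-config.nix: one rendered ssh_config fragment consumed by the NixOS, nix-darwin and standalone home-manager consumers, plus the github-scoped Match block that keeps a host-wide corporate agent in charge of every other host. The ControlPath, the 1Password agent socket path and the attribute names nixos/darwin/hm are constructed for illustration; only the host names come from the PR.

```nix
# Added example; not the repo's client-config.nix. Every consumer below
# renders the same `shared` string, so the Host blocks cannot drift apart.
{ lib }:
let
  # Shared Host blocks: connection multiplexing for the two lab hosts and
  # an agent-forwarding exception for the one host that needs it.
  shared = ''
    Host brutus litus
      ControlMaster auto
      ControlPath ~/.ssh/cm-%r@%h:%p
      ControlPersist 10m

    Host pibitcoin
      ForwardAgent yes
  '';

  # Least-privilege scoping: only git@github.com is served by the 1Password
  # agent; everything else keeps whatever SSH_AUTH_SOCK the session set
  # (the Chef-managed corporate agent on work-macbook). Socket path assumed.
  githubOnly = ''
    Match host "github.com" user git
      IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
  '';
in
{
  # NixOS: rendered first in /etc/ssh/ssh_config, so these Host blocks win.
  nixos = { programs.ssh.extraConfig = shared; };

  # nix-darwin: lands in /etc/ssh/ssh_config.d/100-nix-darwin.conf.
  darwin = { programs.ssh.extraConfig = lib.concatStrings [ shared githubOnly ]; };

  # Standalone home-manager (fedora): seed a real ~/.ssh/config; the 0600
  # permission fix-up is left to the activation hook the PR already has.
  hm = { home.file.".ssh/config".text = shared; };
}
```

Each consumer imports the one attribute it needs (for example, `(import ./client-config.nix { inherit lib; }).nixos`), so the decision of which agent answers for which host is made once, in a single file, and a review of agent exposure only has to read that file.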
jasonboukheir force-pushed the hm-removal/ssh-1password-agent-switcher branch from f1ff594 to 4cd4969 on June 11, 2026 06:03
jasonboukheir merged commit ea327c1 into main on Jun 11, 2026
jasonboukheir deleted the hm-removal/ssh-1password-agent-switcher branch on June 11, 2026 06:04

Linked issue closed by this pull request: Module: ssh + ssh-agent-switcher + 1Password (#46)