Thomas Letan
lthms · he/him


Using git maintenance with Encrypted SSH Keys

This year, I went to FOSDEM 2024. It was nice and cosy crowded, and I really enjoyed my time there. The very last talk I could attend before having to leave for the train station was “So You Think You Know Git” by Scott Chacon. If you haven’t already, go and watch it. It is a very good and educational presentation. You will learn what git blame -C -C -C does and never be the same.

Another takeaway for me was git maintenance. git maintenance allows running in the background a set of tasks which optimize commands like git add and git fetch for a responsive user experience. I mean, count me in! Our git repository at $WORK has become fairly big over the years. (Not mono-repo big yet, but still big enough to make git fetch --all --prune feel… well, unresponsive.)

So, when I came back to work the next day, I ran the magic command the speaker had mentioned. (Following a petition from the Internet, my terminal prompt is ;.)

; git maintenance start

This created a bunch of user systemd services and timers which I decided to run immediately to test that everything was working correctly, starting with the hourly service responsible for prefetching remote branches.

; systemctl --user start git-maintenance@hourly.service

Unfortunately, this did not work out, and for predictable reasons.

; systemctl --user status git-maintenance@hourly.service
(...)
systemd[1706]: Starting Optimize Git repositories data...
git[76228]: git@gitlab.com: Permission denied (publickey).
git[76226]: error: failed to prefetch remotes
git[76226]: error: task 'prefetch' failed
systemd[1706]: git-maintenance@hourly.service: Main process exited, code=exited, status=>
systemd[1706]: git-maintenance@hourly.service: Failed with result 'exit-code'.
systemd[1706]: Failed to start Optimize Git repositories data.

The culprit here is the fact that I am using an encrypted SSH key to connect to GitLab, where our repository is hosted, and out of the box the scripts run by git-maintenance have no way to use it. This is because git-maintenance is not aware of the existence of the SSH agent running on my laptop.

The solution can be read in the Man page of git-maintenance:

(…) any customization should be done by creating a drop-in file, i.e. a .conf suffixed file in the ~/.config/systemd/user/git-maintenance@.service.d directory.

I didn’t know this general-purpose trick, which should work for any systemd service running on a Linux machine! Thanks, anonymous technical writer who took the time to contribute to this Man page.

And indeed, creating a file named 10-ssh.conf in ${HOME}/.config/systemd/user/git-maintenance@.service.d/ to set the SSH_AUTH_SOCK environment variable solved my issue. (The prefix number is as important as the .conf suffix mentioned in the git-maintenance Man page for systemd to load the drop-in file.) The value of SSH_AUTH_SOCK depends on your personal setup. In my case, I am using the systemd ssh-agent.service user unit.

; systemctl --user show ssh-agent.service | grep Environment=SSH_AUTH_SOCK
Environment=SSH_AUTH_SOCK=/run/user/1000/ssh-agent.socket

We replicate this in our 10-ssh.conf.

[Service]
Environment=SSH_AUTH_SOCK=/run/user/1000/ssh-agent.socket

And we are done! This time, executing the service manually will work (assuming the necessary encrypted key has been added to the agent with ssh-add).

; systemctl --user daemon-reload
; systemctl --user start git-maintenance@hourly.service
; systemctl --user status git-maintenance@hourly.service
(...)
systemd[1706]: Starting Optimize Git repositories data...
systemd[1706]: Finished Optimize Git repositories data.
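
The steps above as one script, an added example that is not part of the original post: it writes the drop-in, reloads systemd, and reports whether the agent behind the socket actually holds a key, which separates a missing socket from an agent with no key loaded. The function names and the --install flag are hypothetical, and the sed extraction assumes ssh-agent.service exposes SSH_AUTH_SOCK alone on its Environment= line, as in the output shown earlier.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# --install flag are hypothetical.

# Write the drop-in exposing the agent socket to git-maintenance units.
# $1: drop-in directory, $2: agent socket path.
write_dropin() {
    dropin_dir=$1
    sock_path=$2
    mkdir -p "$dropin_dir" || return 1
    # The subshell keeps the tightened umask from leaking to the caller.
    ( umask 077
      printf '[Service]\nEnvironment=SSH_AUTH_SOCK=%s\n' "$sock_path" \
          > "$dropin_dir/10-ssh.conf" )
}

# Print the state of the agent behind socket $1:
#   missing      no socket at that path
#   unreachable  socket exists but no agent answers (ssh-add exit status 2)
#   empty        agent answers but holds no key (ssh-add exit status 1)
#   ready        at least one key is loaded
agent_state() {
    sock_path=$1
    [ -S "$sock_path" ] || { echo missing; return 0; }
    rc=0
    SSH_AUTH_SOCK=$sock_path ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo ready ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

if [ "${1:-}" = "--install" ]; then
    # Assumption: SSH_AUTH_SOCK is alone on its Environment= line, as in
    # the output shown in the post.
    sock=$(systemctl --user show ssh-agent.service |
           sed -n 's/^Environment=SSH_AUTH_SOCK=//p')
    [ -n "$sock" ] || { echo "ssh-agent.service sets no SSH_AUTH_SOCK" >&2; exit 1; }
    write_dropin "$HOME/.config/systemd/user/git-maintenance@.service.d" "$sock"
    systemctl --user daemon-reload
    echo "agent: $(agent_state "$sock")"
fi
```

Any state other than ready means the hourly prefetch cannot authenticate; once the drop-in is in place, every scheduled git-maintenance run can use whatever keys are loaded in that agent.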