support readonly ssh configs

Author: clord

cmd/agent/workspace/up.go

@@ -81,7 +81,7 @@ func (cmd *UpCmd) Run(ctx context.Context) error {
 
 	tunnelClient, logger, credentialsDir, err := initWorkspace(cancelCtx, cancel, workspaceInfo, cmd.Debug, !workspaceInfo.CLIOptions.Platform.Enabled && !workspaceInfo.CLIOptions.DisableDaemon)
 	if err != nil {
-		err1 := clientimplementation.DeleteWorkspaceFolder(workspaceInfo.Workspace.Context, workspaceInfo.Workspace.ID, workspaceInfo.Workspace.SSHConfigPath, logger)
+		err1 := clientimplementation.DeleteWorkspaceFolder(workspaceInfo.Workspace.Context, workspaceInfo.Workspace.ID, workspaceInfo.Workspace.SSHConfigPath, workspaceInfo.Workspace.SSHConfigIncludePath, logger)
 		if err1 != nil {
 			return errors.Wrap(err, err1.Error())
 		}

cmd/build.go

@@ -89,6 +89,7 @@ func NewBuildCmd(flags *flags.GlobalFlags) *cobra.Command {
 				cmd.DevContainerImage,
 				cmd.DevContainerPath,
 				sshConfigPath,
+				"", // No include path for temporary build SSH config
 				nil,
 				cmd.UID,
 				false,

cmd/pro/delete.go

@@ -136,7 +136,7 @@ func cleanupLocalWorkspaces(ctx context.Context, devPodConfig *config.Config, wo
 					return
 				}
 				// delete workspace folder
-				err = clientimplementation.DeleteWorkspaceFolder(devPodConfig.DefaultContext, client.Workspace(), client.WorkspaceConfig().SSHConfigPath, log)
+				err = clientimplementation.DeleteWorkspaceFolder(devPodConfig.DefaultContext, client.Workspace(), client.WorkspaceConfig().SSHConfigPath, client.WorkspaceConfig().SSHConfigIncludePath, log)
 				if err != nil {
 					log.Errorf("Failed to remove workspace %s: %v", w.ID, err)
 					return

cmd/up.go

@@ -196,8 +196,9 @@ func (cmd *UpCmd) Run(
 			devPodHome = envDevPodHome
 		}
 		setupGPGAgentForwarding := cmd.GPGAgentForwarding || devPodConfig.ContextOption(config.ContextOptionGPGAgentForwarding) == "true"
+		sshConfigIncludePath := devPodConfig.ContextOption(config.ContextOptionSSHConfigIncludePath)
 
-		err = configureSSH(client, cmd.SSHConfigPath, user, workdir, setupGPGAgentForwarding, devPodHome)
+		err = configureSSH(client, cmd.SSHConfigPath, sshConfigIncludePath, user, workdir, setupGPGAgentForwarding, devPodHome)
 		if err != nil {
 			return err
 		}
@@ -979,15 +980,25 @@ func startBrowserTunnel(
 	return nil
 }
 
-func configureSSH(client client2.BaseWorkspaceClient, sshConfigPath, user, workdir string, gpgagent bool, devPodHome string) error {
+func configureSSH(client client2.BaseWorkspaceClient, sshConfigPath, sshConfigIncludePath, user, workdir string, gpgagent bool, devPodHome string) error {
 	path, err := devssh.ResolveSSHConfigPath(sshConfigPath)
 	if err != nil {
 		return errors.Wrap(err, "Invalid ssh config path")
 	}
 	sshConfigPath = path
 
+	// Resolve the include path if specified
+	if sshConfigIncludePath != "" {
+		includePath, err := devssh.ResolveSSHConfigPath(sshConfigIncludePath)
+		if err != nil {
+			return errors.Wrap(err, "Invalid ssh config include path")
+		}
+		sshConfigIncludePath = includePath
+	}
+
 	err = devssh.ConfigureSSHConfig(
 		sshConfigPath,
+		sshConfigIncludePath,
 		client.Context(),
 		client.Workspace(),
 		user,
@@ -1399,6 +1410,7 @@ func (cmd *UpCmd) prepareClient(ctx context.Context, devPodConfig *config.Config
 	if cmd.SSHConfigPath == "" {
 		cmd.SSHConfigPath = devPodConfig.ContextOption(config.ContextOptionSSHConfigPath)
 	}
+	sshConfigIncludePath := devPodConfig.ContextOption(config.ContextOptionSSHConfigIncludePath)
 
 	client, err := workspace2.Resolve(
 		ctx,
@@ -1413,6 +1425,7 @@ func (cmd *UpCmd) prepareClient(ctx context.Context, devPodConfig *config.Config
 		cmd.DevContainerImage,
 		cmd.DevContainerPath,
 		cmd.SSHConfigPath,
+		sshConfigIncludePath,
 		source,
 		cmd.UID,
 		true,

pkg/client/clientimplementation/daemonclient/delete.go

@@ -27,7 +27,7 @@ func (c *client) Delete(ctx context.Context, opt clientpkg.DeleteOptions) error
 		return err
 	} else if workspace == nil {
 		// delete the workspace folder
-		err = clientimplementation.DeleteWorkspaceFolder(c.workspace.Context, c.workspace.ID, c.workspace.SSHConfigPath, c.log)
+		err = clientimplementation.DeleteWorkspaceFolder(c.workspace.Context, c.workspace.ID, c.workspace.SSHConfigPath, c.workspace.SSHConfigIncludePath, c.log)
 		if err != nil {
 			return err
 		}
@@ -67,7 +67,7 @@ func (c *client) Delete(ctx context.Context, opt clientpkg.DeleteOptions) error
 	}
 
 	// delete the workspace folder
-	err = clientimplementation.DeleteWorkspaceFolder(c.workspace.Context, c.workspace.ID, c.workspace.SSHConfigPath, c.log)
+	err = clientimplementation.DeleteWorkspaceFolder(c.workspace.Context, c.workspace.ID, c.workspace.SSHConfigPath, c.workspace.SSHConfigIncludePath, c.log)
 	if err != nil {
 		return err
 	}

pkg/client/clientimplementation/proxy_client.go

@@ -318,7 +318,7 @@ func (s *proxyClient) Delete(ctx context.Context, opt client.DeleteOptions) erro
 		s.log.Errorf("Error deleting workspace: %v", err)
 	}
 
-	return DeleteWorkspaceFolder(s.workspace.Context, s.workspace.ID, s.workspace.SSHConfigPath, s.log)
+	return DeleteWorkspaceFolder(s.workspace.Context, s.workspace.ID, s.workspace.SSHConfigPath, s.workspace.SSHConfigIncludePath, s.log)
 }
 
 func (s *proxyClient) Stop(ctx context.Context, opt client.StopOptions) error {

pkg/client/clientimplementation/workspace_client.go

@@ -401,7 +401,7 @@ func (s *workspaceClient) Delete(ctx context.Context, opt client.DeleteOptions)
 		}
 	}
 
-	return DeleteWorkspaceFolder(s.workspace.Context, s.workspace.ID, s.workspace.SSHConfigPath, s.log)
+	return DeleteWorkspaceFolder(s.workspace.Context, s.workspace.ID, s.workspace.SSHConfigPath, s.workspace.SSHConfigIncludePath, s.log)
 }
 
 func (s *workspaceClient) isMachineRunning(ctx context.Context) (bool, error) {
@@ -630,14 +630,23 @@ func DeleteMachineFolder(context, machineID string) error {
 	return nil
 }
 
-func DeleteWorkspaceFolder(context string, workspaceID string, sshConfigPath string, log log.Logger) error {
+func DeleteWorkspaceFolder(context string, workspaceID string, sshConfigPath string, sshConfigIncludePath string, log log.Logger) error {
 	path, err := ssh.ResolveSSHConfigPath(sshConfigPath)
 	if err != nil {
 		return err
 	}
 	sshConfigPath = path
 
-	err = ssh.RemoveFromConfig(workspaceID, sshConfigPath, log)
+	// Resolve the include path if specified
+	if sshConfigIncludePath != "" {
+		includePath, err := ssh.ResolveSSHConfigPath(sshConfigIncludePath)
+		if err != nil {
+			return err
+		}
+		sshConfigIncludePath = includePath
+	}
+
+	err = ssh.RemoveFromConfig(workspaceID, sshConfigPath, sshConfigIncludePath, log)
 	if err != nil {
 		log.Errorf("Remove workspace '%s' from ssh config: %v", workspaceID, err)
 	}

pkg/config/context.go

@@ -19,6 +19,7 @@ const (
 	ContextOptionDotfilesScript             = "DOTFILES_SCRIPT"
 	ContextOptionSSHAgentForwarding         = "SSH_AGENT_FORWARDING"
 	ContextOptionSSHConfigPath              = "SSH_CONFIG_PATH"
+	ContextOptionSSHConfigIncludePath       = "SSH_CONFIG_INCLUDE_PATH"
 	ContextOptionAgentInjectTimeout         = "AGENT_INJECT_TIMEOUT"
 	ContextOptionRegistryCache              = "REGISTRY_CACHE"
 	ContextOptionSSHStrictHostKeyChecking   = "SSH_STRICT_HOST_KEY_CHECKING"
@@ -89,6 +90,10 @@ var ContextOptions = []ContextOption{
 		Name:        ContextOptionSSHConfigPath,
 		Description: "Specifies the path where the ssh config should be written to",
 	},
+	{
+		Name:        ContextOptionSSHConfigIncludePath,
+		Description: "Specifies an alternate path where DevPod host entries should be written. Use this when your main SSH config is read-only (e.g., managed by Nix). Your main SSH config should have an Include directive pointing to this file.",
+	},
 	{
 		Name:        ContextOptionAgentInjectTimeout,
 		Description: "Specifies the timeout to inject the agent",

pkg/provider/workspace.go

@@ -70,6 +70,9 @@ type Workspace struct {
 
 	// Path to the file where the SSH config to access the workspace is stored
 	SSHConfigPath string `json:"sshConfigPath,omitempty"`
+
+	// Path to an alternate file where DevPod entries are written (for read-only SSH configs)
+	SSHConfigIncludePath string `json:"sshConfigIncludePath,omitempty"`
 }
 
 type ProMetadata struct {

pkg/ssh/config.go

@@ -24,20 +24,27 @@ var (
 	MarkerEndPrefix   = "# DevPod End "
 )
 
-func ConfigureSSHConfig(sshConfigPath, context, workspace, user, workdir string, gpgagent bool, devPodHome string, log log.Logger) error {
-	return configureSSHConfigSameFile(sshConfigPath, context, workspace, user, workdir, "", gpgagent, devPodHome, log)
+func ConfigureSSHConfig(sshConfigPath, sshConfigIncludePath, context, workspace, user, workdir string, gpgagent bool, devPodHome string, log log.Logger) error {
+	return configureSSHConfigSameFile(sshConfigPath, sshConfigIncludePath, context, workspace, user, workdir, "", gpgagent, devPodHome, log)
 }
 
-func configureSSHConfigSameFile(sshConfigPath, context, workspace, user, workdir, command string, gpgagent bool, devPodHome string, log log.Logger) error {
+func configureSSHConfigSameFile(sshConfigPath, sshConfigIncludePath, context, workspace, user, workdir, command string, gpgagent bool, devPodHome string, log log.Logger) error {
 	configLock.Lock()
 	defer configLock.Unlock()
 
-	newFile, err := addHost(sshConfigPath, workspace+"."+"devpod", user, context, workspace, workdir, command, gpgagent, devPodHome)
+	// If an include path is specified, write DevPod entries there instead of the main config.
+	// This supports read-only SSH configs (e.g., managed by Nix Home Manager).
+	targetPath := sshConfigPath
+	if sshConfigIncludePath != "" {
+		targetPath = sshConfigIncludePath
+	}
+
+	newFile, err := addHost(targetPath, workspace+"."+"devpod", user, context, workspace, workdir, command, gpgagent, devPodHome)
 	if err != nil {
 		return errors.Wrap(err, "parse ssh config")
 	}
 
-	return writeSSHConfig(sshConfigPath, newFile, log)
+	return writeSSHConfig(targetPath, newFile, log)
 }
 
 type DevPodSSHEntry struct {
@@ -159,16 +166,23 @@ func GetUser(workspaceID string, sshConfigPath string) (string, error) {
 	return user, nil
 }
 
-func RemoveFromConfig(workspaceID string, sshConfigPath string, log log.Logger) error {
+func RemoveFromConfig(workspaceID string, sshConfigPath string, sshConfigIncludePath string, log log.Logger) error {
 	configLock.Lock()
 	defer configLock.Unlock()
 
-	newFile, err := removeFromConfig(sshConfigPath, workspaceID+"."+"devpod")
+	// If an include path is specified, remove DevPod entries from there instead of the main config.
+	// This supports read-only SSH configs (e.g., managed by Nix Home Manager).
+	targetPath := sshConfigPath
+	if sshConfigIncludePath != "" {
+		targetPath = sshConfigIncludePath
+	}
+
+	newFile, err := removeFromConfig(targetPath, workspaceID+"."+"devpod")
 	if err != nil {
 		return errors.Wrap(err, "parse ssh config")
 	}
 
-	return writeSSHConfig(sshConfigPath, newFile, log)
+	return writeSSHConfig(targetPath, newFile, log)
 }
 
 func writeSSHConfig(path, content string, log log.Logger) error {