ops/nixos: tidy up various warnings

ops/nixos/lib/common.nix

@@ -154,7 +154,12 @@ in
     };
 
     environment.homeBinInPath = true;
-    security.pam.enableSSHAgentAuth = true;
+    security.pam.sshAgentAuth = {
+      enable = true;
+      authorizedKeysFiles = [
+        (toString ../../secrets/ssh-agent-pam.pub)
+      ];
+    };
     security.pam.ussh = {
       enable = true;
       control = "sufficient";
@@ -329,7 +334,7 @@ in
     services.fwupd.enable = true;
 
     # This is enabled independently of my.scrapeJournal.enable.
-    services.journald.enableHttpGateway = config.my.ip.tailscale != null || config.my.ip.tailscale6 != null;
+    services.journald.gateway.enable = config.my.ip.tailscale != null || config.my.ip.tailscale6 != null;
     systemd.sockets.systemd-journal-gatewayd.socketConfig = lib.optionalAttrs (config.my.ip.tailscale != null) {
       ListenStream = [ "" ] ++ (lib.optional (config.my.ip.tailscale != null) "${config.my.ip.tailscale}:19531") ++ (lib.optional (config.my.ip.tailscale6 != null) "[${config.my.ip.tailscale6}:19531");
       FreeBind = true;

ops/secrets/ssh-agent-pam.pub

@@ -0,0 +1,4 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILid+1rq3k3k7Kbaw8X63vrPrQdanH55TucQwp3ZWfo+ lukegb@porcorosso
+sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBAgBXCPpGxeapXvRW8z+/ZFMXvZ9q+Z2mcn5ApCSKqkS7CQjlzTj7Z21/DRQEXQALALLyqfFhcDm1VZkEp/ruBYAAAAEc3NoOg== lukegb@porcorosso
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINytpHct7PLdLNp6MoaOPP7ccBPUQKymVNMqix//Wt1f termius
+cert-authority,principals="lukegb" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqNOwlR7Qa8cbGpDfSCOweDPbAGQOZIcoRgh6s/J8DR vault-clients