ops: tweak SSH auth; add red solo SK-resident key

ops/nixos/lib/client.nix

@@ -9,6 +9,7 @@ in
 {
   config = {
     my.home-manager.imports = lib.mkAfter [ ./home-manager/client.nix ];
+    programs.ssh.startAgent = true;
     nix.gc.automatic = false;
   };
 }

ops/nixos/lib/common.nix

@@ -57,8 +57,7 @@ in
     };
 
     environment.homeBinInPath = true;
-    security.doas.wheelNeedsPassword = false;
-    security.sudo.wheelNeedsPassword = false;
+    security.pam.enableSSHAgentAuth = true;
 
     users.mutableUsers = false;
     users.users = let secrets = depot.ops.secrets; in {
@@ -74,6 +73,7 @@ in
           ../../secrets/lukegb_porcorosso_win.pub
           ../../secrets/lukegb_porcorosso_wsl.pub
           ../../secrets/lukegb_porcorosso_linux.pub
+          ../../secrets/lukegb_red_solo.pub
         ];
       };
       deployer = {

ops/secrets/lukegb_red_solo.pub

@@ -0,0 +1 @@
+sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBAgBXCPpGxeapXvRW8z+/ZFMXvZ9q+Z2mcn5ApCSKqkS7CQjlzTj7Z21/DRQEXQALALLyqfFhcDm1VZkEp/ruBYAAAAEc3NoOg== lukegb-red-solo-key