Definitively switch PIV->FIDO2 for SSH

And move Security section from home/home

modules/home/common.nix

@@ -11,6 +11,7 @@
     wget
     gemini-cli
     silver-searcher
+    yubikey-manager
   ];
   home.activation.stowLegacy = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
     if [ -d "$HOME/dotfiles" ]; then

modules/home/mac-portable.nix

@@ -12,6 +12,10 @@
 
     # Faster and more feature-rich than Terminal.
     iterm2
+
+    # Newer OpenSSH client to support FIDO2 keys.
+    openssh
+    libfido2
   ];
 
   targets.darwin.defaults."com.googlecode.iterm2" = {
@@ -45,11 +49,21 @@
       };
 
   programs.zsh.envExtra = ''
-    # If Secretive doesn't recognize your Yubikey PIV, it's possible you
-    # generated it using yubikey-agent and that did not update CHUID. Simply
-    # running 'ykman piv objects generate chuid' should be sufficient.
+    # Can't use ssh-agent-mux to mux Secretive and yubikey-agent:
+    # https://github.com/overhacked/ssh-agent-mux/issues/56
+    # export SSH_AUTH_SOCK=~/.ssh/ssh-agent-mux.sock
+
+    # Can't use Secretive to SSH using PIV from Yubikey:
+    # https://github.com/maxgoedjen/secretive/issues/330
+    #
+    # If PIV entry was generated by yubikey-agent, Secretive may not see it at
+    # all. Running 'ykman piv objects generate chuid' should fix that.
     # https://github.com/maxgoedjen/secretive/issues/333
 
+    # See README.md "Security" section to learn how we create keys.
+
+    # Setting IdentityAgent in SSH config achieves a similar result, but doesn't
+    # work with commit signing.
     export SSH_AUTH_SOCK=~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
   '';