loft-sh · clord · Nov 26, 2025 · Nov 26, 2025
diff --git a/cmd/agent/workspace/up.go b/cmd/agent/workspace/up.go
@@ -81,7 +81,7 @@ func (cmd *UpCmd) Run(ctx context.Context) error {
 
 	tunnelClient, logger, credentialsDir, err := initWorkspace(cancelCtx, cancel, workspaceInfo, cmd.Debug, !workspaceInfo.CLIOptions.Platform.Enabled && !workspaceInfo.CLIOptions.DisableDaemon)
 	if err != nil {
-		err1 := clientimplementation.DeleteWorkspaceFolder(workspaceInfo.Workspace.Context, workspaceInfo.Workspace.ID, workspaceInfo.Workspace.SSHConfigPath, logger)
+		err1 := clientimplementation.DeleteWorkspaceFolder(workspaceInfo.Workspace.Context, workspaceInfo.Workspace.ID, workspaceInfo.Workspace.SSHConfigPath, workspaceInfo.Workspace.SSHConfigIncludePath, logger)
 		if err1 != nil {
 			return errors.Wrap(err, err1.Error())
 		}

diff --git a/cmd/build.go b/cmd/build.go
@@ -89,6 +89,7 @@ func NewBuildCmd(flags *flags.GlobalFlags) *cobra.Command {
 				cmd.DevContainerImage,
 				cmd.DevContainerPath,
 				sshConfigPath,
+				"",
 				nil,
 				cmd.UID,
 				false,

diff --git a/cmd/pro/delete.go b/cmd/pro/delete.go
@@ -136,7 +136,7 @@ func cleanupLocalWorkspaces(ctx context.Context, devPodConfig *config.Config, wo
 					return
 				}
 				// delete workspace folder
-				err = clientimplementation.DeleteWorkspaceFolder(devPodConfig.DefaultContext, client.Workspace(), client.WorkspaceConfig().SSHConfigPath, log)
+				err = clientimplementation.DeleteWorkspaceFolder(devPodConfig.DefaultContext, client.Workspace(), client.WorkspaceConfig().SSHConfigPath, client.WorkspaceConfig().SSHConfigIncludePath, log)
 				if err != nil {
 					log.Errorf("Failed to remove workspace %s: %v", w.ID, err)
 					return

diff --git a/cmd/up.go b/cmd/up.go
@@ -196,8 +196,9 @@ func (cmd *UpCmd) Run(
 			devPodHome = envDevPodHome
 		}
 		setupGPGAgentForwarding := cmd.GPGAgentForwarding || devPodConfig.ContextOption(config.ContextOptionGPGAgentForwarding) == "true"
+		sshConfigIncludePath := devPodConfig.ContextOption(config.ContextOptionSSHConfigIncludePath)
 
-		err = configureSSH(client, cmd.SSHConfigPath, user, workdir, setupGPGAgentForwarding, devPodHome)
+		err = configureSSH(client, cmd.SSHConfigPath, sshConfigIncludePath, user, workdir, setupGPGAgentForwarding, devPodHome)
 		if err != nil {
 			return err
 		}
@@ -979,15 +980,24 @@ func startBrowserTunnel(
 	return nil
 }
 
-func configureSSH(client client2.BaseWorkspaceClient, sshConfigPath, user, workdir string, gpgagent bool, devPodHome string) error {
+func configureSSH(client client2.BaseWorkspaceClient, sshConfigPath, sshConfigIncludePath, user, workdir string, gpgagent bool, devPodHome string) error {
 	path, err := devssh.ResolveSSHConfigPath(sshConfigPath)
 	if err != nil {
 		return errors.Wrap(err, "Invalid ssh config path")
 	}
 	sshConfigPath = path
 
+	if sshConfigIncludePath != "" {
+		includePath, err := devssh.ResolveSSHConfigPath(sshConfigIncludePath)
+		if err != nil {
+			return errors.Wrap(err, "Invalid ssh config include path")
+		}
+		sshConfigIncludePath = includePath
+	}
+
 	err = devssh.ConfigureSSHConfig(
 		sshConfigPath,
+		sshConfigIncludePath,
 		client.Context(),
 		client.Workspace(),
 		user,
@@ -1399,6 +1409,7 @@ func (cmd *UpCmd) prepareClient(ctx context.Context, devPodConfig *config.Config
 	if cmd.SSHConfigPath == "" {
 		cmd.SSHConfigPath = devPodConfig.ContextOption(config.ContextOptionSSHConfigPath)
 	}
+	sshConfigIncludePath := devPodConfig.ContextOption(config.ContextOptionSSHConfigIncludePath)
 
 	client, err := workspace2.Resolve(
 		ctx,
@@ -1413,6 +1424,7 @@ func (cmd *UpCmd) prepareClient(ctx context.Context, devPodConfig *config.Config
 		cmd.DevContainerImage,
 		cmd.DevContainerPath,
 		cmd.SSHConfigPath,
+		sshConfigIncludePath,
 		source,
 		cmd.UID,
 		true,

diff --git a/pkg/client/clientimplementation/daemonclient/delete.go b/pkg/client/clientimplementation/daemonclient/delete.go
@@ -27,7 +27,7 @@ func (c *client) Delete(ctx context.Context, opt clientpkg.DeleteOptions) error
 		return err
 	} else if workspace == nil {
 		// delete the workspace folder
-		err = clientimplementation.DeleteWorkspaceFolder(c.workspace.Context, c.workspace.ID, c.workspace.SSHConfigPath, c.log)
+		err = clientimplementation.DeleteWorkspaceFolder(c.workspace.Context, c.workspace.ID, c.workspace.SSHConfigPath, c.workspace.SSHConfigIncludePath, c.log)
 		if err != nil {
 			return err
 		}
@@ -67,7 +67,7 @@ func (c *client) Delete(ctx context.Context, opt clientpkg.DeleteOptions) error
 	}
 
 	// delete the workspace folder
-	err = clientimplementation.DeleteWorkspaceFolder(c.workspace.Context, c.workspace.ID, c.workspace.SSHConfigPath, c.log)
+	err = clientimplementation.DeleteWorkspaceFolder(c.workspace.Context, c.workspace.ID, c.workspace.SSHConfigPath, c.workspace.SSHConfigIncludePath, c.log)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/client/clientimplementation/proxy_client.go b/pkg/client/clientimplementation/proxy_client.go
@@ -318,7 +318,7 @@ func (s *proxyClient) Delete(ctx context.Context, opt client.DeleteOptions) erro
 		s.log.Errorf("Error deleting workspace: %v", err)
 	}
 
-	return DeleteWorkspaceFolder(s.workspace.Context, s.workspace.ID, s.workspace.SSHConfigPath, s.log)
+	return DeleteWorkspaceFolder(s.workspace.Context, s.workspace.ID, s.workspace.SSHConfigPath, s.workspace.SSHConfigIncludePath, s.log)
 }
 
 func (s *proxyClient) Stop(ctx context.Context, opt client.StopOptions) error {

diff --git a/pkg/client/clientimplementation/workspace_client.go b/pkg/client/clientimplementation/workspace_client.go
@@ -401,7 +401,7 @@ func (s *workspaceClient) Delete(ctx context.Context, opt client.DeleteOptions)
 		}
 	}
 
-	return DeleteWorkspaceFolder(s.workspace.Context, s.workspace.ID, s.workspace.SSHConfigPath, s.log)
+	return DeleteWorkspaceFolder(s.workspace.Context, s.workspace.ID, s.workspace.SSHConfigPath, s.workspace.SSHConfigIncludePath, s.log)
 }
 
 func (s *workspaceClient) isMachineRunning(ctx context.Context) (bool, error) {
@@ -630,14 +630,22 @@ func DeleteMachineFolder(context, machineID string) error {
 	return nil
 }
 
-func DeleteWorkspaceFolder(context string, workspaceID string, sshConfigPath string, log log.Logger) error {
+func DeleteWorkspaceFolder(context string, workspaceID string, sshConfigPath string, sshConfigIncludePath string, log log.Logger) error {
 	path, err := ssh.ResolveSSHConfigPath(sshConfigPath)
 	if err != nil {
 		return err
 	}
 	sshConfigPath = path
 
-	err = ssh.RemoveFromConfig(workspaceID, sshConfigPath, log)
+	if sshConfigIncludePath != "" {
+		includePath, err := ssh.ResolveSSHConfigPath(sshConfigIncludePath)
+		if err != nil {
+			return err
+		}
+		sshConfigIncludePath = includePath
+	}
+
+	err = ssh.RemoveFromConfig(workspaceID, sshConfigPath, sshConfigIncludePath, log)
 	if err != nil {
 		log.Errorf("Remove workspace '%s' from ssh config: %v", workspaceID, err)
 	}

diff --git a/pkg/config/context.go b/pkg/config/context.go
@@ -19,6 +19,7 @@ const (
 	ContextOptionDotfilesScript             = "DOTFILES_SCRIPT"
 	ContextOptionSSHAgentForwarding         = "SSH_AGENT_FORWARDING"
 	ContextOptionSSHConfigPath              = "SSH_CONFIG_PATH"
+	ContextOptionSSHConfigIncludePath       = "SSH_CONFIG_INCLUDE_PATH"
 	ContextOptionAgentInjectTimeout         = "AGENT_INJECT_TIMEOUT"
 	ContextOptionRegistryCache              = "REGISTRY_CACHE"
 	ContextOptionSSHStrictHostKeyChecking   = "SSH_STRICT_HOST_KEY_CHECKING"
@@ -89,6 +90,10 @@ var ContextOptions = []ContextOption{
 		Name:        ContextOptionSSHConfigPath,
 		Description: "Specifies the path where the ssh config should be written to",
 	},
+	{
+		Name:        ContextOptionSSHConfigIncludePath,
+		Description: "Specifies an alternate path where DevPod host entries should be written. Use this when your main SSH config is read-only (e.g., managed by Nix). Your main SSH config should have an Include directive pointing to this file.",
+	},
 	{
 		Name:        ContextOptionAgentInjectTimeout,
 		Description: "Specifies the timeout to inject the agent",

diff --git a/pkg/provider/workspace.go b/pkg/provider/workspace.go
@@ -70,6 +70,9 @@ type Workspace struct {
 
 	// Path to the file where the SSH config to access the workspace is stored
 	SSHConfigPath string `json:"sshConfigPath,omitempty"`
+
+	// Path to an alternate file where DevPod entries are written (for read-only SSH configs)
+	SSHConfigIncludePath string `json:"sshConfigIncludePath,omitempty"`
 }
 
 type ProMetadata struct {

diff --git a/pkg/ssh/config.go b/pkg/ssh/config.go
@@ -24,20 +24,25 @@ var (
 	MarkerEndPrefix   = "# DevPod End "
 )
 
-func ConfigureSSHConfig(sshConfigPath, context, workspace, user, workdir string, gpgagent bool, devPodHome string, log log.Logger) error {
-	return configureSSHConfigSameFile(sshConfigPath, context, workspace, user, workdir, "", gpgagent, devPodHome, log)
+func ConfigureSSHConfig(sshConfigPath, sshConfigIncludePath, context, workspace, user, workdir string, gpgagent bool, devPodHome string, log log.Logger) error {
+	return configureSSHConfigSameFile(sshConfigPath, sshConfigIncludePath, context, workspace, user, workdir, "", gpgagent, devPodHome, log)
 }
 
-func configureSSHConfigSameFile(sshConfigPath, context, workspace, user, workdir, command string, gpgagent bool, devPodHome string, log log.Logger) error {
+func configureSSHConfigSameFile(sshConfigPath, sshConfigIncludePath, context, workspace, user, workdir, command string, gpgagent bool, devPodHome string, log log.Logger) error {
 	configLock.Lock()
 	defer configLock.Unlock()
 
-	newFile, err := addHost(sshConfigPath, workspace+"."+"devpod", user, context, workspace, workdir, command, gpgagent, devPodHome)
+	targetPath := sshConfigPath
+	if sshConfigIncludePath != "" {
+		targetPath = sshConfigIncludePath
+	}
+
+	newFile, err := addHost(targetPath, workspace+"."+"devpod", user, context, workspace, workdir, command, gpgagent, devPodHome)
 	if err != nil {
 		return errors.Wrap(err, "parse ssh config")
 	}
 
-	return writeSSHConfig(sshConfigPath, newFile, log)
+	return writeSSHConfig(targetPath, newFile, log)
 }
 
 type DevPodSSHEntry struct {
@@ -159,16 +164,21 @@ func GetUser(workspaceID string, sshConfigPath string) (string, error) {
 	return user, nil
 }
 
-func RemoveFromConfig(workspaceID string, sshConfigPath string, log log.Logger) error {
+func RemoveFromConfig(workspaceID string, sshConfigPath string, sshConfigIncludePath string, log log.Logger) error {
 	configLock.Lock()
 	defer configLock.Unlock()
 
-	newFile, err := removeFromConfig(sshConfigPath, workspaceID+"."+"devpod")
+	targetPath := sshConfigPath
+	if sshConfigIncludePath != "" {
+		targetPath = sshConfigIncludePath
+	}
+
+	newFile, err := removeFromConfig(targetPath, workspaceID+"."+"devpod")
 	if err != nil {
 		return errors.Wrap(err, "parse ssh config")
 	}
 
-	return writeSSHConfig(sshConfigPath, newFile, log)
+	return writeSSHConfig(targetPath, newFile, log)
 }
 
 func writeSSHConfig(path, content string, log log.Logger) error {

diff --git a/pkg/workspace/delete.go b/pkg/workspace/delete.go
@@ -36,7 +36,7 @@ func Delete(ctx context.Context, devPodConfig *config.Config, args []string, ign
 		log.Errorf("Error retrieving workspace: %v", err)
 
 		// delete workspace folder
-		err = clientimplementation.DeleteWorkspaceFolder(devPodConfig.DefaultContext, workspaceID, "", log)
+		err = clientimplementation.DeleteWorkspaceFolder(devPodConfig.DefaultContext, workspaceID, "", "", log)
 		if err != nil {
 			return "", err
 		}
@@ -49,7 +49,7 @@ func Delete(ctx context.Context, devPodConfig *config.Config, args []string, ign
 	workspaceConfig := client.WorkspaceConfig()
 	if !force && workspaceConfig.Imported {
 		// delete workspace folder
-		err = clientimplementation.DeleteWorkspaceFolder(devPodConfig.DefaultContext, client.Workspace(), workspaceConfig.SSHConfigPath, log)
+		err = clientimplementation.DeleteWorkspaceFolder(devPodConfig.DefaultContext, client.Workspace(), workspaceConfig.SSHConfigPath, workspaceConfig.SSHConfigIncludePath, log)
 		if err != nil {
 			return "", err
 		}
@@ -135,7 +135,7 @@ func deleteSingleMachine(ctx context.Context, client client2.BaseWorkspaceClient
 	}
 
 	// delete workspace folder
-	err = clientimplementation.DeleteWorkspaceFolder(client.Context(), client.Workspace(), client.WorkspaceConfig().SSHConfigPath, log)
+	err = clientimplementation.DeleteWorkspaceFolder(client.Context(), client.Workspace(), client.WorkspaceConfig().SSHConfigPath, client.WorkspaceConfig().SSHConfigIncludePath, log)
 	if err != nil {
 		return false, err
 	}

diff --git a/pkg/workspace/list.go b/pkg/workspace/list.go
@@ -53,7 +53,7 @@ func List(ctx context.Context, devPodConfig *config.Config, skipPro bool, owner
 		for _, localWorkspace := range localWorkspaces {
 			if localWorkspace.IsPro() {
 				if shouldDeleteLocalWorkspace(ctx, localWorkspace, proWorkspaceResults) {
-					err = clientimplementation.DeleteWorkspaceFolder(devPodConfig.DefaultContext, localWorkspace.ID, "", log)
+					err = clientimplementation.DeleteWorkspaceFolder(devPodConfig.DefaultContext, localWorkspace.ID, localWorkspace.SSHConfigPath, localWorkspace.SSHConfigIncludePath, log)
 					if err != nil {
 						log.Debugf("failed to delete local workspace %s: %v", localWorkspace.ID, err)
 					}

diff --git a/pkg/workspace/workspace.go b/pkg/workspace/workspace.go
@@ -39,6 +39,7 @@ func Resolve(
 	devContainerImage string,
 	devContainerPath string,
 	sshConfigPath string,
+	sshConfigIncludePath string,
 	source *providerpkg.WorkspaceSource,
 	uid string,
 	changeLastUsed bool,
@@ -63,6 +64,7 @@ func Resolve(
 		desiredMachine,
 		providerUserOptions,
 		sshConfigPath,
+		sshConfigIncludePath,
 		source,
 		uid,
 		changeLastUsed,
@@ -143,7 +145,7 @@ func Get(ctx context.Context, devPodConfig *config.Config, args []string, change
 
 	// check if we have no args
 	if len(args) == 0 {
-		provider, workspace, machine, err = selectWorkspace(ctx, devPodConfig, changeLastUsed, "", owner, log)
+		provider, workspace, machine, err = selectWorkspace(ctx, devPodConfig, changeLastUsed, "", "", owner, log)
 		if err != nil {
 			return nil, err
 		}
@@ -189,6 +191,7 @@ func resolveWorkspace(
 	desiredMachine string,
 	providerUserOptions []string,
 	sshConfigPath string,
+	sshConfigIncludePath string,
 	source *providerpkg.WorkspaceSource,
 	uid string,
 	changeLastUsed bool,
@@ -205,7 +208,7 @@ func resolveWorkspace(
 			return loadExistingWorkspace(devPodConfig, workspace.ID, changeLastUsed, log)
 		}
 
-		return selectWorkspace(ctx, devPodConfig, changeLastUsed, sshConfigPath, owner, log)
+		return selectWorkspace(ctx, devPodConfig, changeLastUsed, sshConfigPath, sshConfigIncludePath, owner, log)
 	}
 
 	// check if workspace already exists
@@ -237,13 +240,14 @@ func resolveWorkspace(
 		desiredMachine,
 		providerUserOptions,
 		sshConfigPath,
+		sshConfigIncludePath,
 		source,
 		isLocalPath,
 		uid,
 		log,
 	)
 	if err != nil {
-		_ = clientimplementation.DeleteWorkspaceFolder(devPodConfig.DefaultContext, workspaceID, sshConfigPath, log)
+		_ = clientimplementation.DeleteWorkspaceFolder(devPodConfig.DefaultContext, workspaceID, sshConfigPath, sshConfigIncludePath, log)
 		return nil, nil, nil, err
 	}
 
@@ -258,6 +262,7 @@ func createWorkspace(
 	desiredMachine string,
 	providerUserOptions []string,
 	sshConfigPath string,
+	sshConfigIncludePath string,
 	source *providerpkg.WorkspaceSource,
 	isLocalPath bool,
 	uid string,
@@ -272,7 +277,7 @@ func createWorkspace(
 	}
 
 	// resolve workspace
-	workspace, err := resolveWorkspaceConfig(ctx, provider, devPodConfig, name, workspaceID, source, isLocalPath, sshConfigPath, uid)
+	workspace, err := resolveWorkspaceConfig(ctx, provider, devPodConfig, name, workspaceID, source, isLocalPath, sshConfigPath, sshConfigIncludePath, uid)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@@ -395,6 +400,7 @@ func resolveWorkspaceConfig(
 	source *providerpkg.WorkspaceSource,
 	isLocalPath bool,
 	sshConfigPath string,
+	sshConfigIncludePath string,
 	uid string,
 ) (*providerpkg.Workspace, error) {
 	now := types.Now()
@@ -408,9 +414,10 @@ func resolveWorkspaceConfig(
 		Provider: providerpkg.WorkspaceProviderConfig{
 			Name: defaultProvider.Config.Name,
 		},
-		CreationTimestamp: now,
-		LastUsedTimestamp: now,
-		SSHConfigPath:     sshConfigPath,
+		CreationTimestamp:    now,
+		LastUsedTimestamp:    now,
+		SSHConfigPath:        sshConfigPath,
+		SSHConfigIncludePath: sshConfigIncludePath,
 	}
 
 	// outside source set?
@@ -545,7 +552,7 @@ func findWorkspace(ctx context.Context, devPodConfig *config.Config, args []stri
 	return retWorkspace
 }
 
-func selectWorkspace(ctx context.Context, devPodConfig *config.Config, changeLastUsed bool, sshConfigPath string, owner platform.OwnerFilter, log log.Logger) (*providerpkg.ProviderConfig, *providerpkg.Workspace, *providerpkg.Machine, error) {
+func selectWorkspace(ctx context.Context, devPodConfig *config.Config, changeLastUsed bool, sshConfigPath string, sshConfigIncludePath string, owner platform.OwnerFilter, log log.Logger) (*providerpkg.ProviderConfig, *providerpkg.Workspace, *providerpkg.Machine, error) {
 	if !terminal.IsTerminalIn {
 		return nil, nil, nil, errProvideWorkspaceArg
 	}
@@ -596,6 +603,9 @@ func selectWorkspace(ctx context.Context, devPodConfig *config.Config, changeLas
 			if workspace.SSHConfigPath == "" && sshConfigPath != "" {
 				workspace.SSHConfigPath = sshConfigPath
 			}
+			if workspace.SSHConfigIncludePath == "" && sshConfigIncludePath != "" {
+				workspace.SSHConfigIncludePath = sshConfigIncludePath
+			}
 			workspace.Imported = true
 			if err := providerpkg.SaveWorkspaceConfig(workspace); err != nil {
 				return nil, nil, nil, fmt.Errorf("save workspace config for workspace \"%s\": %w", workspace.ID, err)