
U2F support is available in recent versions of OpenSSH - though ideally you should configure a PIN code as well, which requires some configuration. Can't speak for how good this support is as I've not used it - but for web it is as you say zero configuration, and just works, always.

For GPG/SSH, there is a bit of an initial setup process to set up the card and generate keys (ideally generate them on-card, so you know they cannot exist elsewhere) - this can be scripted though, as we have done. As part of our deployment process we generate all needed passphrases and revocation certificates, storing them in encrypted storage, as well as uploading the public key to a known URL, which is also referenced in the smartcard configuration.

Once the card is set up - all you need on a machine is gnupg/gpg-agent and a ~/.gnupg/gpg-agent.conf file that looks like:

  no-grab
  pinentry-program /usr/bin/pinentry-curses
  default-cache-ttl 2400
  default-cache-ttl-ssh 14400
  enable-ssh-support

Using the card on a new machine is as straightforward as fetching the public key to your local/default keychain (gpg --card-edit, then 'fetch').

Switching between machines is then seamless - we have many engineers switching between macOS + Linux multiple times per day without issue.
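The per-machine setup the comment describes, as an added example (not the commenter's script): a POSIX shell script that writes the gpg-agent.conf shown above with restrictive permissions, points SSH at gpg-agent's SSH socket, and lists the keys the agent offers so you can confirm the card's authentication key is present. The pinentry path and cache TTLs are the comment's values; the use of `gpgconf --list-dirs agent-ssh-socket` and the `--command-fd 0` way of scripting `fetch` are standard GnuPG behaviour, but the target directory argument, the function names and the `--run` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example: bootstrap gpg-agent as the SSH agent for a smartcard.
# Not from the HN comment; function names and the --run flag are assumptions.
set -eu

# Write gpg-agent.conf into $1 (default ~/.gnupg) with the directives from the
# comment, then lock down the directory and file. Prints the config path.
write_agent_conf() {
  dir="${1:-$HOME/.gnupg}"
  mkdir -p "$dir"
  chmod 700 "$dir"
  conf="$dir/gpg-agent.conf"
  cat > "$conf" <<'EOF'
no-grab
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 2400
default-cache-ttl-ssh 14400
enable-ssh-support
EOF
  chmod 600 "$conf"
  printf '%s\n' "$conf"
}

# Return success if config file $1 contains directive $2 as a whole line.
conf_has() {
  grep -qx "$2" "$1"
}

# Point ssh at gpg-agent's SSH socket and make sure the agent is running.
# Needs gnupg installed; returns 1 otherwise so callers can skip gracefully.
export_agent_socket() {
  command -v gpgconf >/dev/null 2>&1 || return 1
  SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
  export SSH_AUTH_SOCK
  gpgconf --launch gpg-agent
}

# The comment's "gpg --card-edit, then 'fetch'" step, driven non-interactively:
# imports the public key from the URL stored on the card into the local keyring.
fetch_card_key() {
  printf 'fetch\nquit\n' | gpg --batch --command-fd 0 --card-edit
}

# With the card inserted, the card's authentication key shows up here.
check_agent() {
  ssh-add -L
}

# Usage: sh setup-card-ssh.sh --run
if [ "${1:-}" = "--run" ]; then
  write_agent_conf
  if export_agent_socket; then
    fetch_card_key
    check_agent
  else
    echo "gnupg not installed; wrote config only" >&2
  fi
fi
```

Run it once per machine with `--run`; rerunning is harmless because the config is simply rewritten. If `ssh-add -L` prints nothing, the usual causes are a stale `SSH_AUTH_SOCK` from another agent in the shell environment or the card not being inserted.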
