feat(nixos): add age key generation args option

2026-05-05 05:26:05 +08:00 · 2026-04-08 12:56:27 -04:00 · 2026-04-08 12:56:27 -04:00 · 1721fd4324
commit 1721fd4324
parent d7cbc61787
2 changed files with 61 additions and 1 deletions
--- a/checks/nixos-test.nix
+++ b/checks/nixos-test.nix
@ -198,6 +198,57 @@ in
    '';
  };

+  # This test should be altered or removed if `age-keygen` switches its default to match the post-quantum `-pq` behavior.
+  age-extra-generate-key-args = testers.runNixOSTest {
+    name = "age-generate-key-args";
+    nodes.machine =
+      { ... }:
+      {
+        imports = [ ../modules/sops ];
+        sops = {
+          age = {
+            keyFile = "/run/age-keys-args.txt";
+            generateKey = true;
+            extraGenerateKeyArgs = [ "-pq" ];
+          };
+          defaultSopsFile = testAssets + "/secrets.yaml";
+          secrets.test_key = { };
+        };
+      };
+
+    testScript = ''
+      start_all()
+      machine.succeed("cat /run/age-keys-args.txt | grep -q AGE-SECRET-KEY-PQ-")
+    '';
+  };
+
+  age-extra-generate-key-args-override-keyfile = testers.runNixOSTest {
+    name = "age-generate-key-args-override-keyfile";
+    nodes.machine =
+      { ... }:
+      {
+        imports = [ ../modules/sops ];
+        sops = {
+          age = {
+            keyFile = "/run/age-keys-args-fail.txt";
+            generateKey = true;
+            extraGenerateKeyArgs = [
+              "-o"
+              "/run/age-keys-args-succeed.txt"
+            ];
+          };
+          defaultSopsFile = testAssets + "/secrets.yaml";
+          secrets.test_key = { };
+        };
+      };
+
+    testScript = ''
+      start_all()
+      machine.fail("find /run/age-keys-args-fail.txt")
+      machine.succeed("find /run/age-keys-args-succeed.txt")
+    '';
+  };
+
  age-ssh-keys = testers.runNixOSTest {
    name = "sops-age-ssh-keys";
    nodes.machine = {
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -361,6 +361,15 @@ in
        '';
      };

+      extraGenerateKeyArgs = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+        example = [ "-pq" ];
+        description = ''
+          List of arguments to use when generating the age key.
+        '';
+      };
+
      sshKeyPaths = lib.mkOption {
        type = lib.types.listOf lib.types.path;
        default = defaultImportKeys "ed25519";
@ -511,7 +520,7 @@ in
                echo generating machine-specific age key...
                mkdir -p $(dirname ${escapedKeyFile})
                # age-keygen sets 0600 by default, no need to chmod.
-                ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile}
+                ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} ${lib.join " " cfg.age.extraGenerateKeyArgs}
              fi
            ''
          );