From 260872257c432d2880a295f26d67c8ea4cf8c17f Mon Sep 17 00:00:00 2001
From: Lucas Wagler
Date: Wed, 8 Apr 2026 12:56:27 -0400
Subject: [PATCH] feat(darwin): add age key generation args option
---
 checks/darwin.nix | 1 +
 modules/nix-darwin/default.nix | 11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/checks/darwin.nix b/checks/darwin.nix
index de06e4e..229754e 100644
--- a/checks/darwin.nix
+++ b/checks/darwin.nix
@@ -27,5 +27,6 @@
 };
 sops.defaultSopsFile = ../pkgs/sops-install-secrets/test-assets/secrets.yaml;
 sops.age.generateKey = true;
+ sops.age.extraGenerateKeyArgs = [ "-pq" ];
 system.stateVersion = 5;
 }
diff --git a/modules/nix-darwin/default.nix b/modules/nix-darwin/default.nix
index 27331bc..3931794 100644
--- a/modules/nix-darwin/default.nix
+++ b/modules/nix-darwin/default.nix
@@ -173,7 +173,7 @@ let
 echo generating machine-specific age key...
 mkdir -p "$(dirname ${escapedKeyFile})"
 # age-keygen sets 0600 by default, no need to chmod.
- ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile}
+ ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} ${lib.join " " cfg.age.extraGenerateKeyArgs}
 fi
 ''
 else
@@ -300,6 +300,15 @@ in
 '';
 };
 
+ extraGenerateKeyArgs = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ example = [ "-pq" ];
+ description = ''
+ List of arguments to use when generating the age key.
+ '';
+ };
+
 sshKeyPaths = lib.mkOption {
 type = lib.types.listOf lib.types.path;
 default = defaultImportKeys "ed25519";
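Review bot: In the `@@ -173,7 +173,7 @@` hunk of modules/nix-darwin/default.nix, the elements of `cfg.age.extraGenerateKeyArgs` are joined with spaces and placed in the generated shell script unquoted, so an element containing whitespace, `$`, `;` or quotes is re-split or interpreted by the shell instead of reaching age-keygen as a single argument. The key file on the same line already goes through `escapedKeyFile`, and the new arguments should be escaped the same way: `${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} ${lib.escapeShellArgs cfg.age.extraGenerateKeyArgs}`. That also drops the dependency on `lib.join`, which older nixpkgs `lib` versions may not provide (not checked here). The script block around this line starts and ends outside the hunk.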
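Review bot: The description of `extraGenerateKeyArgs` in the `@@ -300,6 +300,15 @@` hunk does not say how the arguments are passed or when they take effect. From the other hunk they are appended after `age-keygen -o <keyFile>`, and the `fi` there suggests generation is conditional (the condition is outside the hunk), so presumably changing the option later leaves an existing key untouched; that should be confirmed and stated. I would word it along the lines of `Extra arguments appended to the age-keygen invocation when sops.age.generateKey creates the key file. They have no effect on a key that already exists.` and add that `-o` is already supplied by the module.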