From 33119dd52cedbdeae8ce87dd58fe31e9917f16c3 Mon Sep 17 00:00:00 2001
From: Ryota
Date: Sat, 17 Jan 2026 02:15:31 +0000
Subject: [PATCH] feat(home-manager): add YubiKey/FIDO2 age plugin support

Add new options under sops.age for hardware key plugin support:
- systemdDeps: custom systemd unit dependencies for sops-nix service
- requirePcscd: convenience option that auto-adds pcscd.socket dependency

The systemd user service now respects After= and Wants= for the configured dependencies.
---
 modules/home-manager/sops.nix | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
index e340198..85209dc 100644
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@@ -274,6 +274,31 @@ in
 Paths to ssh keys added as age keys during sops description.
 '';
 };
+
+ # Options for hardware key support (YubiKey, FIDO2, etc.)
+ systemdDeps = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ example = [ "pcscd.socket" ];
+ description = ''
+ Additional systemd units that the sops-nix user service should depend on.
+ This is useful when using age plugins that require external services like pcscd.
+ '';
+ };
+
+ requirePcscd = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether pcscd (PC/SC Smart Card Daemon) is required for age decryption.
+ Enable this when using hardware key plugins like age-plugin-yubikey
+ or age-plugin-fido2-hmac. This automatically configures the systemd
+ service to depend on pcscd.socket.
+
+ Note: The system must have pcscd available (usually via
+ `services.pcscd.enable = true` in your NixOS configuration).
+ '';
+ };
 };
 
 gnupg = {
@@ -375,6 +400,8 @@ in
 systemd.user.services.sops-nix = lib.mkIf pkgs.stdenv.hostPlatform.isLinux {
 Unit = {
 Description = "sops-nix activation";
+ After = cfg.age.systemdDeps;
+ Wants = cfg.age.systemdDeps;
 };
 Service = {
 Type = "oneshot";
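Review bot: The `systemdDeps` description in the first hunk does not say how the listed units are consumed, and the name `requirePcscd` reads as a hard requirement while the second hunk feeds the same list into `Wants=`, which only pulls the unit in and does not fail or block sops-nix activation when the unit is missing or fails to start. Spell that out in the option docs so nobody expects `Requires=` semantics, e.g. append to the `systemdDeps` description `These units are added to After= and Wants= of the sops-nix user service; activation still runs if they are absent.` and echo the same caveat in `requirePcscd`. If a hard dependency is actually intended for hardware-key decryption, the options should populate `Requires=` (or `BindsTo=`) rather than `Wants=`, and the docs should say which one.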
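Review bot: `After = cfg.age.systemdDeps;` and `Wants = cfg.age.systemdDeps;` are set on a `systemd.user.services` unit, and a user manager resolves these names only against units of the user instance, so the default contributed by the third hunk, `pcscd.socket`, which the option text itself says comes from `services.pcscd.enable` in the NixOS system configuration, will presumably not be found there and the dependency will be dropped without error. If that is confirmed (e.g. by inspecting the resulting user unit's resolved dependencies), the module should either document that the ordering against the system pcscd cannot be expressed from the user instance and that the age plugin must tolerate pcscd not yet listening, or restrict `requirePcscd` to a unit that exists in the user manager; the `requirePcscd` description in the first hunk would then need the same correction. The empty-list default also relies on home-manager emitting no `After=`/`Wants=` entries for `[ ]`, which deserves a short comment such as `# an empty list renders no After=/Wants= lines`. The `systemd.user.services.sops-nix` attribute set continues past the end of this hunk.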
@@ -387,6 +414,9 @@ in
 if cfg.gnupg.home != null then [ "graphical-session-pre.target" ] else [ "default.target" ];
 };
 
+ # Auto-configure pcscd dependency when requirePcscd is enabled
+ sops.age.systemdDeps = lib.mkIf cfg.age.requirePcscd [ "pcscd.socket" ];
+
 # Darwin: load secrets once on login
 launchd.agents.sops-nix = {
 enable = true;