feat(home-manager): add YubiKey/FIDO2 age plugin support

Add new options under sops.age for hardware key plugin support: - systemdDeps: custom systemd unit dependencies for sops-nix service - requirePcscd: convenience option that auto-adds pcscd.socket dependency The systemd user service now respects After= and Wants= for the configured dependencies.
2026-02-22 21:05:44 +08:00 · 2026-01-17 02:15:31 +00:00 · 2026-01-17 02:15:31 +00:00 · 33119dd52c
commit 33119dd52c
parent 84a8698b98
1 changed files with 30 additions and 0 deletions
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@ -274,6 +274,31 @@ in
          Paths to ssh keys added as age keys during sops description.
        '';
      };
+
+      # Options for hardware key support (YubiKey, FIDO2, etc.)
+      systemdDeps = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+        example = [ "pcscd.socket" ];
+        description = ''
+          Additional systemd units that the sops-nix user service should depend on.
+          This is useful when using age plugins that require external services like pcscd.
+        '';
+      };
+
+      requirePcscd = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = ''
+          Whether pcscd (PC/SC Smart Card Daemon) is required for age decryption.
+          Enable this when using hardware key plugins like age-plugin-yubikey
+          or age-plugin-fido2-hmac. This automatically configures the systemd
+          service to depend on pcscd.socket.
+
+          Note: The system must have pcscd available (usually via
+          `services.pcscd.enable = true` in your NixOS configuration).
+        '';
+      };
    };

    gnupg = {
@ -375,6 +400,8 @@ in
    systemd.user.services.sops-nix = lib.mkIf pkgs.stdenv.hostPlatform.isLinux {
      Unit = {
        Description = "sops-nix activation";
+        After = cfg.age.systemdDeps;
+        Wants = cfg.age.systemdDeps;
      };
      Service = {
        Type = "oneshot";
@ -387,6 +414,9 @@ in
        if cfg.gnupg.home != null then [ "graphical-session-pre.target" ] else [ "default.target" ];
    };

+    # Auto-configure pcscd dependency when requirePcscd is enabled
+    sops.age.systemdDeps = lib.mkIf cfg.age.requirePcscd [ "pcscd.socket" ];
+
    # Darwin: load secrets once on login
    launchd.agents.sops-nix = {
      enable = true;