feat(home-manager): add YubiKey/FIDO2 age plugin support

Add new options under sops.age for hardware key plugin support:

- systemdDeps: custom systemd unit dependencies for sops-nix service
- requirePcscd: convenience option that auto-adds pcscd.socket dependency

The systemd user service now sets After= and Wants= to the
configured dependencies.
Ryota 2026-01-17 02:15:31 +00:00
parent 84a8698b98
commit 33119dd52c
No known key found for this signature in database
GPG key ID: 5370567CADB11F6C


@ -274,6 +274,31 @@ in
Paths to ssh keys added as age keys during sops description. Paths to ssh keys added as age keys during sops description.
''; '';
}; };
# Options for hardware key support (YubiKey, FIDO2, etc.)
systemdDeps = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "pcscd.socket" ];
description = ''
Additional systemd units that the sops-nix user service should depend on.
This is useful when using age plugins that require external services like pcscd.
'';
};
requirePcscd = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether pcscd (PC/SC Smart Card Daemon) is required for age decryption.
Enable this when using hardware key plugins like age-plugin-yubikey
or age-plugin-fido2-hmac. This automatically configures the systemd
service to depend on pcscd.socket.
Note: The system must have pcscd available (usually via
`services.pcscd.enable = true` in your NixOS configuration).
'';
};
}; };
gnupg = { gnupg = {
@ -375,6 +400,8 @@ in
systemd.user.services.sops-nix = lib.mkIf pkgs.stdenv.hostPlatform.isLinux { systemd.user.services.sops-nix = lib.mkIf pkgs.stdenv.hostPlatform.isLinux {
Unit = { Unit = {
Description = "sops-nix activation"; Description = "sops-nix activation";
After = cfg.age.systemdDeps;
Wants = cfg.age.systemdDeps;
}; };
Service = { Service = {
Type = "oneshot"; Type = "oneshot";
@ -387,6 +414,9 @@ in
if cfg.gnupg.home != null then [ "graphical-session-pre.target" ] else [ "default.target" ]; if cfg.gnupg.home != null then [ "graphical-session-pre.target" ] else [ "default.target" ];
}; };
# Auto-configure pcscd dependency when requirePcscd is enabled
sops.age.systemdDeps = lib.mkIf cfg.age.requirePcscd [ "pcscd.socket" ];
# Darwin: load secrets once on login # Darwin: load secrets once on login
launchd.agents.sops-nix = { launchd.agents.sops-nix = {
enable = true; enable = true;
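Review bot: The `pcscd.socket` that `requirePcscd` injects in the third hunk is a NixOS system unit, but the `After=`/`Wants=` added in the second hunk belong to `systemd.user.services.sops-nix`, and as far as I can tell a user manager resolves those names against user units only, so the dependency on the system socket is never honored and the ordering the option description promises is not actually enforced. In practice the system socket is normally active early and activates pcscd on connect, so decryption will usually still succeed, but if it is not up when this oneshot runs the activation fails and no secrets are provisioned for that session, and the option text hides that. I would make the limitation explicit in the `requirePcscd` description, e.g. `Note: pcscd.socket is a system unit; a user service cannot order itself after it, so this only helps when the system socket is already active (socket activation normally covers this).`, and reword `systemdDeps` to say it takes names of systemd *user* units. The enclosing config attribute set starts and ends outside these hunks, and home-manager cannot inspect `services.pcscd.enable` on the host, so a `lib.warn` when `requirePcscd` is set may be the most honest signal available.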