From 39c667d73c5b7e749fa044d984b2106c09157dce Mon Sep 17 00:00:00 2001
From: Fabrizio Romano Genovese
Date: Tue, 16 Dec 2025 14:40:39 +0100
Subject: [PATCH] gnupg: add package option to allow custom gnupg versions

Add sops.gnupg.package option to NixOS, home-manager, and nix-darwin modules, allowing users to specify a custom gnupg package instead of the default pkgs.gnupg. This enables use of bleeding-edge GPG versions with post-quantum encryption algorithms like Kyber, addressing "store now, decrypt later" threat models.
---
 modules/home-manager/sops.nix  | 11 ++++++++++-
 modules/nix-darwin/default.nix | 11 ++++++++++-
 modules/sops/default.nix       | 12 +++++++++++-
 3 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
index 4906b4c..5c7a0a3 100644
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@@ -269,6 +269,15 @@ in
       };
 
       gnupg = {
+        package = lib.mkOption {
+          type = lib.types.package;
+          default = pkgs.gnupg;
+          defaultText = lib.literalExpression "pkgs.gnupg";
+          description = ''
+            The gnupg package to use for sops operations.
+          '';
+        };
+
         home = lib.mkOption {
           type = lib.types.nullOr lib.types.str;
           default = null;
@@ -341,7 +350,7 @@ in
     sops.environment = {
       SOPS_GPG_EXEC = lib.mkMerge [
         (lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
-          lib.mkDefault "${pkgs.gnupg}/bin/gpg"
+          lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
         ))
         (lib.mkIf cfg.gnupg.qubes-split-gpg.enable (
           lib.mkDefault config.home.sessionVariables.SOPS_GPG_EXEC
diff --git a/modules/nix-darwin/default.nix b/modules/nix-darwin/default.nix
index f169a30..fffd5b5 100644
--- a/modules/nix-darwin/default.nix
+++ b/modules/nix-darwin/default.nix
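Review bot: The description added for the new `package` option ("The gnupg package to use for sops operations.") promises more than the patch delivers: in this file the package only feeds the `lib.mkDefault` for `SOPS_GPG_EXEC` in the second hunk, which is applied only when `cfg.gnupg.home != null` or `cfg.gnupg.sshKeyPaths != [ ]`, and when `cfg.gnupg.qubes-split-gpg.enable` is set the value from `config.home.sessionVariables.SOPS_GPG_EXEC` is merged in alongside it. A user who sets `sops.gnupg.package` to get a post-quantum-capable gpg but has `sops.environment.SOPS_GPG_EXEC` set explicitly elsewhere, or has neither a gnupg home nor ssh key paths configured, will silently keep running whatever gpg was already in effect, which defeats the stated motivation of the change. Suggest making the description state the actual contract, e.g. `The gnupg package to use for sops operations. It only provides the default for sops.environment.SOPS_GPG_EXEC, and only when sops.gnupg.home or sops.gnupg.sshKeyPaths is set; an explicitly set SOPS_GPG_EXEC takes precedence.` The identical description is added in modules/nix-darwin/default.nix (@@ -320) and modules/sops/default.nix (@@ -381), where the same wording (minus the qubes clause) applies.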
@@ -320,6 +320,15 @@ in
         '';
       };
 
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.gnupg;
+        defaultText = lib.literalExpression "pkgs.gnupg";
+        description = ''
+          The gnupg package to use for sops operations.
+        '';
+      };
+
       sshKeyPaths = lib.mkOption {
         type = lib.types.listOf lib.types.path;
         default = defaultImportKeys "rsa";
@@ -384,7 +393,7 @@ in
 
     {
       sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
-        lib.mkDefault "${pkgs.gnupg}/bin/gpg"
+        lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
       );
     }
   ];
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index 0c236d5..f80c5a2 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -381,6 +381,16 @@ in
           This option must be explicitly unset if config.sops.gnupg.home is set.
         '';
       };
+
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.gnupg;
+        defaultText = lib.literalExpression "pkgs.gnupg";
+        description = ''
+          The gnupg package to use for sops operations.
+        '';
+      };
+
     };
   };
   imports = [
@@ -442,7 +452,7 @@ in
       );
 
     sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
-      lib.mkDefault "${pkgs.gnupg}/bin/gpg"
+      lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
     );
 
     # When using sysusers we no longer are started as an activation script because those are started in initrd while sysusers is started later.