gnupg: add package option to allow custom gnupg versions

Add sops.gnupg.package option to NixOS, home-manager, and nix-darwin modules, allowing users to specify a custom gnupg package instead of the default pkgs.gnupg. This enables use of bleeding-edge GPG versions with post-quantum encryption algorithms like Kyber, addressing "store now, decrypt later" threat models.
2026-01-13 01:57:55 +08:00 · 2025-12-16 14:40:39 +01:00 · 2025-12-16 14:40:39 +01:00 · 39c667d73c
commit 39c667d73c
parent 57e2d9ef84
3 changed files with 31 additions and 3 deletions
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@ -269,6 +269,15 @@ in
    };

    gnupg = {
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.gnupg;
+        defaultText = lib.literalExpression "pkgs.gnupg";
+        description = ''
+          The gnupg package to use for sops operations.
+        '';
+      };
+
      home = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
@ -341,7 +350,7 @@ in
    sops.environment = {
      SOPS_GPG_EXEC = lib.mkMerge [
        (lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
-          lib.mkDefault "${pkgs.gnupg}/bin/gpg"
+          lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
        ))
        (lib.mkIf cfg.gnupg.qubes-split-gpg.enable (
          lib.mkDefault config.home.sessionVariables.SOPS_GPG_EXEC
--- a/modules/nix-darwin/default.nix
+++ b/modules/nix-darwin/default.nix
@ -320,6 +320,15 @@ in
        '';
      };

+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.gnupg;
+        defaultText = lib.literalExpression "pkgs.gnupg";
+        description = ''
+          The gnupg package to use for sops operations.
+        '';
+      };
+
      sshKeyPaths = lib.mkOption {
        type = lib.types.listOf lib.types.path;
        default = defaultImportKeys "rsa";
@ -384,7 +393,7 @@ in

    {
      sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
-        lib.mkDefault "${pkgs.gnupg}/bin/gpg"
+        lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
      );
    }
  ];
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -381,6 +381,16 @@ in
          This option must be explicitly unset if <literal>config.sops.gnupg.home</literal> is set.
        '';
      };
+
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.gnupg;
+        defaultText = lib.literalExpression "pkgs.gnupg";
+        description = ''
+          The gnupg package to use for sops operations.
+        '';
+      };
+
    };
  };
  imports = [
@ -442,7 +452,7 @@ in
        );

      sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
-        lib.mkDefault "${pkgs.gnupg}/bin/gpg"
+        lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
      );

      # When using sysusers we no longer are started as an activation script because those are started in initrd while sysusers is started later.