From 3ef112ec7218f66124ed5743f066251e2ad4af19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 29 Dec 2021 15:11:48 +0100
Subject: [PATCH] ignore ssh keys deployed with sops
---
 modules/sops/default.nix | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index 076d5dc..aa87023 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -137,7 +137,12 @@ let
 ${sopsCall}
 )
 '';
-
+ # Skip ssh keys deployed with sops to avoid a catch 22
+ defaultImportKeys = algo:
+ if config.services.openssh.enable then
+ map (e: e.path) (lib.filter (e: e.type == algo && !(lib.hasPrefix "/run/secrets" e.path)) config.services.openssh.hostKeys)
+ else
+ [];
 in {
 options.sops = {
 secrets = mkOption {
@@ -223,7 +228,7 @@ in {
 sshKeyPaths = mkOption {
 type = types.listOf types.path;
- default = if config.services.openssh.enable then map (e: e.path) (lib.filter (e: e.type == "ed25519") config.services.openssh.hostKeys) else [];
+ default = defaultImportKeys "ed25519";
 description = ''
 Paths to ssh keys added as age keys during sops description.
 '';
@@ -242,9 +247,7 @@ in {
 sshKeyPaths = mkOption {
 type = types.listOf types.path;
- default = if config.services.openssh.enable then
- map (e: e.path) (lib.filter (e: e.type == "rsa") config.services.openssh.hostKeys)
- else [];
+ default = defaultImportKeys "rsa";
 description = ''
 Path to ssh keys added as GPG keys during sops description.
 This option must be explicitly unset if config.sops.gnupg.sshKeyPaths is set.
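Review bot: The filter in the new `defaultImportKeys` helper, on the `lib.hasPrefix "/run/secrets" e.path` line, only recognizes the module's default secrets location, so a host key whose sops secret is given a custom `path` outside that directory is still imported and the catch-22 the commit wants to avoid comes back (while an unrelated path such as `/run/secretsX` would be wrongly excluded). A more direct test is membership in the set of paths this module itself produces, e.g. `lib.any (s: s.path == e.path) (lib.attrValues config.sops.secrets)`, assuming each `sops.secrets.<name>` carries its final `path` as it does elsewhere in this module; if the secrets directory is configurable, derive the prefix from that option rather than a literal. The comment would help more if it said why, e.g. `# Skip host keys that are themselves sops secrets: they do not exist until sops has decrypted them, and decryption needs a key`. When every configured host key is sops-deployed the default silently becomes `[]`; an assertion, or a sentence in the option description, would turn the resulting decryption failure at activation into an understandable error.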
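Review bot: The changed `default = defaultImportKeys "ed25519";` line silently narrows the default to host keys outside `/run/secrets`, but neither the option's `description` nor a `defaultText` tells the user so, and the rendered manual will now show an opaque helper call instead of the previous inline expression. Add a `defaultText` (e.g. `lib.literalExpression` with the filter spelled out, or `literalExample` on older nixpkgs) and extend the description with a sentence such as `Host keys that are themselves deployed as sops secrets are excluded, since they are not available before decryption.` The context line `Paths to ssh keys added as age keys during sops description.` reads as a typo for `decryption`. The same applies to the `rsa` variant of this option further down, whose hunk is cut off at the end of this chunk.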