Merge df977b7f76 into 9836912e37

2025-12-31 18:04:59 +08:00 · 2025-12-21 15:02:26 -05:00 · 2025-12-21 15:02:26 -05:00 · 51be135cf0
commit 51be135cf0
parent 9836912e37 df977b7f76
6 changed files with 57 additions and 1 deletions
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@ -98,6 +98,7 @@ let
        gnupgHome = cfg.gnupg.home;
        sshKeyPaths = cfg.gnupg.sshKeyPaths;
        ageKeyFile = cfg.age.keyFile;
+        ageSshKeyFile = cfg.age.sshKeyFile;
        ageSshKeyPaths = cfg.age.sshKeyPaths;
        placeholderBySecretName = cfg.placeholder;
        userMode = true;
@ -259,11 +260,26 @@ in
        '';
      };

+      sshKeyFile = lib.mkOption {
+        type = lib.types.nullOr pathNotInStore;
+        default = null;
+        example = "/home/someuser/.ssh/id_ed25519";
+        description = ''
+          Path to ssh key file that will be used by age for sops decryption.
+          
+          Unlike {option}`config.sops.age.sshKeyPaths`, this option makes use of
+          the native ssh key support in age and requires no conversion.
+        '';
+      };
+
      sshKeyPaths = lib.mkOption {
        type = lib.types.listOf lib.types.path;
        default = [ ];
        description = ''
          Paths to ssh keys added as age keys during sops description.
+          
+          These ssh keys will be converted into age keys automatically using
+          ssh-to-age before they are fed to age.
        '';
      };
    };
@ -310,6 +326,7 @@ in
          || cfg.gnupg.sshKeyPaths != [ ]
          || cfg.gnupg.qubes-split-gpg.enable == true
          || cfg.age.keyFile != null
+          || cfg.age.sshKeyFile != null
          || cfg.age.sshKeyPaths != [ ];
        message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home or sops.gnupg.qubes-split-gpg.enable";
      }
--- a/modules/nix-darwin/default.nix
+++ b/modules/nix-darwin/default.nix
@ -300,12 +300,27 @@ in
        '';
      };

+      sshKeyFile = lib.mkOption {
+        type = lib.types.nullOr pathNotInStore;
+        default = null;
+        example = "/etc/ssh/ssh_host_ed25519_key";
+        description = ''
+          Path to ssh key file that will be used by age for sops decryption.
+          
+          Unlike {option}`config.sops.age.sshKeyPaths`, this option makes use of
+          the native ssh key support in age and requires no conversion.
+        '';
+      };
+
      sshKeyPaths = lib.mkOption {
        type = lib.types.listOf lib.types.path;
        default = defaultImportKeys "ed25519";
        defaultText = lib.literalMD "The ed25519 keys from {option}`config.services.openssh.hostKeys`";
        description = ''
          Paths to ssh keys added as age keys during sops description.
+          
+          These ssh keys will be converted into age keys automatically using
+          ssh-to-age before they are fed to age.
        '';
      };
    };
@ -345,6 +360,7 @@ in
              cfg.gnupg.home != null
              || cfg.gnupg.sshKeyPaths != [ ]
              || cfg.age.keyFile != null
+              || cfg.age.sshKeyFile != null
              || cfg.age.sshKeyPaths != [ ];
            message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home";
          }
--- a/modules/nix-darwin/manifest-for.nix
+++ b/modules/nix-darwin/manifest-for.nix
@ -15,6 +15,7 @@ writeTextFile {
      gnupgHome = cfg.gnupg.home;
      sshKeyPaths = cfg.gnupg.sshKeyPaths;
      ageKeyFile = cfg.age.keyFile;
+      ageSshKeyFile = cfg.age.sshKeyFile;
      ageSshKeyPaths = cfg.age.sshKeyPaths;
      useTmpfs = false;
      placeholderBySecretName = cfg.placeholder;
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -352,12 +352,27 @@ in
        '';
      };

+      sshKeyFile = lib.mkOption {
+        type = lib.types.nullOr pathNotInStore;
+        default = null;
+        example = "/etc/ssh/ssh_host_ed25519_key";
+        description = ''
+          Path to ssh key file that will be used by age for sops decryption.
+          
+          Unlike {option}`config.sops.age.sshKeyPaths`, this option makes use of
+          the native ssh key support in age and requires no conversion.
+        '';
+      };
+
      sshKeyPaths = lib.mkOption {
        type = lib.types.listOf lib.types.path;
        default = defaultImportKeys "ed25519";
        defaultText = lib.literalMD "The ed25519 keys from {option}`config.services.openssh.hostKeys`";
        description = ''
          Paths to ssh keys added as age keys during sops description.
+          
+          These ssh keys will be converted into age keys automatically using
+          ssh-to-age before they are fed to age.
        '';
      };
    };
@ -418,6 +433,7 @@ in
              cfg.gnupg.home != null
              || cfg.gnupg.sshKeyPaths != [ ]
              || cfg.age.keyFile != null
+              || cfg.age.sshKeyFile != null
              || cfg.age.sshKeyPaths != [ ];
            message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home";
          }
--- a/modules/sops/manifest-for.nix
+++ b/modules/sops/manifest-for.nix
@ -40,6 +40,7 @@ else
        gnupgHome = cfg.gnupg.home;
        sshKeyPaths = cfg.gnupg.sshKeyPaths;
        ageKeyFile = cfg.age.keyFile;
+        ageSshKeyFile = cfg.age.sshKeyFile;
        ageSshKeyPaths = cfg.age.sshKeyPaths;
        useTmpfs = cfg.useTmpfs;
        placeholderBySecretName = cfg.placeholder;