feat: add age plugin and fido2 hmac support

Co-authored-by: brianmcgee <brian@41north.dev>
2025-12-26 14:14:58 +08:00 · 2025-04-23 17:33:01 -05:00 · 2025-04-23 17:33:01 -05:00 · 88dd7997d9
commit 88dd7997d9
parent 94d8af61d8
4 changed files with 26 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -60,6 +60,10 @@
            ;
          # backward compatibility
          inherit (prev) ssh-to-pgp;
+
+          sops = prev.sops.withAgePlugins (p: [
+              p.age-plugin-fido2-hmac
+          ]);
        };
      nixosModules = {
        sops = ./modules/sops;
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@ -249,6 +249,14 @@ in
        '';
      };

+      plugins = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [ ];
+        description = ''
+          List of plugins to use for sops decryption.
+        '';
+      };
+
      generateKey = lib.mkOption {
        type = lib.types.bool;
        default = false;
@ -348,6 +356,8 @@ in
        ))
      ];

+      PATH = lib.makeBinPath cfg.age.plugins;
+
      QUBES_GPG_DOMAIN = lib.mkIf cfg.gnupg.qubes-split-gpg.enable (
        lib.mkDefault cfg.gnupg.qubes-split-gpg.domain
      );
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -39,6 +39,7 @@ let
    # [1] https://github.com/getsops/sops/pull/1692
    cfg = lib.recursiveUpdate cfg {
      environment.HOME = "/var/empty";
+      environment.PATH = lib.makeBinPath cfg.age.plugins;
    };
    inherit lib;
  };
@ -342,6 +343,14 @@ in
        '';
      };

+      plugins = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [ ];
+        description = ''
+          List of plugins to use for sops decryption.
+        '';
+      };
+
      generateKey = lib.mkOption {
        type = lib.types.bool;
        default = false;
@ -453,6 +462,7 @@ in
        before = [ "sysinit-reactivation.target" ];
        environment = cfg.environment;
        unitConfig.DefaultDependencies = "no";
+        path = cfg.age.plugins;

        serviceConfig = {
          Type = "oneshot";
--- a/modules/sops/secrets-for-users/default.nix
+++ b/modules/sops/secrets-for-users/default.nix
@ -17,6 +17,7 @@ let
    # See also the default NixOS module.
    cfg = lib.recursiveUpdate cfg {
      environment.HOME = "/var/empty";
+      environment.PATH = lib.makeBinPath cfg.age.plugins;
    };
    inherit lib;
  };
@ -36,6 +37,7 @@ in
        before = [ "systemd-sysusers.service" ];
        environment = cfg.environment;
        unitConfig.DefaultDependencies = "no";
+        path = cfg.age.plugins;

        serviceConfig = {
          Type = "oneshot";