From 88dd7997d9f5f54806da4e2ee30df2c65678be39 Mon Sep 17 00:00:00 2001 From: NovaViper Date: Wed, 23 Apr 2025 17:33:01 -0500 Subject: [PATCH] feat: add age plugin and fido2 hmac support Co-authored-by: brianmcgee --- flake.nix | 4 ++++ modules/home-manager/sops.nix | 10 ++++++++++ modules/sops/default.nix | 10 ++++++++++ modules/sops/secrets-for-users/default.nix | 2 ++ 4 files changed, 26 insertions(+) diff --git a/flake.nix b/flake.nix index 3ac2f6e..d314213 100644 --- a/flake.nix +++ b/flake.nix @@ -60,6 +60,10 @@ ; # backward compatibility inherit (prev) ssh-to-pgp; + + sops = prev.sops.withAgePlugins (p: [ + p.age-plugin-fido2-hmac + ]); }; nixosModules = { sops = ./modules/sops; diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix index 4906b4c..b2fd906 100644 --- a/modules/home-manager/sops.nix +++ b/modules/home-manager/sops.nix @@ -249,6 +249,14 @@ in ''; }; + plugins = lib.mkOption { + type = lib.types.listOf lib.types.package; + default = [ ]; + description = '' + List of plugins to use for sops decryption. + ''; + }; + generateKey = lib.mkOption { type = lib.types.bool; default = false; @@ -348,6 +356,8 @@ in )) ]; + PATH = lib.makeBinPath cfg.age.plugins; + QUBES_GPG_DOMAIN = lib.mkIf cfg.gnupg.qubes-split-gpg.enable ( lib.mkDefault cfg.gnupg.qubes-split-gpg.domain ); diff --git a/modules/sops/default.nix b/modules/sops/default.nix index 0c236d5..a733cbc 100644 --- a/modules/sops/default.nix +++ b/modules/sops/default.nix @@ -39,6 +39,7 @@ let # [1] https://github.com/getsops/sops/pull/1692 cfg = lib.recursiveUpdate cfg { environment.HOME = "/var/empty"; + environment.PATH = lib.makeBinPath cfg.age.plugins; }; inherit lib; }; @@ -342,6 +343,14 @@ in ''; }; + plugins = lib.mkOption { + type = lib.types.listOf lib.types.package; + default = [ ]; + description = '' + List of plugins to use for sops decryption. + ''; + }; + generateKey = lib.mkOption { type = lib.types.bool; default = false; 
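Review bot: The overlay now bakes `age-plugin-fido2-hmac` into `sops` for every consumer, while the `sops.age.plugins` option this same commit introduces defaults to `[ ]`, so the two mechanisms disagree on whether the plugin is opt-in. Every system taking the overlay's `sops` carries the plugin and its native dependencies in its closure even if it never decrypts a fido2 recipient, and a CLI user gets a plugin that the NixOS/home-manager install units may not expose. If this is meant as a convenience for interactive `sops` use, record that next to the definition, e.g. `# ship the fido2-hmac age plugin with the overlay's sops for CLI edits; the modules expose plugins separately via sops.age.plugins`; otherwise leave the overlay's `sops` untouched and let users opt in through the option. The enclosing overlay attrset starts and ends outside the hunk.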
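Review bot: `PATH = lib.makeBinPath cfg.age.plugins;` is defined unconditionally and without `lib.mkDefault`, so with the default empty plugin list it sets `PATH` to the empty string, and any user who already sets `sops.environment.PATH` gets a conflicting-definition error — unlike the neighbouring `QUBES_GPG_DOMAIN`, which is guarded with `mkIf` and `mkDefault`. If `sops.environment` is exported around the install command in the activation script (not visible here), an empty `PATH` also clobbers the search path for anything run after that export. Suggested: `PATH = lib.mkIf (cfg.age.plugins != [ ]) (lib.mkDefault (lib.makeBinPath cfg.age.plugins));`. Restricting the value to the plugin bin directories is a reasonable least-privilege choice, since age resolves plugins by name from PATH, but it deserves a one-line comment so nobody later "fixes" it by appending the full user PATH. The enclosing attribute set begins outside the hunk.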
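Review bot: `environment.PATH = lib.makeBinPath cfg.age.plugins;` is applied even when `cfg.age.plugins` is empty (its default), so the manifest carries `PATH = ""`; if sops-install-secrets exports the manifest's `environment` into its own process, as the existing `HOME = "/var/empty"` entry and its sops PR reference suggest, the installer then runs with an empty search path. Because this is a plain `recursiveUpdate` argument rather than a module option, guard it with `optionalAttrs` instead of `mkIf`, and keep `HOME` in the same set so the merge does not drop it: `environment = { HOME = "/var/empty"; } // lib.optionalAttrs (cfg.age.plugins != [ ]) { PATH = lib.makeBinPath cfg.age.plugins; };`. A short comment alongside the existing `[1]` note would help, e.g. `# age locates plugins as age-plugin-<name> on PATH; expose only the configured plugin packages`. The surrounding `let` binding starts and ends outside the hunk.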
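Review bot: The new `plugins` option's description, `List of plugins to use for sops decryption.`, does not say these are age plugin packages nor how they are used, which matters because the value is a list of packages and the commit wires them onto PATH for the installer. Suggested: `Age plugin packages (for example age-plugin-fido2-hmac) whose bin directories are exposed on PATH to sops-install-secrets, so recipients handled by those plugins can be decrypted at activation.` The same wording applies to the home-manager option of the same name added in this commit. It is probably also worth stating that the install unit runs unattended at sysinit, so plugin identities that require a PIN or touch prompt are unlikely to work there — confirm against the plugin's behaviour before documenting it as a hard limitation.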
@@ -453,6 +462,7 @@ in before = [ "sysinit-reactivation.target" ]; environment = cfg.environment; unitConfig.DefaultDependencies = "no"; + path = cfg.age.plugins; serviceConfig = { Type = "oneshot"; diff --git a/modules/sops/secrets-for-users/default.nix b/modules/sops/secrets-for-users/default.nix index aee1ced..841eb13 100644 --- a/modules/sops/secrets-for-users/default.nix +++ b/modules/sops/secrets-for-users/default.nix @@ -17,6 +17,7 @@ let # See also the default NixOS module. cfg = lib.recursiveUpdate cfg { environment.HOME = "/var/empty"; + environment.PATH = lib.makeBinPath cfg.age.plugins; }; inherit lib; }; @@ -36,6 +37,7 @@ in before = [ "systemd-sysusers.service" ]; environment = cfg.environment; unitConfig.DefaultDependencies = "no"; + path = cfg.age.plugins; serviceConfig = { Type = "oneshot";
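Review bot: `path = cfg.age.plugins;` supplies the unit's PATH via the NixOS `path` option while the manifest in the same commit also sets `environment.PATH` from the same list, leaving two sources of truth for which binaries the installer can find; if the manifest value is re-exported by sops-install-secrets it silently wins. Defining `path` here also replaces the module system's default service `path` (which, as far as I recall, carries coreutils and friends), so even with `plugins = [ ]` the unit loses tools it previously had — fine if the installer never execs anything by name, but worth confirming. Pick one mechanism and comment the intent where it is kept, e.g. `# age resolves plugins by name from PATH; expose only the configured plugin packages and nothing else`. The unit definition starts before and continues after the hunk.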
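Review bot: `environment.PATH = lib.makeBinPath cfg.age.plugins;` in the secrets-for-users manifest is unconditional, so with the default empty plugin list the manifest carries `PATH = ""`, which the installer may export into its own process (the adjacent `HOME = "/var/empty"` entry suggests it does). Guard it with `optionalAttrs` while keeping `HOME` in the same set so the merge does not drop it: `environment = { HOME = "/var/empty"; } // lib.optionalAttrs (cfg.age.plugins != [ ]) { PATH = lib.makeBinPath cfg.age.plugins; };`. This unit runs before `systemd-sysusers.service`, so whatever PATH it ends up with is all the installer has that early in boot. The enclosing `let` binding starts and ends outside the hunk.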