feat: add age plugin and fido2 hmac support

Co-authored-by: brianmcgee <brian@41north.dev>
2026-01-13 10:07:55 +08:00 · 2025-04-23 17:33:01 -05:00 · 2025-04-23 17:33:01 -05:00 · 899e202643
commit 899e202643
parent d7593b87b0
4 changed files with 31 additions and 0 deletions
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@ -249,6 +249,14 @@ in
        '';
      };

+      plugins = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [ ];
+        description = ''
+          List of plugins to use for sops decryption.
+        '';
+      };
+
      generateKey = lib.mkOption {
        type = lib.types.bool;
        default = false;
@ -357,6 +365,8 @@ in
        ))
      ];

+      PATH = lib.makeBinPath cfg.age.plugins;
+
      QUBES_GPG_DOMAIN = lib.mkIf cfg.gnupg.qubes-split-gpg.enable (
        lib.mkDefault cfg.gnupg.qubes-split-gpg.domain
      );
--- a/modules/nix-darwin/default.nix
+++ b/modules/nix-darwin/default.nix
@ -308,6 +308,14 @@ in
          Paths to ssh keys added as age keys during sops description.
        '';
      };
+
+      plugins = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [ ];
+        description = ''
+          List of plugins to use for sops decryption.
+        '';
+      };
    };

    gnupg = {
@ -395,6 +403,7 @@ in
      sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
        lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
      );
+      sops.environment.PATH = lib.mkIf (cfg.age.plugins != [ ]) (lib.makeBinPath cfg.age.plugins);
    }
  ];
 }
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -39,6 +39,7 @@ let
    # [1] https://github.com/getsops/sops/pull/1692
    cfg = lib.recursiveUpdate cfg {
      environment.HOME = "/var/empty";
+      environment.PATH = lib.makeBinPath cfg.age.plugins;
    };
    inherit lib;
  };
@ -342,6 +343,14 @@ in
        '';
      };

+      plugins = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [ ];
+        description = ''
+          List of plugins to use for sops decryption.
+        '';
+      };
+
      generateKey = lib.mkOption {
        type = lib.types.bool;
        default = false;
@ -463,6 +472,7 @@ in
        before = [ "sysinit-reactivation.target" ];
        environment = cfg.environment;
        unitConfig.DefaultDependencies = "no";
+        path = cfg.age.plugins;

        serviceConfig = {
          Type = "oneshot";
--- a/modules/sops/secrets-for-users/default.nix
+++ b/modules/sops/secrets-for-users/default.nix
@ -17,6 +17,7 @@ let
    # See also the default NixOS module.
    cfg = lib.recursiveUpdate cfg {
      environment.HOME = "/var/empty";
+      environment.PATH = lib.makeBinPath cfg.age.plugins;
    };
    inherit lib;
  };
@ -36,6 +37,7 @@ in
        before = [ "systemd-sysusers.service" ];
        environment = cfg.environment;
        unitConfig.DefaultDependencies = "no";
+        path = cfg.age.plugins;

        serviceConfig = {
          Type = "oneshot";