diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
index a772868..d62ff58 100644
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@@ -94,18 +94,20 @@ let
 manifest = manifestFor "" cfg.secrets;
+ escapedAgeKeyFile = lib.escapeShellArg cfg.age.keyFile;
+
 script = toString (pkgs.writeShellScript "sops-nix-user" ((lib.optionalString (cfg.gnupg.home != null) ''
 export SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg
 '') + (lib.optionalString cfg.age.generateKey ''
- if [[ ! -f '${cfg.age.keyFile}' ]]; then
+ if [[ ! -f ${escapedAgeKeyFile} ]]; then
 echo generating machine-specific age key...
- ${pkgs.coreutils}/bin/mkdir -p $(${pkgs.coreutils}/bin/dirname ${cfg.age.keyFile})
+ ${pkgs.coreutils}/bin/mkdir -p $(${pkgs.coreutils}/bin/dirname ${escapedAgeKeyFile})
 # age-keygen sets 0600 by default, no need to chmod.
- ${pkgs.age}/bin/age-keygen -o ${cfg.age.keyFile}
+ ${pkgs.age}/bin/age-keygen -o ${escapedAgeKeyFile}
 fi
 '' + ''
- ${sops-install-secrets}/bin/sops-install-secrets -ignore-passwd '${manifest}'
+ ${sops-install-secrets}/bin/sops-install-secrets -ignore-passwd ${manifest}
 '')));
 in {
 options.sops = {
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index c8488c4..277156f 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -344,12 +344,14 @@ in {
 supportsDryActivation = true;
 });
- generate-age-key = lib.mkIf (cfg.age.generateKey) (lib.stringAfter [] ''
- if [[ ! -f '${cfg.age.keyFile}' ]]; then
+ generate-age-key = let
+ escapedKeyFile = lib.escapeShellArg cfg.age.keyFile;
+ in lib.mkIf cfg.age.generateKey (lib.stringAfter [] ''
+ if [[ ! -f ${escapedKeyFile} ]]; then
 echo generating machine-specific age key...
- mkdir -p $(dirname ${cfg.age.keyFile})
+ mkdir -p $(dirname ${escapedKeyFile})
 # age-keygen sets 0600 by default, no need to chmod.
- ${pkgs.age}/bin/age-keygen -o ${cfg.age.keyFile}
+ ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile}
 fi
 '');
 };
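Review bot: The argument passed to dirname is now shell-escaped, but the command substitution that feeds mkdir is still unquoted, so a key path containing whitespace or glob characters is word-split and glob-expanded after substitution and mkdir -p may create the wrong directory (or several): `${pkgs.coreutils}/bin/mkdir -p "$(${pkgs.coreutils}/bin/dirname ${escapedAgeKeyFile})"`. The same gap exists in the modules/sops/default.nix hunk, where the line should read `mkdir -p "$(dirname ${escapedKeyFile})"`. The `[[ ! -f … ]]` test and the `age-keygen -o` argument are fully covered by lib.escapeShellArg, so the substitution result is the only place the key path still reaches the shell unquoted. Since the mkdir output path determines where the private age key is written, it is worth a comment such as `# quote the substitution: dirname output is subject to word splitting and globbing` so the quoting is not dropped again later.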