{nixos,home-manager}: shell escape age key paths

2025-12-26 14:14:58 +08:00 · 2024-08-12 11:10:45 +02:00 · 2024-08-12 11:10:45 +02:00 · ab2d1ffeb5
commit ab2d1ffeb5
parent 8ae477955d
2 changed files with 12 additions and 8 deletions
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -344,12 +344,14 @@ in {
          supportsDryActivation = true;
        });

-        generate-age-key = lib.mkIf (cfg.age.generateKey) (lib.stringAfter [] ''
-          if [[ ! -f '${cfg.age.keyFile}' ]]; then
+        generate-age-key = let
+          escapedKeyFile = lib.escapeShellArg cfg.age.keyFile;
+        in lib.mkIf cfg.age.generateKey (lib.stringAfter [] ''
+          if [[ ! -f ${escapedKeyFile} ]]; then
            echo generating machine-specific age key...
-            mkdir -p $(dirname ${cfg.age.keyFile})
+            mkdir -p $(dirname ${escapedKeyFile})
            # age-keygen sets 0600 by default, no need to chmod.
-            ${pkgs.age}/bin/age-keygen -o ${cfg.age.keyFile}
+            ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile}
          fi
        '');
      };