Add support for SSH key cmd

2026-05-01 10:55:46 +08:00 · 2026-03-09 14:57:07 -05:00 · 2026-03-09 14:57:07 -05:00 · b2676a047c
commit b2676a047c
parent df977b7f76
6 changed files with 42 additions and 1 deletions
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@ -99,6 +99,7 @@ let
        sshKeyPaths = cfg.gnupg.sshKeyPaths;
        ageKeyFile = cfg.age.keyFile;
        ageSshKeyFile = cfg.age.sshKeyFile;
+        ageSshKeyCmd = cfg.age.sshKeyCmd;
        ageSshKeyPaths = cfg.age.sshKeyPaths;
        placeholderBySecretName = cfg.placeholder;
        userMode = true;
@ -263,6 +264,16 @@ in
        '';
      };

+      sshKeyCmd = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = ''
+          Command that outputs a (non-password protected) ssh private key that will be used by age for sops decryption.
+
+          Uses native ssh key support in age and requires no conversion.
+        '';
+      };
+
      sshKeyPaths = lib.mkOption {
        type = lib.types.listOf lib.types.path;
        default = [ ];
@ -318,6 +329,7 @@ in
          || cfg.gnupg.qubes-split-gpg.enable == true
          || cfg.age.keyFile != null
          || cfg.age.sshKeyFile != null
+          || cfg.age.sshKeyCmd != null
          || cfg.age.sshKeyPaths != [ ];
        message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home or sops.gnupg.qubes-split-gpg.enable";
      }
--- a/modules/nix-darwin/default.nix
+++ b/modules/nix-darwin/default.nix
@ -311,6 +311,16 @@ in
          the native ssh key support in age and requires no conversion.
        '';
      };
+      
+      sshKeyCmd = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = ''
+          Command that outputs a (non-password protected) ssh private key that will be used by age for sops decryption.
+
+          Uses native ssh key support in age and requires no conversion.
+        '';
+      };

      sshKeyPaths = lib.mkOption {
        type = lib.types.listOf lib.types.path;
@ -361,6 +371,7 @@ in
              || cfg.gnupg.sshKeyPaths != [ ]
              || cfg.age.keyFile != null
              || cfg.age.sshKeyFile != null
+              || cfg.age.sshKeyCmd != null
              || cfg.age.sshKeyPaths != [ ];
            message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home";
          }
--- a/modules/nix-darwin/manifest-for.nix
+++ b/modules/nix-darwin/manifest-for.nix
@ -16,6 +16,7 @@ writeTextFile {
      sshKeyPaths = cfg.gnupg.sshKeyPaths;
      ageKeyFile = cfg.age.keyFile;
      ageSshKeyFile = cfg.age.sshKeyFile;
+      ageSshKeyCmd = cfg.age.sshKeyCmd;
      ageSshKeyPaths = cfg.age.sshKeyPaths;
      useTmpfs = false;
      placeholderBySecretName = cfg.placeholder;
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -350,6 +350,16 @@ in
          the native ssh key support in age and requires no conversion.
        '';
      };
+      
+      sshKeyCmd = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = ''
+          Command that outputs a (non-password protected) ssh private key that will be used by age for sops decryption.
+
+          Uses native ssh key support in age and requires no conversion.
+        '';
+      };

      sshKeyPaths = lib.mkOption {
        type = lib.types.listOf lib.types.path;
@ -421,6 +431,7 @@ in
              || cfg.gnupg.sshKeyPaths != [ ]
              || cfg.age.keyFile != null
              || cfg.age.sshKeyFile != null
+              || cfg.age.sshKeyCmd != null
              || cfg.age.sshKeyPaths != [ ];
            message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home";
          }
--- a/modules/sops/manifest-for.nix
+++ b/modules/sops/manifest-for.nix
@ -41,6 +41,7 @@ else
        sshKeyPaths = cfg.gnupg.sshKeyPaths;
        ageKeyFile = cfg.age.keyFile;
        ageSshKeyFile = cfg.age.sshKeyFile;
+        ageSshKeyCmd = cfg.age.ageSshKeyCmd;
        ageSshKeyPaths = cfg.age.sshKeyPaths;
        useTmpfs = cfg.useTmpfs;
        placeholderBySecretName = cfg.placeholder;
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@ -80,6 +80,7 @@ type manifest struct {
 	GnupgHome               string            `json:"gnupgHome"`
 	AgeKeyFile              string            `json:"ageKeyFile"`
 	AgeSSHKeyFile           string            `json:"ageSshKeyFile"`
+	AgeSSHKeyCmd            string            `json:"ageSshKeyCmd"`
 	AgeSSHKeyPaths          []string          `json:"ageSshKeyPaths"`
 	UseTmpfs                bool              `json:"useTmpfs"`
 	UserMode                bool              `json:"userMode"`
@ -1326,7 +1327,7 @@ func installSecrets(args []string) error {
 	}

 	// Import age keys
-	if (len(manifest.AgeSSHKeyPaths) != 0 || manifest.AgeKeyFile != "") && manifest.AgeSSHKeyFile == "" {
+	if (len(manifest.AgeSSHKeyPaths) != 0 || manifest.AgeKeyFile != "") && manifest.AgeSSHKeyFile == "" && manifest.AgeSSHKeyCmd == "" {
 		keyfile := filepath.Join(manifest.SecretsMountPoint, "age-keys.txt")
 		os.Setenv("SOPS_AGE_KEY_FILE", keyfile)
 		// Create the keyfile
@ -1365,6 +1366,10 @@ func installSecrets(args []string) error {
 		os.Setenv("SOPS_AGE_SSH_PRIVATE_KEY_FILE", manifest.AgeSSHKeyFile)
 	}

+	if manifest.AgeSSHKeyCmd != "" {
+		os.Setenv("SOPS_AGE_SSH_PRIVATE_KEY_CMD", manifest.AgeSSHKeyCmd)
+	}
+
 	if err := decryptSecrets(manifest.Secrets); err != nil {
 		return err
 	}