diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix index 844d014..865dc19 100644 --- a/modules/home-manager/sops.nix +++ b/modules/home-manager/sops.nix @@ -99,6 +99,7 @@ let sshKeyPaths = cfg.gnupg.sshKeyPaths; ageKeyFile = cfg.age.keyFile; ageSshKeyFile = cfg.age.sshKeyFile; + ageSshKeyCmd = cfg.age.sshKeyCmd; ageSshKeyPaths = cfg.age.sshKeyPaths; placeholderBySecretName = cfg.placeholder; userMode = true; @@ -263,6 +264,16 @@ in ''; }; + sshKeyCmd = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = '' + Command that outputs a (non-password protected) ssh private key that will be used by age for sops decryption. + + Uses native ssh key support in age and requires no conversion. + ''; + }; + sshKeyPaths = lib.mkOption { type = lib.types.listOf lib.types.path; default = [ ]; @@ -318,6 +329,7 @@ in || cfg.gnupg.qubes-split-gpg.enable == true || cfg.age.keyFile != null || cfg.age.sshKeyFile != null + || cfg.age.sshKeyCmd != null || cfg.age.sshKeyPaths != [ ]; message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home or sops.gnupg.qubes-split-gpg.enable"; } diff --git a/modules/nix-darwin/default.nix b/modules/nix-darwin/default.nix index 88e1ffe..c43fb3c 100644 --- a/modules/nix-darwin/default.nix +++ b/modules/nix-darwin/default.nix @@ -311,6 +311,16 @@ in the native ssh key support in age and requires no conversion. ''; }; + + sshKeyCmd = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = '' + Command that outputs a (non-password protected) ssh private key that will be used by age for sops decryption. + + Uses native ssh key support in age and requires no conversion. + ''; + }; sshKeyPaths = lib.mkOption { type = lib.types.listOf lib.types.path; 
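Review bot: The new `sshKeyCmd` option description in hunk `@@ -263,6 +264,16 @@` does not tell the user what setting it does to the other key sources: in the `main.go` hunk `@@ -1326,7 +1327,7 @@` the `age-keys.txt` import is skipped whenever `ageSshKeyCmd` is non-empty, so `sops.age.keyFile` and `sops.age.sshKeyPaths` are silently ignored once this option is set, and nothing states which key wins when `sshKeyFile` is also set. I would add a sentence such as `If set, sops.age.keyFile and sops.age.sshKeyPaths are not imported; decryption uses only the key printed by this command.` to the description. The string is passed to sops unchanged through `SOPS_AGE_SSH_PRIVATE_KEY_CMD`, and how sops tokenises or executes it is not visible here, so the description should also say what form the command must take once that is confirmed. The identical description is added in `modules/nix-darwin/default.nix` (`@@ -311,6 +311,16 @@`) and `modules/sops/default.nix` (`@@ -350,6 +350,16 @@`) and should be updated the same way.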
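Review bot: The assertion in hunk `@@ -318,6 +329,7 @@` now accepts `cfg.age.sshKeyCmd != null`, but its `message` still lists only `sops.age.keyFile`, `sops.gnupg.home` and `sops.gnupg.qubes-split-gpg.enable`, so a user who hits it is not told about the new option (nor about `sshKeyFile`/`sshKeyPaths`). I would extend the message, e.g. `message = "No key source configured for sops. Set one of sops.age.keyFile, sops.age.sshKeyFile, sops.age.sshKeyCmd, sops.age.sshKeyPaths, sops.gnupg.home or sops.gnupg.qubes-split-gpg.enable";`. The same stale message is left in place by the `@@ -361,6 +371,7 @@` hunk of `modules/nix-darwin/default.nix` and the `@@ -421,6 +431,7 @@` hunk of `modules/sops/default.nix`.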
@@ -361,6 +371,7 @@ in || cfg.gnupg.sshKeyPaths != [ ] || cfg.age.keyFile != null || cfg.age.sshKeyFile != null + || cfg.age.sshKeyCmd != null || cfg.age.sshKeyPaths != [ ]; message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home"; } diff --git a/modules/nix-darwin/manifest-for.nix b/modules/nix-darwin/manifest-for.nix index edc6b3e..f9c7733 100644 --- a/modules/nix-darwin/manifest-for.nix +++ b/modules/nix-darwin/manifest-for.nix @@ -16,6 +16,7 @@ writeTextFile { sshKeyPaths = cfg.gnupg.sshKeyPaths; ageKeyFile = cfg.age.keyFile; ageSshKeyFile = cfg.age.sshKeyFile; + ageSshKeyCmd = cfg.age.sshKeyCmd; ageSshKeyPaths = cfg.age.sshKeyPaths; useTmpfs = false; placeholderBySecretName = cfg.placeholder; diff --git a/modules/sops/default.nix b/modules/sops/default.nix index 218e9b8..b17b7db 100644 --- a/modules/sops/default.nix +++ b/modules/sops/default.nix @@ -350,6 +350,16 @@ in the native ssh key support in age and requires no conversion. ''; }; + + sshKeyCmd = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = '' + Command that outputs a (non-password protected) ssh private key that will be used by age for sops decryption. + + Uses native ssh key support in age and requires no conversion. + ''; + }; sshKeyPaths = lib.mkOption { type = lib.types.listOf lib.types.path; @@ -421,6 +431,7 @@ in || cfg.gnupg.sshKeyPaths != [ ] || cfg.age.keyFile != null || cfg.age.sshKeyFile != null + || cfg.age.sshKeyCmd != null || cfg.age.sshKeyPaths != [ ]; message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home"; } diff --git a/modules/sops/manifest-for.nix b/modules/sops/manifest-for.nix index dc40065..27e74ba 100644 --- a/modules/sops/manifest-for.nix +++ b/modules/sops/manifest-for.nix 
@@ -41,6 +41,7 @@ else sshKeyPaths = cfg.gnupg.sshKeyPaths; ageKeyFile = cfg.age.keyFile; ageSshKeyFile = cfg.age.sshKeyFile; + ageSshKeyCmd = cfg.age.ageSshKeyCmd; ageSshKeyPaths = cfg.age.sshKeyPaths; useTmpfs = cfg.useTmpfs; placeholderBySecretName = cfg.placeholder; diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go index 6e3ea93..632f5c0 100644 --- a/pkgs/sops-install-secrets/main.go +++ b/pkgs/sops-install-secrets/main.go @@ -80,6 +80,7 @@ type manifest struct { GnupgHome string `json:"gnupgHome"` AgeKeyFile string `json:"ageKeyFile"` AgeSSHKeyFile string `json:"ageSshKeyFile"` + AgeSSHKeyCmd string `json:"ageSshKeyCmd"` AgeSSHKeyPaths []string `json:"ageSshKeyPaths"` UseTmpfs bool `json:"useTmpfs"` UserMode bool `json:"userMode"` @@ -1326,7 +1327,7 @@ func installSecrets(args []string) error { } // Import age keys - if (len(manifest.AgeSSHKeyPaths) != 0 || manifest.AgeKeyFile != "") && manifest.AgeSSHKeyFile == "" { + if (len(manifest.AgeSSHKeyPaths) != 0 || manifest.AgeKeyFile != "") && manifest.AgeSSHKeyFile == "" && manifest.AgeSSHKeyCmd == "" { keyfile := filepath.Join(manifest.SecretsMountPoint, "age-keys.txt") os.Setenv("SOPS_AGE_KEY_FILE", keyfile) // Create the keyfile @@ -1365,6 +1366,10 @@ func installSecrets(args []string) error { os.Setenv("SOPS_AGE_SSH_PRIVATE_KEY_FILE", manifest.AgeSSHKeyFile) } + if manifest.AgeSSHKeyCmd != "" { + os.Setenv("SOPS_AGE_SSH_PRIVATE_KEY_CMD", manifest.AgeSSHKeyCmd) + } + if err := decryptSecrets(manifest.Secrets); err != nil { return err }
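Review bot: The added line in `modules/sops/manifest-for.nix` reads `ageSshKeyCmd = cfg.age.ageSshKeyCmd;`, but the option declared in `modules/sops/default.nix` is `sshKeyCmd`, and every other manifest in this commit uses `cfg.age.sshKeyCmd`. Since `cfg.age` is the evaluated option set, referencing an undeclared attribute fails evaluation with a missing-attribute error whenever this manifest is built, regardless of whether the user set the option. The line should be `ageSshKeyCmd = cfg.age.sshKeyCmd;`.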
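Review bot: In hunk `@@ -1365,6 +1366,10 @@` the new block exports `SOPS_AGE_SSH_PRIVATE_KEY_CMD` unconditionally alongside the existing `SOPS_AGE_SSH_PRIVATE_KEY_FILE` export, so a manifest with both `ageSshKeyFile` and `ageSshKeyCmd` set hands sops two conflicting key sources, and neither the Nix assertions in this commit nor this function reject that; which one sops honours is not visible here. I would fail early instead of leaving it to sops, e.g. `if manifest.AgeSSHKeyFile != "" && manifest.AgeSSHKeyCmd != "" { return fmt.Errorf("ageSshKeyFile and ageSshKeyCmd are mutually exclusive") }` placed before the two `os.Setenv` calls (assuming `fmt` is already imported by this file), or equivalently an assertion in the Nix modules. The `os.Setenv` error is ignored as in the surrounding code, so that is consistent rather than new. `installSecrets` begins and ends outside the hunk.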