pkg/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2026-05-09 09:12:28 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add support for SSH key cmd

Browse source
This commit is contained in:
uncenter 2026-03-09 14:57:07 -05:00
parent df977b7f76
commit b2676a047c
No known key found for this signature in database
6 changed files with 42 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

12
modules/home-manager/sops.nix
View file

@ -99,6 +99,7 @@ let
sshKeyPaths = cfg.gnupg.sshKeyPaths;
ageKeyFile = cfg.age.keyFile;
ageSshKeyFile = cfg.age.sshKeyFile;
ageSshKeyCmd = cfg.age.sshKeyCmd;
ageSshKeyPaths = cfg.age.sshKeyPaths;
placeholderBySecretName = cfg.placeholder;
userMode = true;
@ -263,6 +264,16 @@ in
'';
};
sshKeyCmd = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
Command that outputs a (non-password protected) ssh private key that will be used by age for sops decryption.
Uses native ssh key support in age and requires no conversion.
'';
};
sshKeyPaths = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [ ];
@ -318,6 +329,7 @@ in
|| cfg.gnupg.qubes-split-gpg.enable == true
|| cfg.age.keyFile != null
|| cfg.age.sshKeyFile != null
|| cfg.age.sshKeyCmd != null
|| cfg.age.sshKeyPaths != [ ];
message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home or sops.gnupg.qubes-split-gpg.enable";
}

11
modules/nix-darwin/default.nix
View file

@ -311,6 +311,16 @@ in
the native ssh key support in age and requires no conversion.
'';
};
sshKeyCmd = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
Command that outputs a (non-password protected) ssh private key that will be used by age for sops decryption.
Uses native ssh key support in age and requires no conversion.
'';
};
sshKeyPaths = lib.mkOption {
type = lib.types.listOf lib.types.path;
@ -361,6 +371,7 @@ in
|| cfg.gnupg.sshKeyPaths != [ ]
|| cfg.age.keyFile != null
|| cfg.age.sshKeyFile != null
|| cfg.age.sshKeyCmd != null
|| cfg.age.sshKeyPaths != [ ];
message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home";
}

1
modules/nix-darwin/manifest-for.nix
View file

@ -16,6 +16,7 @@ writeTextFile {
sshKeyPaths = cfg.gnupg.sshKeyPaths;
ageKeyFile = cfg.age.keyFile;
ageSshKeyFile = cfg.age.sshKeyFile;
ageSshKeyCmd = cfg.age.sshKeyCmd;
ageSshKeyPaths = cfg.age.sshKeyPaths;
useTmpfs = false;
placeholderBySecretName = cfg.placeholder;

11
modules/sops/default.nix
View file

@ -350,6 +350,16 @@ in
the native ssh key support in age and requires no conversion.
'';
};
sshKeyCmd = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
Command that outputs a (non-password protected) ssh private key that will be used by age for sops decryption.
Uses native ssh key support in age and requires no conversion.
'';
};
sshKeyPaths = lib.mkOption {
type = lib.types.listOf lib.types.path;
@ -421,6 +431,7 @@ in
|| cfg.gnupg.sshKeyPaths != [ ]
|| cfg.age.keyFile != null
|| cfg.age.sshKeyFile != null
|| cfg.age.sshKeyCmd != null
|| cfg.age.sshKeyPaths != [ ];
message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home";
}

1
modules/sops/manifest-for.nix
View file

@ -41,6 +41,7 @@ else
sshKeyPaths = cfg.gnupg.sshKeyPaths;
ageKeyFile = cfg.age.keyFile;
ageSshKeyFile = cfg.age.sshKeyFile;
ageSshKeyCmd = cfg.age.ageSshKeyCmd;
ageSshKeyPaths = cfg.age.sshKeyPaths;
useTmpfs = cfg.useTmpfs;
placeholderBySecretName = cfg.placeholder;