Merge da91d2736f into d2e8438d58

2026-04-10 04:15:55 +08:00 · 2026-04-08 17:39:26 -04:00 · 2026-04-08 17:39:26 -04:00 · dcc85864c8
commit dcc85864c8
parent d2e8438d58 da91d2736f
6 changed files with 84 additions and 4 deletions
--- a/checks/darwin.nix
+++ b/checks/darwin.nix
@ -27,5 +27,6 @@
  };
  sops.defaultSopsFile = ../pkgs/sops-install-secrets/test-assets/secrets.yaml;
  sops.age.generateKey = true;
+  sops.age.extraGenerateKeyArgs = [ "-pq" ];
  system.stateVersion = 5;
 }
--- a/checks/home-manager.nix
+++ b/checks/home-manager.nix
@ -9,6 +9,7 @@
  home.enableNixpkgsReleaseCheck = false;

  sops.age.generateKey = true;
+  sops.age.extraGenerateKeyArgs = [ "-pq" ];
  sops.age.keyFile = "${config.home.homeDirectory}/.age-key.txt";
  sops.secrets.test_key = { };
  sops.templates."template.toml".content = ''
--- a/checks/nixos-test.nix
+++ b/checks/nixos-test.nix
@ -198,6 +198,57 @@ in
    '';
  };

+  # This test should be altered or removed if `age-keygen` switches its default to match the post-quantum `-pq` behavior.
+  age-extra-generate-key-args = testers.runNixOSTest {
+    name = "age-generate-key-args";
+    nodes.machine =
+      { ... }:
+      {
+        imports = [ ../modules/sops ];
+        sops = {
+          age = {
+            keyFile = "/run/age-keys-args.txt";
+            generateKey = true;
+            extraGenerateKeyArgs = [ "-pq" ];
+          };
+          defaultSopsFile = testAssets + "/secrets.yaml";
+          secrets.test_key = { };
+        };
+      };
+
+    testScript = ''
+      start_all()
+      machine.succeed("cat /run/age-keys-args.txt | grep -q AGE-SECRET-KEY-PQ-")
+    '';
+  };
+
+  age-extra-generate-key-args-override-keyfile = testers.runNixOSTest {
+    name = "age-generate-key-args-override-keyfile";
+    nodes.machine =
+      { ... }:
+      {
+        imports = [ ../modules/sops ];
+        sops = {
+          age = {
+            keyFile = "/run/age-keys-args-fail.txt";
+            generateKey = true;
+            extraGenerateKeyArgs = [
+              "-o"
+              "/run/age-keys-args-succeed.txt"
+            ];
+          };
+          defaultSopsFile = testAssets + "/secrets.yaml";
+          secrets.test_key = { };
+        };
+      };
+
+    testScript = ''
+      start_all()
+      machine.fail("find /run/age-keys-args-fail.txt")
+      machine.succeed("find /run/age-keys-args-succeed.txt")
+    '';
+  };
+
  age-ssh-keys = testers.runNixOSTest {
    name = "sops-age-ssh-keys";
    nodes.machine = {
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@ -121,10 +121,10 @@ let
    pkgs.writeShellScript "sops-nix-user" (
      lib.optionalString cfg.age.generateKey ''
        if [[ ! -f ${escapedAgeKeyFile} ]]; then
-          echo generating machine-specific age key...
+          echo generating user-specific age key...
          ${pkgs.coreutils}/bin/mkdir -p $(${pkgs.coreutils}/bin/dirname ${escapedAgeKeyFile})
          # age-keygen sets 0600 by default, no need to chmod.
-          ${pkgs.age}/bin/age-keygen -o ${escapedAgeKeyFile}
+          ${pkgs.age}/bin/age-keygen -o ${escapedAgeKeyFile} ${lib.join " " cfg.age.extraGenerateKeyArgs}
        fi
      ''
      + ''
@ -267,6 +267,15 @@ in
        '';
      };

+      extraGenerateKeyArgs = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+        example = [ "-pq" ];
+        description = ''
+          List of arguments to use when generating the age key.
+        '';
+      };
+
      sshKeyPaths = lib.mkOption {
        type = lib.types.listOf lib.types.path;
        default = [ ];
--- a/modules/nix-darwin/default.nix
+++ b/modules/nix-darwin/default.nix
@ -173,7 +173,7 @@ let
            echo generating machine-specific age key...
            mkdir -p "$(dirname ${escapedKeyFile})"
            # age-keygen sets 0600 by default, no need to chmod.
-            ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile}
+            ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} ${lib.join " " cfg.age.extraGenerateKeyArgs}
          fi
        ''
      else
@ -300,6 +300,15 @@ in
        '';
      };

+      extraGenerateKeyArgs = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+        example = [ "-pq" ];
+        description = ''
+          List of arguments to use when generating the age key.
+        '';
+      };
+
      sshKeyPaths = lib.mkOption {
        type = lib.types.listOf lib.types.path;
        default = defaultImportKeys "ed25519";
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -361,6 +361,15 @@ in
        '';
      };

+      extraGenerateKeyArgs = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+        example = [ "-pq" ];
+        description = ''
+          List of arguments to use when generating the age key.
+        '';
+      };
+
      sshKeyPaths = lib.mkOption {
        type = lib.types.listOf lib.types.path;
        default = defaultImportKeys "ed25519";
@ -511,7 +520,7 @@ in
                echo generating machine-specific age key...
                mkdir -p $(dirname ${escapedKeyFile})
                # age-keygen sets 0600 by default, no need to chmod.
-                ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile}
+                ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} ${lib.join " " cfg.age.extraGenerateKeyArgs}
              fi
            ''
          );