From d7cbc61787532354a87450a6b0485c91a90e9217 Mon Sep 17 00:00:00 2001 From: Lucas Wagler Date: Wed, 8 Apr 2026 12:56:27 -0400 Subject: [PATCH 1/4] feat(home-manager): add age key generation args option --- checks/home-manager.nix | 1 + modules/home-manager/sops.nix | 11 ++++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/checks/home-manager.nix b/checks/home-manager.nix index de1701a..c2ca541 100644 --- a/checks/home-manager.nix +++ b/checks/home-manager.nix @@ -9,6 +9,7 @@ home.enableNixpkgsReleaseCheck = false; sops.age.generateKey = true; + sops.age.extraGenerateKeyArgs = [ "-pq" ]; sops.age.keyFile = "${config.home.homeDirectory}/.age-key.txt"; sops.secrets.test_key = { }; sops.templates."template.toml".content = '' diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix index be11f69..1ed8708 100644 --- a/modules/home-manager/sops.nix +++ b/modules/home-manager/sops.nix @@ -124,7 +124,7 @@ let echo generating machine-specific age key... ${pkgs.coreutils}/bin/mkdir -p $(${pkgs.coreutils}/bin/dirname ${escapedAgeKeyFile}) # age-keygen sets 0600 by default, no need to chmod. - ${pkgs.age}/bin/age-keygen -o ${escapedAgeKeyFile} + ${pkgs.age}/bin/age-keygen -o ${escapedAgeKeyFile} ${lib.join " " cfg.age.extraGenerateKeyArgs} fi '' + '' @@ -267,6 +267,15 @@ in ''; }; + extraGenerateKeyArgs = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "-pq" ]; + description = '' + List of arguments to use when generating the age key. + ''; + }; + sshKeyPaths = lib.mkOption { type = lib.types.listOf lib.types.path; default = [ ]; From 1721fd432497a2b3a6ee34f31fae6c63a0418f94 Mon Sep 17 00:00:00 2001 From: Lucas Wagler Date: Wed, 8 Apr 2026 12:56:27 -0400 Subject: [PATCH 2/4] feat(nixos): add age key generation args option --- checks/nixos-test.nix | 51 ++++++++++++++++++++++++++++++++++++++++ modules/sops/default.nix | 11 ++++++++- 2 files changed, 61 insertions(+), 1 deletion(-) 
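Review bot: The new `${lib.join " " cfg.age.extraGenerateKeyArgs}` on the `age-keygen` line splices the list into the activation script unquoted, so any element containing whitespace or glob characters is word-split and expanded by bash before `age-keygen` sees it; the line already routes the key path through an escaped binding, and the arguments deserve the same: `${pkgs.age}/bin/age-keygen -o ${escapedAgeKeyFile} ${lib.escapeShellArgs cfg.age.extraGenerateKeyArgs}` (which also removes the dependency on `lib.join`, assuming that name resolves in the pinned nixpkgs — `concatStringsSep` is the conventional spelling). Because the extra arguments follow `-o`, a user-supplied `-o`/`--output` silently overrides the module's path (the NixOS test in the second patch relies on exactly that), after which the `[[ ! -f ${escapedAgeKeyFile} ]]` guard never sees the generated key, generation re-runs on every activation, and `keyFile` — the path the rest of the module presumably hands to sops — is never populated. I would reject `-o`, `--output` and their `=` forms in `extraGenerateKeyArgs` via an `assertions` entry whenever `generateKey` is set rather than let argument order decide. The enclosing `writeShellScript` starts before and ends after this hunk.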
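Review bot: The description `List of arguments to use when generating the age key.` on the new `extraGenerateKeyArgs` option says neither what the arguments are passed to, when they take effect, nor what they must not contain, which matters for a value that ends up inside a shell command. I would replace it with `Extra arguments appended to the age-keygen invocation that creates sops.age.keyFile when generateKey is enabled and the file does not exist yet; they have no effect on an existing key, must not include -o/--output (the output path is always keyFile), and flags such as -pq require an age build that supports them.` The `example = [ "-pq" ]` is fine but only meaningful with the last caveat stated.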
diff --git a/checks/nixos-test.nix b/checks/nixos-test.nix index 7a113fc..2512d25 100644 --- a/checks/nixos-test.nix +++ b/checks/nixos-test.nix @@ -198,6 +198,57 @@ in ''; }; + # This test should be altered or removed if `age-keygen` switches its default to match the post-quantum `-pq` behavior. + age-extra-generate-key-args = testers.runNixOSTest { + name = "age-generate-key-args"; + nodes.machine = + { ... }: + { + imports = [ ../modules/sops ]; + sops = { + age = { + keyFile = "/run/age-keys-args.txt"; + generateKey = true; + extraGenerateKeyArgs = [ "-pq" ]; + }; + defaultSopsFile = testAssets + "/secrets.yaml"; + secrets.test_key = { }; + }; + }; + + testScript = '' + start_all() + machine.succeed("cat /run/age-keys-args.txt | grep -q AGE-SECRET-KEY-PQ-") + ''; + }; + + age-extra-generate-key-args-override-keyfile = testers.runNixOSTest { + name = "age-generate-key-args-override-keyfile"; + nodes.machine = + { ... }: + { + imports = [ ../modules/sops ]; + sops = { + age = { + keyFile = "/run/age-keys-args-fail.txt"; + generateKey = true; + extraGenerateKeyArgs = [ + "-o" + "/run/age-keys-args-succeed.txt" + ]; + }; + defaultSopsFile = testAssets + "/secrets.yaml"; + secrets.test_key = { }; + }; + }; + + testScript = '' + start_all() + machine.fail("find /run/age-keys-args-fail.txt") + machine.succeed("find /run/age-keys-args-succeed.txt") + ''; + }; + age-ssh-keys = testers.runNixOSTest { name = "sops-age-ssh-keys"; nodes.machine = { diff --git a/modules/sops/default.nix b/modules/sops/default.nix index 9f19ab6..86819d4 100644 --- a/modules/sops/default.nix +++ b/modules/sops/default.nix @@ -361,6 +361,15 @@ in ''; }; + extraGenerateKeyArgs = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "-pq" ]; + description = '' + List of arguments to use when generating the age key. + ''; + }; + sshKeyPaths = lib.mkOption { type = lib.types.listOf lib.types.path; default = defaultImportKeys "ed25519"; 
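Review bot: `age-extra-generate-key-args-override-keyfile` turns a footgun into a tested contract: it asserts that a `-o` inside `extraGenerateKeyArgs` beats `sops.age.keyFile` and leaves `/run/age-keys-args-fail.txt` absent, which means the `[[ ! -f … ]]` guard in the generation script fires again on every activation and the path the module configures as its identity is never populated. I would make this test expect an evaluation failure from an assertion that rejects `-o`/`--output` in `extraGenerateKeyArgs`, or drop it. The `-pq` test only checks `grep -q AGE-SECRET-KEY-PQ-` on the key file; since `secrets.yaml` is a pre-encrypted asset, nothing here shows that `sops-install-secrets` can actually decrypt with a post-quantum identity, which presumably also depends on the pinned `sops` and `age` versions — worth stating next to the existing `age-keygen` default-switch comment. Minor: `cat … | grep -q` can be `grep -q AGE-SECRET-KEY-PQ- /run/age-keys-args.txt`, and the `name` values (`age-generate-key-args…`) do not match the attribute names (`age-extra-generate-key-args…`).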
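Review bot: The description of the NixOS `extraGenerateKeyArgs` option, `List of arguments to use when generating the age key.`, is the same underspecified text as in the home-manager module and should name the command and the constraints: `Extra arguments appended to the age-keygen call that creates sops.age.keyFile when generateKey is set and the file is absent; they do not affect an existing key and must not contain -o/--output, whose path is fixed to keyFile.` Given that `sshKeyPaths` right below defaults to host keys, it is also worth saying that this option only applies to the generated age identity, not to imported SSH keys.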
@@ -511,7 +520,7 @@ in echo generating machine-specific age key... mkdir -p $(dirname ${escapedKeyFile}) # age-keygen sets 0600 by default, no need to chmod. - ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} + ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} ${lib.join " " cfg.age.extraGenerateKeyArgs} fi '' ); From 260872257c432d2880a295f26d67c8ea4cf8c17f Mon Sep 17 00:00:00 2001 From: Lucas Wagler Date: Wed, 8 Apr 2026 12:56:27 -0400 Subject: [PATCH 3/4] feat(darwin): add age key generation args option --- checks/darwin.nix | 1 + modules/nix-darwin/default.nix | 11 ++++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/checks/darwin.nix b/checks/darwin.nix index de06e4e..229754e 100644 --- a/checks/darwin.nix +++ b/checks/darwin.nix @@ -27,5 +27,6 @@ }; sops.defaultSopsFile = ../pkgs/sops-install-secrets/test-assets/secrets.yaml; sops.age.generateKey = true; + sops.age.extraGenerateKeyArgs = [ "-pq" ]; system.stateVersion = 5; } diff --git a/modules/nix-darwin/default.nix b/modules/nix-darwin/default.nix index 27331bc..3931794 100644 --- a/modules/nix-darwin/default.nix +++ b/modules/nix-darwin/default.nix @@ -173,7 +173,7 @@ let echo generating machine-specific age key... mkdir -p "$(dirname ${escapedKeyFile})" # age-keygen sets 0600 by default, no need to chmod. - ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} + ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} ${lib.join " " cfg.age.extraGenerateKeyArgs} fi '' else @@ -300,6 +300,15 @@ in ''; }; + extraGenerateKeyArgs = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "-pq" ]; + description = '' + List of arguments to use when generating the age key. + ''; + }; + sshKeyPaths = lib.mkOption { type = lib.types.listOf lib.types.path; default = defaultImportKeys "ed25519"; From da91d2736f56a93658f4a7de316760ab54ae89dd Mon Sep 17 00:00:00 2001 
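Review bot: As in the home-manager module, `${lib.join " " cfg.age.extraGenerateKeyArgs}` on the NixOS `age-keygen` line is interpolated into the shell script without quoting, so elements with spaces or glob characters are split and expanded by bash; `${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} ${lib.escapeShellArgs cfg.age.extraGenerateKeyArgs}` keeps each list element a single argv entry, matching how `escapedKeyFile` is already handled. Appending the arguments after `-o` also lets a user-supplied `-o`/`--output` redirect the key away from `keyFile`, after which the `[[ ! -f ]]`-style guard above never sees it and the key is regenerated on every activation; an assertion against those flags when `generateKey` is set would close that. The enclosing script definition starts before and ends after this hunk.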
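Review bot: The nix-darwin `age-keygen` line has the same unquoted `${lib.join " " cfg.age.extraGenerateKeyArgs}` as the other two modules, so a list element containing whitespace or glob characters is word-split before `age-keygen` runs; `${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} ${lib.escapeShellArgs cfg.age.extraGenerateKeyArgs}` is the safe form. Note the darwin script quotes `"$(dirname ${escapedKeyFile})"` while the NixOS one does not — whichever convention is chosen, the three generation scripts are now diverging copies of one command and would benefit from a shared helper. The surrounding `if`/`else` runs past both edges of this hunk.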
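Review bot: The darwin `extraGenerateKeyArgs` description, `List of arguments to use when generating the age key.`, repeats the other modules' wording and leaves the reader guessing which command receives the arguments and whether `-o` is allowed. I would use `Extra arguments appended to the age-keygen call that creates sops.age.keyFile when generateKey is set and the file is absent; they do not affect an existing key and must not contain -o/--output, whose path is fixed to keyFile.` so all three modules document the same contract.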
From: Lucas Wagler Date: Wed, 8 Apr 2026 12:56:27 -0400 Subject: [PATCH 4/4] chore(home-manager): change wording "machine" -> "user" --- modules/home-manager/sops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix index 1ed8708..a6ad78b 100644 --- a/modules/home-manager/sops.nix +++ b/modules/home-manager/sops.nix @@ -121,7 +121,7 @@ let pkgs.writeShellScript "sops-nix-user" ( lib.optionalString cfg.age.generateKey '' if [[ ! -f ${escapedAgeKeyFile} ]]; then - echo generating machine-specific age key... + echo generating user-specific age key... ${pkgs.coreutils}/bin/mkdir -p $(${pkgs.coreutils}/bin/dirname ${escapedAgeKeyFile}) # age-keygen sets 0600 by default, no need to chmod. ${pkgs.age}/bin/age-keygen -o ${escapedAgeKeyFile} ${lib.join " " cfg.age.extraGenerateKeyArgs}