Check for /run/pcscd/pcscd.comm socket file directly instead of using
systemctl, which may have D-Bus permission issues when running as a
user service. The socket file is created by systemd when pcscd.socket
is active and listening.

Increased wait time to 6 seconds (30 iterations × 0.2s) to handle
slower boot scenarios.

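The socket-file readiness check this commit describes, written out as an added shell example (not sops-nix's own code). It polls for the path systemd creates when pcscd.socket is active instead of calling systemctl; the defaults match the page (/run/pcscd/pcscd.comm, 30 iterations x 0.2 s), and it assumes a `sleep` that accepts fractional seconds (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example: poll for the pcscd Unix socket rather than asking systemctl,
# which can fail with D-Bus permission errors from a systemd user service.
# Path, iteration count and interval are parameters; defaults follow the page.

# wait_for_pcscd_socket [path] [max_iterations] [interval_seconds]
# Returns 0 as soon as a Unix socket exists at the path, 1 if it never appears
# within max_iterations * interval_seconds (default 30 * 0.2 s = 6 s).
wait_for_pcscd_socket() {
  path="${1:-/run/pcscd/pcscd.comm}"
  max_iter="${2:-30}"
  interval="${3:-0.2}"   # assumes sleep accepts fractional seconds
  i=0
  while [ "$i" -lt "$max_iter" ]; do
    # -S is true only for a socket; a stale regular file does not count
    if [ -S "$path" ]; then
      return 0
    fi
    i=$((i + 1))
    sleep "$interval"
  done
  return 1
}

# pcscd_precheck [path] [max_iterations] [interval_seconds]
# Wrapper meant to run before sops decrypts with a hardware-key plugin, so a
# missing pcscd shows up as a readiness problem instead of an opaque
# decryption failure. Same return codes as wait_for_pcscd_socket.
pcscd_precheck() {
  if wait_for_pcscd_socket "$@"; then
    echo "pcscd socket ready: ${1:-/run/pcscd/pcscd.comm}" >&2
    return 0
  fi
  echo "pcscd socket ${1:-/run/pcscd/pcscd.comm} not found; is pcscd.socket active?" >&2
  return 1
}
```

Call `pcscd_precheck` with no arguments for the page's defaults, or pass a path and shorter limits when testing outside a booted system.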
Add the requirePcscd option to the nix-darwin module for consistency
with NixOS and home-manager modules. On macOS, CryptoTokenKit typically
handles YubiKey communication automatically, but this option is provided
for API consistency.

Add new options under sops.age for hardware key plugin support:
- systemdDeps: custom systemd unit dependencies for sops-nix service
- requirePcscd: convenience option that auto-adds pcscd.socket dependency
The systemd user service now respects After= and Wants= for
the configured dependencies.

Add support for activationScriptDeps and systemdDeps in the
secrets-for-users module, ensuring pcscd dependencies are
respected for secrets that need to be available before user
creation (neededForUsers = true).

Add new options under sops.age for hardware key plugin support:
- activationScriptDeps: custom activation script dependencies
- systemdDeps: custom systemd unit dependencies
- requirePcscd: convenience option that auto-configures pcscd

When requirePcscd is enabled:
- Adds pcscd.socket as systemd dependency (systemd activation mode)
- Creates setupPcscdForSops activation script (traditional mode)
- Validates that services.pcscd.enable is set

This addresses GitHub issue #377 for YubiKey-hosted age keys.

Add sops.gnupg.package option to NixOS, home-manager, and nix-darwin
modules, allowing users to specify a custom gnupg package instead of
the default pkgs.gnupg.

This enables use of bleeding-edge GPG versions with post-quantum
encryption algorithms like Kyber, addressing "store now, decrypt
later" threat models.

Since Home Manager relies on the naming scheme used by Systemd, the
current way to set a dependent service defined in the README fails as
Systemd doesn't support it.

Consider the following case: a service (`gitlab-runner.service` in this case) gets
a new secret that is installed via sops and will be reloaded on a switch. Right
now this would fail like this:

machine | updating GRUB 2 menu...
machine | stopping the following units: sops-install-secrets.service
machine | activating the configuration...
machine | setting up /etc...
[...]
machine | restarting sysinit-reactivation.target
machine | reloading the following units: dbus-broker.service, gitlab-runner.service
machine | restarting the following units: polkit.service
machine | starting the following units: sops-install-secrets.service

Here, the reload happens _before_ running `sops-install-secrets.service`
which means that the newly added secret doesn't exist yet and thus the
reload fails.

This change makes sure the service is started when running
`sysinit-reactivation.target`, i.e. before stc-ng reloads other
services. This is what sysusers already does, so the objective of
running after sysusers is still met.

Also, added an `After=userborn.service` to make sure it's also ordered
after userborn if necessary.

Thank you WilliButz for reminding me that `sysinit-reactivation.target`
exists and is most likely the culprit of that!