feat: add age plugin and fido2 hmac support

NovaViper · brianmcgee · NovaViper · commit 33eea0ad95bf · 2025-09-19T09:28:50.000-05:00
Co-authored-by: brianmcgee &lt;brian@41north.dev&gt;
diff --git a/flake.nix b/flake.nix
@@ -61,6 +61,10 @@
             ;
           # backward compatibility
           inherit (prev) ssh-to-pgp;
+
+          sops = prev.sops.withAgePlugins (p: [
+              p.age-plugin-fido2-hmac
+          ]);
         };
       nixosModules = {
         sops = ./modules/sops;
diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
@@ -249,6 +249,14 @@ in
         '';
       };
 
+      plugins = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [ ];
+        description = ''
+          List of plugins to use for sops decryption.
+        '';
+      };
+
       generateKey = lib.mkOption {
         type = lib.types.bool;
         default = false;
@@ -348,6 +356,8 @@ in
         ))
       ];
 
+      PATH = lib.makeBinPath cfg.age.plugins;
+
       QUBES_GPG_DOMAIN = lib.mkIf cfg.gnupg.qubes-split-gpg.enable (
         lib.mkDefault cfg.gnupg.qubes-split-gpg.domain
       );
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
@@ -43,6 +43,7 @@ let
     # [1] https://github.com/getsops/sops/pull/1692
     cfg = lib.recursiveUpdate cfg {
       environment.HOME = "/var/empty";
+      environment.PATH = lib.makeBinPath cfg.age.plugins;
     };
     inherit lib;
   };
@@ -329,6 +330,14 @@ in
         '';
       };
 
+      plugins = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [ ];
+        description = ''
+          List of plugins to use for sops decryption.
+        '';
+      };
+
       generateKey = lib.mkOption {
         type = lib.types.bool;
         default = false;
@@ -438,6 +447,7 @@ in
         after = [ "systemd-sysusers.service" ];
         environment = cfg.environment;
         unitConfig.DefaultDependencies = "no";
+        path = cfg.age.plugins;
 
         serviceConfig = {
           Type = "oneshot";
diff --git a/modules/sops/secrets-for-users/default.nix b/modules/sops/secrets-for-users/default.nix
@@ -17,6 +17,7 @@ let
     # See also the default NixOS module.
     cfg = lib.recursiveUpdate cfg {
       environment.HOME = "/var/empty";
+      environment.PATH = lib.makeBinPath cfg.age.plugins;
     };
     inherit lib;
   };
@@ -36,6 +37,7 @@ in
         before = [ "systemd-sysusers.service" ];
         environment = cfg.environment;
         unitConfig.DefaultDependencies = "no";
+        path = cfg.age.plugins;
 
         serviceConfig = {
           Type = "oneshot";
