Skip to content

feat: add age plugin support, take 2 #781

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
NovaViper wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: add age plugin support, take 2 #781

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions flake.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,10 @@
;
# backward compatibility
inherit (prev) ssh-to-pgp;

sops = prev.sops.withAgePlugins (p: [
p.age-plugin-fido2-hmac
]);
Comment on lines +63 to +66
Copy link

@coderabbitai coderabbitai bot Oct 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Remove the default age plugin from the overlay.

According to the maintainer's past review comments and the PR objectives, a default plugin should not be set in the first iteration. The age-plugin-fido2-hmac plugin requires user presence and may not work reliably in all contexts (boot-time, systemd services, etc.). Including it as a default:

  1. Creates an unnecessary dependency for users who don't need this specific plugin
  2. Goes against the maintainer's explicit request to not set a default
  3. May cause confusion about which plugin to use

Based on past review comments and PR objectives.

Apply this diff to remove the default plugin:

-
-          sops = prev.sops.withAgePlugins (p: [
-              p.age-plugin-fido2-hmac
-          ]);
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
sops = prev.sops.withAgePlugins (p: [
p.age-plugin-fido2-hmac
]);
🤖 Prompt for AI Agents 
In flake.nix around lines 64 to 67, the overlay currently sets a default age
plugin by adding age-plugin-fido2-hmac to sops.withAgePlugins; remove that
default so no plugin is preselected. Edit the sops.withAgePlugins invocation to
not include age-plugin-fido2-hmac (e.g., remove the entry or supply an empty
list), ensuring the overlay does not set any default age plugin.

};
nixosModules = {
sops = ./modules/sops;
Expand Down
10 changes: 10 additions & 0 deletions modules/home-manager/sops.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,14 @@ in
'';
};

plugins = lib.mkOption {
type = lib.types.listOf lib.types.package;
default = [ ];
description = ''
List of plugins to use for sops decryption.
'';
};

generateKey = lib.mkOption {
type = lib.types.bool;
default = false;
Expand Down Expand Up @@ -348,6 +356,8 @@ in
))
];

PATH = lib.makeBinPath cfg.age.plugins;

QUBES_GPG_DOMAIN = lib.mkIf cfg.gnupg.qubes-split-gpg.enable (
lib.mkDefault cfg.gnupg.qubes-split-gpg.domain
);
Expand Down
10 changes: 10 additions & 0 deletions modules/sops/default.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ let
# [1] https://github.com/getsops/sops/pull/1692
cfg = lib.recursiveUpdate cfg {
environment.HOME = "/var/empty";
environment.PATH = lib.makeBinPath cfg.age.plugins;
};
inherit lib;
};
Expand Down Expand Up @@ -342,6 +343,14 @@ in
'';
};

plugins = lib.mkOption {
type = lib.types.listOf lib.types.package;
default = [ ];
description = ''
List of plugins to use for sops decryption.
'';
};

generateKey = lib.mkOption {
type = lib.types.bool;
default = false;
Expand Down Expand Up @@ -453,6 +462,7 @@ in
before = [ "sysinit-reactivation.target" ];
environment = cfg.environment;
unitConfig.DefaultDependencies = "no";
path = cfg.age.plugins;

serviceConfig = {
Type = "oneshot";
Expand Down
2 changes: 2 additions & 0 deletions modules/sops/secrets-for-users/default.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ let
# See also the default NixOS module.
cfg = lib.recursiveUpdate cfg {
environment.HOME = "/var/empty";
environment.PATH = lib.makeBinPath cfg.age.plugins;
};
inherit lib;
};
Expand All @@ -36,6 +37,7 @@ in
before = [ "systemd-sysusers.service" ];
environment = cfg.environment;
unitConfig.DefaultDependencies = "no";
path = cfg.age.plugins;

serviceConfig = {
Type = "oneshot";
Expand Down
Loading