feat: add age plugin and fido2 hmac support

NovaViper · brianmcgee · NovaViper · commit 681758a9fbc6 · 2025-04-24T20:27:09.000-05:00
Co-authored-by: brianmcgee &lt;brian@41north.dev&gt;
diff --git a/flake.nix b/flake.nix
@@ -61,6 +61,10 @@
             ;
           # backward compatibility
           inherit (prev) ssh-to-pgp;
+
+          sops = prev.sops.withAgePlugins (p: [
+              p.age-plugin-fido2-hmac
+          ]);
         };
       nixosModules = {
         sops = ./modules/sops;
diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
@@ -240,6 +240,16 @@ in
         '';
       };
 
+      plugins = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [
+          pkgs.age-plugin-fido2-hmac
+        ];
+        description = ''
+          List of plugins to use for sops decryption.
+        '';
+      };
+
       generateKey = lib.mkOption {
         type = lib.types.bool;
         default = false;
@@ -339,6 +349,8 @@ in
         ))
       ];
 
+      PATH = lib.makeBinPath cfg.age.plugins;
+
       QUBES_GPG_DOMAIN = lib.mkIf cfg.gnupg.qubes-split-gpg.enable (
         lib.mkDefault cfg.gnupg.qubes-split-gpg.domain
       );
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
@@ -329,6 +329,16 @@ in
         '';
       };
 
+      plugins = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [
+          pkgs.age-plugin-fido2-hmac
+        ];
+        description = ''
+          List of plugins to use for sops decryption.
+        '';
+      };
+
       generateKey = lib.mkOption {
         type = lib.types.bool;
         default = false;
@@ -432,12 +442,15 @@ in
         lib.mkDefault "${pkgs.gnupg}/bin/gpg"
       );
 
+      sops.environment.PATH = lib.makeBinPath cfg.age.plugins;
+
       # When using sysusers we no longer are started as an activation script because those are started in initrd while sysusers is started later.
       systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && useSystemdActivation) {
         wantedBy = [ "sysinit.target" ];
         after = [ "systemd-sysusers.service" ];
-        environment = cfg.environment;
+        environment = cfg.environment // {PATH = lib.mkForce "${cfg.environment.PATH}:${lib.makeSearchPathOutput "bin" "sbin" cfg.age.plugins}";};
         unitConfig.DefaultDependencies = "no";
+        path = config.sops.age.plugins;
 
         serviceConfig = {
           Type = "oneshot";
diff --git a/modules/sops/secrets-for-users/default.nix b/modules/sops/secrets-for-users/default.nix
@@ -34,8 +34,9 @@ in
       {
         wantedBy = [ "systemd-sysusers.service" ];
         before = [ "systemd-sysusers.service" ];
-        environment = cfg.environment;
+        environment = cfg.environment // {PATH = lib.mkForce "${cfg.environment.PATH}:${lib.makeSearchPathOutput "bin" "sbin" cfg.age.plugins}";};
         unitConfig.DefaultDependencies = "no";
+        path = config.sops.age.plugins;
 
         serviceConfig = {
           Type = "oneshot";
