add native support for ssh keys for age

musjj · musjj · commit 93789fad9c5f · 2025-04-22T06:22:02.000+07:00
diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
@@ -98,6 +98,7 @@ let
         gnupgHome = cfg.gnupg.home;
         sshKeyPaths = cfg.gnupg.sshKeyPaths;
         ageKeyFile = cfg.age.keyFile;
+        ageSshKeyFile = cfg.age.sshKeyFile;
         ageSshKeyPaths = cfg.age.sshKeyPaths;
         placeholderBySecretName = cfg.placeholder;
         userMode = true;
@@ -250,11 +251,23 @@ in
         '';
       };
 
+      sshKeyFile = lib.mkOption {
+        type = lib.types.nullOr pathNotInStore;
+        default = null;
+        example = "/home/someuser/.ssh/id_ed25519";
+        description = ''
+          Path to ssh key file that will be used by age for sops decryption.
+        '';
+      };
+
       sshKeyPaths = lib.mkOption {
         type = lib.types.listOf lib.types.path;
         default = [ ];
         description = ''
-          Paths to ssh keys added as age keys during sops description.
+          Paths to ssh keys added as age keys during sops description. The ssh
+          keys will be converted into age keys manually using ssh-to-age.
+
+          This option is deprecated and will be removed in the future. Use sops.age.sshKeyFile instead.
         '';
       };
     };
@@ -301,6 +314,7 @@ in
           || cfg.gnupg.sshKeyPaths != [ ]
           || cfg.gnupg.qubes-split-gpg.enable == true
           || cfg.age.keyFile != null
+          || cfg.age.sshKeyFile != null
           || cfg.age.sshKeyPaths != [ ];
         message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home or sops.gnupg.qubes-split-gpg.enable";
       }
diff --git a/modules/nix-darwin/default.nix b/modules/nix-darwin/default.nix
@@ -300,12 +300,24 @@ in
         '';
       };
 
+      sshKeyFile = lib.mkOption {
+        type = lib.types.nullOr pathNotInStore;
+        default = null;
+        example = "/etc/ssh/ssh_host_ed25519_key";
+        description = ''
+          Path to ssh key file that will be used by age for sops decryption.
+        '';
+      };
+
       sshKeyPaths = lib.mkOption {
         type = lib.types.listOf lib.types.path;
         default = defaultImportKeys "ed25519";
         defaultText = lib.literalMD "The ed25519 keys from {option}`config.services.openssh.hostKeys`";
         description = ''
-          Paths to ssh keys added as age keys during sops description.
+          Paths to ssh keys added as age keys during sops description. The ssh
+          keys will be converted into age keys manually using ssh-to-age.
+
+          This option is deprecated and will be removed in the future. Use sops.age.sshKeyFile instead.
         '';
       };
     };
@@ -345,6 +357,7 @@ in
               cfg.gnupg.home != null
               || cfg.gnupg.sshKeyPaths != [ ]
               || cfg.age.keyFile != null
+              || cfg.age.sshKeyFile != null
               || cfg.age.sshKeyPaths != [ ];
             message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home";
           }
diff --git a/modules/nix-darwin/manifest-for.nix b/modules/nix-darwin/manifest-for.nix
@@ -15,6 +15,7 @@ writeTextFile {
       gnupgHome = cfg.gnupg.home;
       sshKeyPaths = cfg.gnupg.sshKeyPaths;
       ageKeyFile = cfg.age.keyFile;
+      ageSshKeyFile = cfg.age.sshKeyFile;
       ageSshKeyPaths = cfg.age.sshKeyPaths;
       useTmpfs = false;
       placeholderBySecretName = cfg.placeholder;
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
@@ -339,12 +339,24 @@ in
         '';
       };
 
+      sshKeyFile = lib.mkOption {
+        type = lib.types.nullOr pathNotInStore;
+        default = null;
+        example = "/etc/ssh/ssh_host_ed25519_key";
+        description = ''
+          Path to ssh key file that will be used by age for sops decryption.
+        '';
+      };
+
       sshKeyPaths = lib.mkOption {
         type = lib.types.listOf lib.types.path;
         default = defaultImportKeys "ed25519";
         defaultText = lib.literalMD "The ed25519 keys from {option}`config.services.openssh.hostKeys`";
         description = ''
-          Paths to ssh keys added as age keys during sops description.
+          Paths to ssh keys added as age keys during sops description. The ssh
+          keys will be converted into age keys manually using ssh-to-age.
+
+          This option is deprecated and will be removed in the future. Use sops.age.sshKeyFile instead.
         '';
       };
     };
@@ -405,6 +417,7 @@ in
               cfg.gnupg.home != null
               || cfg.gnupg.sshKeyPaths != [ ]
               || cfg.age.keyFile != null
+              || cfg.age.sshKeyFile != null
               || cfg.age.sshKeyPaths != [ ];
             message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home";
           }
diff --git a/modules/sops/manifest-for.nix b/modules/sops/manifest-for.nix
@@ -40,6 +40,7 @@ else
         gnupgHome = cfg.gnupg.home;
         sshKeyPaths = cfg.gnupg.sshKeyPaths;
         ageKeyFile = cfg.age.keyFile;
+        ageSshKeyFile = cfg.age.sshKeyFile;
         ageSshKeyPaths = cfg.age.sshKeyPaths;
         useTmpfs = cfg.useTmpfs;
         placeholderBySecretName = cfg.placeholder;
diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go
@@ -79,6 +79,7 @@ type manifest struct {
 	SSHKeyPaths             []string          `json:"sshKeyPaths"`
 	GnupgHome               string            `json:"gnupgHome"`
 	AgeKeyFile              string            `json:"ageKeyFile"`
+	AgeSSHKeyFile           string            `json:"ageSshKeyFile"`
 	AgeSSHKeyPaths          []string          `json:"ageSshKeyPaths"`
 	UseTmpfs                bool              `json:"useTmpfs"`
 	UserMode                bool              `json:"userMode"`
@@ -1325,7 +1326,7 @@ func installSecrets(args []string) error {
 	}
 
 	// Import age keys
-	if len(manifest.AgeSSHKeyPaths) != 0 || manifest.AgeKeyFile != "" {
+	if (len(manifest.AgeSSHKeyPaths) != 0 || manifest.AgeKeyFile != "") && manifest.AgeSSHKeyFile == "" {
 		keyfile := filepath.Join(manifest.SecretsMountPoint, "age-keys.txt")
 		os.Setenv("SOPS_AGE_KEY_FILE", keyfile)
 		// Create the keyfile
@@ -1360,6 +1361,10 @@ func installSecrets(args []string) error {
 		}
 	}
 
+	if manifest.AgeSSHKeyFile != "" {
+		os.Setenv("SOPS_AGE_SSH_PRIVATE_KEY_FILE", manifest.AgeSSHKeyFile)
+	}
+
 	if err := decryptSecrets(manifest.Secrets); err != nil {
 		return err
 	}

Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,7 @@ type manifest struct {`
`79`	`79`	SSHKeyPaths []string `json:"sshKeyPaths"`
`80`	`80`	GnupgHome string `json:"gnupgHome"`
`81`	`81`	AgeKeyFile string `json:"ageKeyFile"`
	`82`	+ AgeSSHKeyFile string `json:"ageSshKeyFile"`
`82`	`83`	AgeSSHKeyPaths []string `json:"ageSshKeyPaths"`
`83`	`84`	UseTmpfs bool `json:"useTmpfs"`
`84`	`85`	UserMode bool `json:"userMode"`
`@@ -1325,7 +1326,7 @@ func installSecrets(args []string) error {`
`1325`	`1326`	`}`
`1326`	`1327`
`1327`	`1328`	`// Import age keys`
`1328`		`- if len(manifest.AgeSSHKeyPaths) != 0 \|\| manifest.AgeKeyFile != "" {`
	`1329`	`+ if (len(manifest.AgeSSHKeyPaths) != 0 \|\| manifest.AgeKeyFile != "") && manifest.AgeSSHKeyFile == "" {`
`1329`	`1330`	`keyfile := filepath.Join(manifest.SecretsMountPoint, "age-keys.txt")`
`1330`	`1331`	`os.Setenv("SOPS_AGE_KEY_FILE", keyfile)`
`1331`	`1332`	`// Create the keyfile`
`@@ -1360,6 +1361,10 @@ func installSecrets(args []string) error {`
`1360`	`1361`	`}`
`1361`	`1362`	`}`
`1362`	`1363`
	`1364`	`+ if manifest.AgeSSHKeyFile != "" {`
	`1365`	`+ os.Setenv("SOPS_AGE_SSH_PRIVATE_KEY_FILE", manifest.AgeSSHKeyFile)`
	`1366`	`+ }`
	`1367`	`+`
`1363`	`1368`	`if err := decryptSecrets(manifest.Secrets); err != nil {`
`1364`	`1369`	`return err`
`1365`	`1370`	`}`