sops: Add age support.

fishinthecalculator · May 13, 2024 · 9459e12 · 9459e12
1 parent 934d981
commit 9459e12
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 5 deletions.
diff --git a/modules/sops/activation.scm b/modules/sops/activation.scm
@@ -10,6 +10,7 @@
   #:export (activate-secrets))
 
 (define* (activate-secrets config-file
+                           age-key-file
                            gnupg-home
                            sops-secrets
                            sops-package
@@ -44,6 +45,7 @@
                        (not (member file `("." ".." ,@exclude))))
                      string<?))
 
+          (setenv "SOPS_AGE_KEY_FILE" #$age-key-file)
           (setenv "GNUPGHOME" #$gnupg-home)
           (setenv "SOPS_GPG_EXEC" #$gpg)
 

diff --git a/modules/sops/home/services/sops.scm b/modules/sops/home/services/sops.scm
@@ -9,6 +9,7 @@
   #:use-module (guix packages)
   #:use-module (gnu packages gnupg)
   #:use-module (gnu packages golang)
+  #:use-module (gnu packages golang-crypto)
   #:use-module (sops packages sops)
   #:use-module (sops activation)
   #:use-module (sops secrets)
@@ -19,15 +20,24 @@
             home-sops-service-configuration
             home-sops-service-configuration?
             home-sops-service-configuration-fields
+            home-sops-service-configuration-age
+            home-sops-service-configuration-gnupg
             home-sops-service-configuration-sops
             home-sops-service-configuration-config
             home-sops-service-configuration-gnupg-home
+            home-sops-service-configuration-age-key-file
             home-sops-service-configuration-secrets))
 
 (define list-of-sops-secrets?
   (list-of sops-secret?))
 
 (define-configuration/no-serialization home-sops-service-configuration
+  (age
+   (package age)
+   "The @code{age} package used to perform decryption.")
+  (gnupg
+   (package gnupg)
+   "The @code{GnuPG} package used to perform decryption.")
   (sops
    (package sops)
    "The @code{SOPS} package used to perform decryption.")
@@ -37,14 +47,21 @@
   (gnupg-home
    (string "~/.gnupg")
    "The homedir of GnuPG, i.e. where keys used to decrypt SOPS secrets will be looked for.")
+  (age-key-file
+   (string "~/.config/sops/age/keys.txt")
+   "The file containing the corresponding @code{age} identities where SOPS will look for
+when decrypting a secret.")
   (secrets
    (list-of-sops-secrets '())
    "The @code{sops-secret} records managed by the @code{home-sops-secrets-service-type}."))
 
 (define (home-sops-secrets-shepherd-service config)
   (when config
     (let* ((config-file
-            (home-sops-service-configuration-config config))(gnupg-home
+            (home-sops-service-configuration-config config))
+           (age-key-file
+            (home-sops-service-configuration-age-key-file config))
+           (gnupg-home
             (home-sops-service-configuration-gnupg-home config))
            (secrets (home-sops-service-configuration-secrets config))
            (sops (home-sops-service-configuration-sops config)))
@@ -59,6 +76,7 @@
                              (list
                               #$(program-file "home-sops-secrets-entrypoint"
                                               (activate-secrets config-file
+                                                                age-key-file
                                                                 gnupg-home
                                                                 secrets
                                                                 sops)))))
@@ -77,7 +95,8 @@
   (service-type (name 'home-sops-secrets)
                 (extensions (list (service-extension home-profile-service-type
                                                      (lambda (config)
-                                                       (list age gnupg
+                                                       (list (home-sops-service-configuration-age config)
+                                                             (home-sops-service-configuration-gnupg config)
                                                              (home-sops-service-configuration-sops config))))
                                   (service-extension home-activation-service-type
                                                      (lambda _
@@ -87,7 +106,6 @@
                                                              (mkdir-p secrets-directory)))))
                                   (service-extension home-shepherd-service-type
                                                      home-sops-secrets-shepherd-service)))
-                (default-value #f)
                 (compose concatenate)
                 (extend secrets->home-sops-service-configuration)
                 (description

diff --git a/modules/sops/services/sops.scm b/modules/sops/services/sops.scm
@@ -22,17 +22,26 @@
             sops-service-configuration
             sops-service-configuration?
             sops-service-configuration-fields
+            sops-service-configuration-age
+            sops-service-configuration-gnupg
             sops-service-configuration-sops
             sops-service-configuration-config
             sops-service-configuration-generate-key?
             sops-service-configuration-gnupg-home
+            sops-service-configuration-age-key-file
             sops-service-configuration-secrets-directory
             sops-service-configuration-secrets))
 
 (define list-of-sops-secrets?
   (list-of sops-secret?))
 
 (define-configuration/no-serialization sops-service-configuration
+  (age
+   (package age)
+   "The @code{age} package used to perform decryption.")
+  (gnupg
+   (package gnupg)
+   "The @code{GnuPG} package used to perform decryption.")
   (sops
    (package sops)
    "The @code{SOPS} package used to perform decryption.")
@@ -48,6 +57,10 @@ more than welcome to provide your own key in the keyring.")
   (gnupg-home
    (string "/root/.gnupg")
    "The homedir of GnuPG, i.e. where keys used to decrypt SOPS secrets will be looked for.")
+  (age-key-file
+   (string "/root/.config/sops/age/keys.txt")
+   "The file containing the corresponding @code{age} identities where SOPS will look for
+when decrypting a secret.")
   (secrets-directory
    (string "/run/secrets")
    "The path on the filesystem where the secrets will be decrypted.")
@@ -61,6 +74,8 @@ more than welcome to provide your own key in the keyring.")
             (sops-service-configuration-config config))
            (generate-key?
             (sops-service-configuration-generate-key? config))
+           (age-key-file
+            (sops-service-configuration-age-key-file config))
            (gnupg-home
             (sops-service-configuration-gnupg-home config))
            (secrets (sops-service-configuration-secrets config))
@@ -78,6 +93,7 @@ more than welcome to provide your own key in the keyring.")
                              (list
                               #$(program-file "sops-secrets-entrypoint"
                                               (activate-secrets config-file
+                                                                age-key-file
                                                                 gnupg-home
                                                                 secrets
                                                                 sops
@@ -107,7 +123,8 @@ more than welcome to provide your own key in the keyring.")
   (service-type (name 'sops-secrets)
                 (extensions (list (service-extension profile-service-type
                                                      (lambda (config)
-                                                       (list age gnupg
+                                                       (list (sops-service-configuration-age config)
+                                                             (sops-service-configuration-gnupg config)
                                                              (sops-service-configuration-sops config))))
                                   (service-extension file-system-service-type
                                                      %sops-secrets-file-system)
@@ -120,7 +137,6 @@ more than welcome to provide your own key in the keyring.")
                                                                    (mkdir-p secrets-directory)))))
                                   (service-extension shepherd-root-service-type
                                                      sops-secrets-shepherd-service)))
-                (default-value #f)
                 (compose concatenate)
                 (extend secrets->sops-service-configuration)
                 (description