From 31b34ca8da38def580ed53aa5564a6faecfb07e0 Mon Sep 17 00:00:00 2001
From: Mark Sisson <5761292+marksisson@users.noreply.github.com>
Date: Thu, 5 Sep 2024 10:46:27 -0500
Subject: [PATCH] feat(home-manager/sops): add environment variable configuration
Added support for configuring environment variables before calling `sops-install-secrets`. Introduced a new `environment` option which allows specifying environment variables. Modified systemd service and launchd agent to use the specified environment variables.
---
 modules/home-manager/sops.nix | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
index d62ff58f..98be6450 100644
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@@ -96,10 +96,7 @@ let
 escapedAgeKeyFile = lib.escapeShellArg cfg.age.keyFile;
- script = toString (pkgs.writeShellScript "sops-nix-user" ((lib.optionalString (cfg.gnupg.home != null) ''
- export SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg
- '')
- + (lib.optionalString cfg.age.generateKey ''
+ script = toString (pkgs.writeShellScript "sops-nix-user" ((lib.optionalString cfg.age.generateKey ''
 if [[ ! -f ${escapedAgeKeyFile} ]]; then
 echo generating machine-specific age key...
 ${pkgs.coreutils}/bin/mkdir -p $(${pkgs.coreutils}/bin/dirname ${escapedAgeKeyFile})
@@ -174,6 +171,18 @@ in {
 description = "What to log";
 };
+ environment = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.either lib.types.str lib.types.path);
+ default = {};
+ description = ''
+ Environment variables to set before calling sops-install-secrets.
+
+ The values are placed in single quotes and not escaped any further to
+ allow usage of command substitutions for more flexibility. To properly quote
+ strings with quotes use lib.escapeShellArg.
+ '';
+ };
+
 age = {
 keyFile = lib.mkOption {
 type = lib.types.nullOr pathNotInStore;
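Review bot: Removing the `export SOPS_GPG_EXEC=…` line from the `sops-nix-user` script means the gpg path now only reaches sops-install-secrets through the service manager's environment, so invoking the store script directly (for debugging, or from any launcher other than the generated unit/agent) no longer sets it. If stand-alone use of the script is meant to keep working, keep a fallback in the script under the same condition, e.g. `export SOPS_GPG_EXEC="''${SOPS_GPG_EXEC:-${pkgs.gnupg}/bin/gpg}"`, so an explicit value from the new option still wins. The `script` definition continues past the end of this hunk.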
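Review bot: The description of the new `environment` option promises shell semantics ("placed in single quotes", "command substitutions", "use lib.escapeShellArg") that neither consumer provides: the systemd `Environment=` setting added later in this patch is parsed by systemd, which runs no shell and does not expand `$(...)` (only `%` specifiers), and the launchd `EnvironmentVariables` dictionary receives the raw attribute set with no quoting at all, so `lib.escapeShellArg` would put literal quote characters into the variable. I would replace the second paragraph with something like: "Values are handed to the service manager unchanged (systemd `Environment=` on Linux, launchd `EnvironmentVariables` on Darwin); no shell is involved, so command substitution does not happen and no shell quoting is needed. On systemd a literal `%` must be written `%%`." It is also worth stating that the values end up in the generated unit file / agent plist, which home-manager (as far as I can tell) writes into the Nix store, so the option should carry key file paths rather than key material itself.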
@@ -243,6 +252,8 @@ in {
 }]) cfg.secrets)
 );
+ sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != []) (lib.mkDefault "${pkgs.gnupg}/bin/gpg");
+
 systemd.user.services.sops-nix = lib.mkIf pkgs.stdenv.hostPlatform.isLinux {
 Unit = {
 Description = "sops-nix activation";
@@ -251,6 +262,7 @@ in {
 Type = "oneshot";
 ExecStart = script;
 };
+ Environment = builtins.concatStringsSep " " (lib.mapAttrsToList (name: value: "'${name}=${value}'") cfg.environment);
 Install.WantedBy = if cfg.gnupg.home != null then [ "graphical-session-pre.target" ] else [ "default.target" ];
 };
@@ -259,6 +271,7 @@ in {
 enable = true;
 config = {
 Program = script;
+ EnvironmentVariables = cfg.environment;
 KeepAlive = false;
 RunAtLoad = true;
 StandardOutPath = "${config.home.homeDirectory}/Library/Logs/SopsNix/stdout";
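Review bot: In the systemd hunk, `"'${name}=${value}'"` string-interpolates `value`, and because the option type admits `lib.types.path`, a path-typed value (e.g. a key file given as a path literal) is copied into the world-readable Nix store and replaced by the store path — the opposite of what `pathNotInStore` guards against for `age.keyFile` elsewhere in this module. Use `toString value` so the path string is passed through without importing the file, and consider emitting one `Environment=` entry per variable instead of joining everything into a single quoted line, which depends on systemd's unit-file tokenizer coping with any `'` or whitespace in a value: `Environment = lib.mapAttrsToList (name: value: "'${name}=${toString value}'") cfg.environment;` — assuming home-manager's unit option type accepts a list here, as it does for other repeated keys. Note also that systemd expands `%` specifiers in `Environment=`, so a literal `%` in a value needs to be written `%%`; that caveat belongs in the option description. The same path-import concern applies to the launchd hunk below, which hands `cfg.environment` to the plist unchanged.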
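Review bot: `EnvironmentVariables = cfg.environment;` passes the attribute set through verbatim, which is inconsistent with the quoting behaviour the option description claims and with the single-quote wrapping applied in the systemd branch: a user following the description and wrapping a value with `lib.escapeShellArg` gets literal quote characters in the variable on Darwin but not on Linux. If the launchd option type is `attrsOf str` (I cannot see it from here), a path-typed value will also fail the type check rather than being stringified. Normalising the values once, `EnvironmentVariables = lib.mapAttrs (_: toString) cfg.environment;`, gives both platforms the same plain-string semantics without importing path values into the store.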