From 45681626296b4f6efa52cfda8db5f38bcf94a48b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janne=20He=C3=9F?=
Date: Sat, 28 Aug 2021 12:37:10 +0200
Subject: [PATCH] Import age ssh keys by default

---
 modules/sops/default.nix | 13 ++++---------
 pkgs/sops-install-secrets/nixos-test.nix | 6 +++++-
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index 7e4f36f..b7e1e2d 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -140,7 +140,7 @@ in {
 example = "/var/lib/sops-nix/key.txt";
 description = ''
 Path to age key file used for sops decryption.
- Setting this to a non-null value causes age to be used instead of gnupg.
+ Setting this to a non-null value causes the ssh keys to be ignored.
 '';
 };
@@ -156,12 +156,10 @@ in {
 sshKeyPaths = mkOption {
 type = types.listOf types.path;
- default = []; # If we set this like the gnupg option, we would use ed25519 by default
+ default = if config.services.openssh.enable then map (e: e.path) (lib.filter (e: e.type == "ed25519") config.services.openssh.hostKeys) else [];
 description = ''
- Path to ssh keys added as age keys during sops description.
- This option must be explicitly unset if config.sops.age.keyFile is set.
-
- Setting this to a non-empty list causes age to be used instead of gnupg.
+ Paths to ssh keys added as age keys during sops description.
+ This setting is ignored when the keyFile is set to a non-null value.
 '';
 };
 };
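Review bot: The new `default` for `sops.age.sshKeyPaths` is non-empty on every host where `services.openssh.enable` is true, and that silently changes mode selection for existing gnupg users: the remaining gnupg assertion in the next hunk (`@@ -196,9 +194,6 @@`) is guarded by `cfg.age.sshKeyPaths == []`, so a configuration that sets only `sops.gnupg.home` no longer fails evaluation and presumably decrypts with the host ssh key instead, which would only show up as a failure at activation. The option description should state the escape hatch, e.g. `To keep using gnupg on a host that runs openssh, set this option to [] explicitly.` The computed default should also carry a `defaultText` so the rendered manual does not need to evaluate `config.services.openssh`, and if any `hostKeys` entry can lack a `type` attribute the filter `e.type == "ed25519"` aborts evaluation rather than skipping it, which is worth confirming against the openssh module. The added description line still reads `during sops description`; the intended word is `decryption`.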
@@ -196,9 +194,6 @@ in {
 assertions = [{
 assertion = (cfg.age.keyFile == null && cfg.age.sshKeyPaths == []) -> (cfg.gnupg.home == null) != (cfg.gnupg.sshKeyPaths == []);
 message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set for gnupg mode";
- } {
- assertion = (cfg.age.keyFile != null || cfg.age.sshKeyPaths != []) -> (cfg.age.sshKeyPaths != []) != (cfg.age.keyFile != null);
- message = "sops.age.keyFile is mutually exclusive with sops.age.sshKeyPaths";
 }] ++ optionals cfg.validateSopsFiles (
 concatLists (mapAttrsToList (name: secret: [{
 assertion = builtins.pathExists secret.sopsFile;
diff --git a/pkgs/sops-install-secrets/nixos-test.nix b/pkgs/sops-install-secrets/nixos-test.nix
index 7471f1f..5ad21e4 100644
--- a/pkgs/sops-install-secrets/nixos-test.nix
+++ b/pkgs/sops-install-secrets/nixos-test.nix
@@ -47,8 +47,12 @@
 name = "sops-age-ssh-keys";
 machine = {
 imports = [ ../../modules/sops ];
+ services.openssh.enable = true;
+ services.openssh.hostKeys = [{
+ type = "ed25519";
+ path = ./test-assets/ssh-ed25519-key;
+ }];
 sops = {
- age.sshKeyPaths = [ ./test-assets/ssh-ed25519-key ];
 defaultSopsFile = ./test-assets/secrets.yaml;
 secrets.test_key = {};
 };
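Review bot: Dropping `age.sshKeyPaths = [ ./test-assets/ssh-ed25519-key ];` from the `sops-age-ssh-keys` machine leaves no test that sets `sops.age.sshKeyPaths` explicitly; the case now only exercises the openssh-derived default. Keeping one machine with the explicit path would cover the override that the removed mutual-exclusion assertion used to guard, and the interaction with `keyFile` that the new description says is "ignored". Because `services.openssh.hostKeys` here holds a single ed25519 entry, the `e.type == "ed25519"` filter in the new default is never exercised against a mixed list; adding a second entry with `type = "rsa";` would confirm it is skipped. The enclosing test attribute set continues outside the hunk.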