{nixos,home-manager}: shell escape age key paths

modules/home-manager/sops.nix

@@ -94,18 +94,20 @@ let
 
   manifest = manifestFor "" cfg.secrets;
 
+  escapedAgeKeyFile = lib.escapeShellArg cfg.age.keyFile;
+
   script = toString (pkgs.writeShellScript "sops-nix-user" ((lib.optionalString (cfg.gnupg.home != null) ''
     export SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg
   '')
     + (lib.optionalString cfg.age.generateKey ''
-    if [[ ! -f '${cfg.age.keyFile}' ]]; then
+    if [[ ! -f ${escapedAgeKeyFile} ]]; then
       echo generating machine-specific age key...
-      ${pkgs.coreutils}/bin/mkdir -p $(${pkgs.coreutils}/bin/dirname ${cfg.age.keyFile})
+      ${pkgs.coreutils}/bin/mkdir -p $(${pkgs.coreutils}/bin/dirname ${escapedAgeKeyFile})
       # age-keygen sets 0600 by default, no need to chmod.
-      ${pkgs.age}/bin/age-keygen -o ${cfg.age.keyFile}
+      ${pkgs.age}/bin/age-keygen -o ${escapedAgeKeyFile}
     fi
   '' + ''
-    ${sops-install-secrets}/bin/sops-install-secrets -ignore-passwd '${manifest}'
+    ${sops-install-secrets}/bin/sops-install-secrets -ignore-passwd ${manifest}
   '')));
 in {
   options.sops = {

modules/sops/default.nix

@@ -344,12 +344,14 @@ in {
           supportsDryActivation = true;
         });
 
-        generate-age-key = lib.mkIf (cfg.age.generateKey) (lib.stringAfter [] ''
+        generate-age-key = let
-          if [[ ! -f '${cfg.age.keyFile}' ]]; then
+          escapedKeyFile = lib.escapeShellArg cfg.age.keyFile;
+        in lib.mkIf cfg.age.generateKey (lib.stringAfter [] ''
+          if [[ ! -f ${escapedKeyFile} ]]; then
             echo generating machine-specific age key...
-            mkdir -p $(dirname ${cfg.age.keyFile})
+            mkdir -p $(dirname ${escapedKeyFile})
             # age-keygen sets 0600 by default, no need to chmod.
-            ${pkgs.age}/bin/age-keygen -o ${cfg.age.keyFile}
+            ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile}
           fi
         '');
       };