Merge pull request #93 from jtojnar/create-run

Ensure /run is created before mounting secrets
Ryan Mulligan 2022-01-07 09:24:25 -08:00 committed by GitHub
commit 08b9c96878
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -24,7 +24,7 @@ let
echo "decrypting '${secretType.file}' to '$_truePath'..." echo "decrypting '${secretType.file}' to '$_truePath'..."
TMP_FILE="$_truePath.tmp" TMP_FILE="$_truePath.tmp"
mkdir -p "$(dirname "$_truePath")" mkdir -p "$(dirname "$_truePath")"
mkdir -p "$(dirname "${secretType.path}")" [ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
( (
umask u=r,g=,o= umask u=r,g=,o=
LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}" LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}"
@ -147,7 +147,8 @@ in
# Create a new directory full of secrets for symlinking (this helps # Create a new directory full of secrets for symlinking (this helps
# ensure removed secrets are actually removed, or at least become # ensure removed secrets are actually removed, or at least become
# invalid symlinks). # invalid symlinks).
system.activationScripts.agenixMountSecrets = '' system.activationScripts.agenixMountSecrets = {
text = ''
_agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)" _agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)"
(( ++_agenix_generation )) (( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..." echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..."
@ -163,6 +164,10 @@ in
rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))" rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
} }
''; '';
deps = [
"specialfs"
];
};
# Secrets with root owner and group can be installed before users # Secrets with root owner and group can be installed before users
# exist. This allows user password files to be encrypted. # exist. This allows user password files to be encrypted.