mynix/agenix
1
0
Fork 0
mirror of https://github.com/ryantm/agenix.git synced 2024-11-22 17:50:48 +03:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #93 from jtojnar/create-run

Browse source 
Ensure /run is created before mounting secrets
This commit is contained in:
Ryan Mulligan 2022-01-07 09:24:25 -08:00 committed by GitHub
commit 08b9c96878
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
modules/age.nix
View file

@ -24,7 +24,7 @@ let
echo "decrypting '${secretType.file}' to '$_truePath'..." echo "decrypting '${secretType.file}' to '$_truePath'..."
TMP_FILE="$_truePath.tmp" TMP_FILE="$_truePath.tmp"
mkdir -p "$(dirname "$_truePath")" mkdir -p "$(dirname "$_truePath")"
mkdir -p "$(dirname "${secretType.path}")" [ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
( (
umask u=r,g=,o= umask u=r,g=,o=
LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}" LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}"
@ -147,22 +147,27 @@ in
# Create a new directory full of secrets for symlinking (this helps # Create a new directory full of secrets for symlinking (this helps
# ensure removed secrets are actually removed, or at least become # ensure removed secrets are actually removed, or at least become
# invalid symlinks). # invalid symlinks).
system.activationScripts.agenixMountSecrets = '' system.activationScripts.agenixMountSecrets = {
_agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)" text = ''
(( ++_agenix_generation )) _agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)"
echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..." (( ++_agenix_generation ))
mkdir -p "${cfg.secretsMountPoint}" echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..."
chmod 0751 "${cfg.secretsMountPoint}" mkdir -p "${cfg.secretsMountPoint}"
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751 chmod 0751 "${cfg.secretsMountPoint}"
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation" grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation" mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" /run/agenix chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" /run/agenix
(( _agenix_generation > 1 )) && { (( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..." echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))" rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
} }
''; '';
deps = [
"specialfs"
];
};
# Secrets with root owner and group can be installed before users # Secrets with root owner and group can be installed before users
# exist. This allows user password files to be encrypted. # exist. This allows user password files to be encrypted.