Ensure /run is created before mounting secrets

Otherwise /run/agenix might disappear if specialfs is toposorted
between agenixMountSecrets and agenixRoot.

Fixes: https://github.com/ryantm/agenix/issues/92
Jan Tojnar 2022-01-06 22:50:56 +01:00
parent c5558c88b2
commit 26edd03a5a
1 changed files with 20 additions and 15 deletions


@ -147,22 +147,27 @@ in
# Create a new directory full of secrets for symlinking (this helps # Create a new directory full of secrets for symlinking (this helps
# ensure removed secrets are actually removed, or at least become # ensure removed secrets are actually removed, or at least become
# invalid symlinks). # invalid symlinks).
system.activationScripts.agenixMountSecrets = '' system.activationScripts.agenixMountSecrets = {
_agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)" text = ''
(( ++_agenix_generation )) _agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)"
echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..." (( ++_agenix_generation ))
mkdir -p "${cfg.secretsMountPoint}" echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..."
chmod 0751 "${cfg.secretsMountPoint}" mkdir -p "${cfg.secretsMountPoint}"
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751 chmod 0751 "${cfg.secretsMountPoint}"
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation" grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation" mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" /run/agenix chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" /run/agenix
(( _agenix_generation > 1 )) && { (( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..." echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))" rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
} }
''; '';
deps = [
"specialfs"
];
};
# Secrets with root owner and group can be installed before users # Secrets with root owner and group can be installed before users
# exist. This allows user password files to be encrypted. # exist. This allows user password files to be encrypted.
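Review bot: The new `deps = [ "specialfs" ];` carries no explanation of why the ordering matters, and a reader who later trims the list will reintroduce the bug the commit fixes; a short comment above it such as `# specialfs sets up /run; run after it so the /run/agenix symlink is not removed once this script has created it` would pin the intent given in the commit message. On the mount line, the ramfs holding the decrypted secrets is created with `-o nodev,nosuid,mode=0751` but without `noexec`; nothing under the mount point should ever be executed, so `-o nodev,nosuid,noexec,mode=0751` is the tighter default with no functional cost for a secrets store. The `grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts` guard compares against the kernel's escaped form of the path, so a mount point containing characters that /proc/mounts octal-escapes (a space, for instance) would presumably never match and a fresh ramfs would be stacked on every activation; worth either documenting that constraint on `secretsMountPoint` or matching with `findmnt`. The enclosing attribute set (`in { ... }`) starts before this hunk.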