mynix
/
agenix
mirror of https://github.com/ryantm/agenix.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: workaround for #54

This commit is contained in:
Ryan Mulligan 2021-09-10 11:20:54 -07:00
parent e6752e7b85
commit 375a33cd97
1 changed files with 24 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
modules/age.nix
View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, options, lib, pkgs, ... }:
with lib;
@ -103,18 +103,29 @@ in
'';
};
};
config = mkIf (cfg.secrets != { }) {
assertions = [{
assertion = cfg.sshKeyPaths != [ ];
message = "age.sshKeyPaths must be set.";
}];
config = mkIf (cfg.secrets != { }) (mkMerge [
# Secrets with root owner and group can be installed before users
# exist. This allows user password files to be encrypted.
system.activationScripts.agenixRoot = stringAfter [ "specialfs" ] installRootOwnedSecrets;
system.activationScripts.users.deps = [ "agenixRoot" ];
{
assertions = [{
assertion = cfg.sshKeyPaths != [ ];
message = "age.sshKeyPaths must be set.";
}];
# Other secrets need to wait for users and groups to exist.
system.activationScripts.agenix = stringAfter [ "users" "groups" "specialfs" ] installNonRootSecrets;
};
# Secrets with root owner and group can be installed before users
# exist. This allows user password files to be encrypted.
system.activationScripts.agenixRoot = stringAfter [ "specialfs" ] installRootOwnedSecrets;
system.activationScripts.users.deps = [ "agenixRoot" ];
# Other secrets need to wait for users and groups to exist.
system.activationScripts.agenix = stringAfter [ "users" "groups" "specialfs" ] installNonRootSecrets;
}
# workaround for #54
(optionalAttrs (builtins.hasAttr "dryActivationScript" options.system) {
system.activationScripts.users.supportsDryActivation = mkForce false;
system.activationScripts.groups.supportsDryActivation = mkForce false;
})
]);
}