From 375a33cd97ada536fd1d24b679ccfd61e2db1af7 Mon Sep 17 00:00:00 2001
From: Ryan Mulligan
Date: Fri, 10 Sep 2021 11:20:54 -0700
Subject: [PATCH] fix: workaround for #54
---
 modules/age.nix | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/modules/age.nix b/modules/age.nix
index 308753d..4442c42 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:
 
 with lib;
 
@@ -103,18 +103,29 @@ in
 '';
 };
 };
- config = mkIf (cfg.secrets != { }) {
- assertions = [{
- assertion = cfg.sshKeyPaths != [ ];
- message = "age.sshKeyPaths must be set.";
- }];
+ config = mkIf (cfg.secrets != { }) (mkMerge [
 
- # Secrets with root owner and group can be installed before users
- # exist. This allows user password files to be encrypted.
- system.activationScripts.agenixRoot = stringAfter [ "specialfs" ] installRootOwnedSecrets;
- system.activationScripts.users.deps = [ "agenixRoot" ];
+ {
+ assertions = [{
+ assertion = cfg.sshKeyPaths != [ ];
+ message = "age.sshKeyPaths must be set.";
+ }];
 
- # Other secrets need to wait for users and groups to exist.
- system.activationScripts.agenix = stringAfter [ "users" "groups" "specialfs" ] installNonRootSecrets;
- };
+ # Secrets with root owner and group can be installed before users
+ # exist. This allows user password files to be encrypted.
+ system.activationScripts.agenixRoot = stringAfter [ "specialfs" ] installRootOwnedSecrets;
+ system.activationScripts.users.deps = [ "agenixRoot" ];
+
+ # Other secrets need to wait for users and groups to exist.
+ system.activationScripts.agenix = stringAfter [ "users" "groups" "specialfs" ] installNonRootSecrets;
+
+ }
+
+ # workaround for #54
+ (optionalAttrs (builtins.hasAttr "dryActivationScript" options.system) {
+ system.activationScripts.users.supportsDryActivation = mkForce false;
+ system.activationScripts.groups.supportsDryActivation = mkForce false;
+ })
+
+ ]);
 }
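Review bot: The comment `# workaround for #54` on the new `optionalAttrs` block in the second hunk does not record what the override costs. `mkForce false` switches off `supportsDryActivation` for the `users` and `groups` activation scripts on every host that defines an age secret, and it wins over any value another module sets, so a dry activation there will presumably no longer preview account and group changes. I would say so in place, for example `# users depends on agenixRoot, which does not support dry activation; force users/groups out of it until #54 is fixed. Side effect: dry-activate no longer previews user/group changes.`, after confirming that this is the actual cause described in #54. The hunk only adds `deps` to `users`, so the comment should also say why `groups` needs the same override. As a minor style point, `options.system ? dryActivationScript` is the more usual spelling of the `builtins.hasAttr` test.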