fix: workaround for #54

Ryan Mulligan 2021-09-10 11:20:54 -07:00
parent e6752e7b85
commit 375a33cd97
1 changed files with 24 additions and 13 deletions


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, options, lib, pkgs, ... }:
with lib; with lib;
@ -103,18 +103,29 @@ in
''; '';
}; };
}; };
config = mkIf (cfg.secrets != { }) { config = mkIf (cfg.secrets != { }) (mkMerge [
assertions = [{
assertion = cfg.sshKeyPaths != [ ];
message = "age.sshKeyPaths must be set.";
}];
# Secrets with root owner and group can be installed before users {
# exist. This allows user password files to be encrypted. assertions = [{
system.activationScripts.agenixRoot = stringAfter [ "specialfs" ] installRootOwnedSecrets; assertion = cfg.sshKeyPaths != [ ];
system.activationScripts.users.deps = [ "agenixRoot" ]; message = "age.sshKeyPaths must be set.";
}];
# Other secrets need to wait for users and groups to exist. # Secrets with root owner and group can be installed before users
system.activationScripts.agenix = stringAfter [ "users" "groups" "specialfs" ] installNonRootSecrets; # exist. This allows user password files to be encrypted.
}; system.activationScripts.agenixRoot = stringAfter [ "specialfs" ] installRootOwnedSecrets;
system.activationScripts.users.deps = [ "agenixRoot" ];
# Other secrets need to wait for users and groups to exist.
system.activationScripts.agenix = stringAfter [ "users" "groups" "specialfs" ] installNonRootSecrets;
}
# workaround for #54
(optionalAttrs (builtins.hasAttr "dryActivationScript" options.system) {
system.activationScripts.users.supportsDryActivation = mkForce false;
system.activationScripts.groups.supportsDryActivation = mkForce false;
})
]);
} }
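Review bot: The `mkForce false` on `users.supportsDryActivation` and `groups.supportsDryActivation` takes effect on every host that sets `age.secrets`, so a dry activation no longer previews user and group changes there, and a host can only re-enable it with a higher-priority override; the comment `# workaround for #54` records none of this. I would expand it to something like `# workaround for #54: users depends on agenixRoot, so users/groups are taken out of dry activation; drop once the secret-install scripts support dry runs` (the reason is inferred from the `users.deps` line above, so confirm it against the issue). The guard tests for `dryActivationScript` in `options.system` as a stand-in for the `supportsDryActivation` sub-option existing, which deserves a mention in the same comment. The module's `let … in` preamble lies outside the hunk.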