mirror of https://github.com/ryantm/agenix.git
feat: works with sysuser
fix: darwin compatible chore: reformat fix: infrec chore: clean logic Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
This commit is contained in:
oluceps
parent
1381a759b2
commit
c5703d556a
|
|
@ -14,6 +14,11 @@ with lib; let
|
||||||
|
|
||||||
users = config.users.users;
|
users = config.users.users;
|
||||||
|
|
||||||
|
sysusersEnabled =
|
||||||
|
if isDarwin
|
||||||
|
then false
|
||||||
|
else options.systemd ? sysusers && config.systemd.sysusers.enable;
|
||||||
|
|
||||||
mountCommand =
|
mountCommand =
|
||||||
if isDarwin
|
if isDarwin
|
||||||
then ''
|
then ''
|
||||||
|
|
@ -261,44 +266,66 @@ in {
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
(optionalAttrs (!isDarwin) {
|
(optionalAttrs (!isDarwin) {
|
||||||
|
# When using sysusers we no longer be started as an activation script
|
||||||
|
# because those are started in initrd while sysusers is started later.
|
||||||
|
systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
|
||||||
|
wantedBy = ["sysinit.target"];
|
||||||
|
after = ["systemd-sysusers.service"];
|
||||||
|
unitConfig.DefaultDependencies = "no";
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
ExecStart = pkgs.writeShellScript "agenix-install" (
|
||||||
|
builtins.concatStringsSep "\n" [
|
||||||
|
newGeneration
|
||||||
|
installSecrets
|
||||||
|
chownSecrets
|
||||||
|
]
|
||||||
|
);
|
||||||
|
RemainAfterExit = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# Create a new directory full of secrets for symlinking (this helps
|
# Create a new directory full of secrets for symlinking (this helps
|
||||||
# ensure removed secrets are actually removed, or at least become
|
# ensure removed secrets are actually removed, or at least become
|
||||||
# invalid symlinks).
|
# invalid symlinks).
|
||||||
system.activationScripts.agenixNewGeneration = {
|
system = mkIf (!sysusersEnabled) {
|
||||||
text = newGeneration;
|
activationScripts.agenixNewGeneration = {
|
||||||
deps = [
|
text = newGeneration;
|
||||||
"specialfs"
|
deps = [
|
||||||
];
|
"specialfs"
|
||||||
};
|
];
|
||||||
|
};
|
||||||
|
|
||||||
system.activationScripts.agenixInstall = {
|
activationScripts.agenixInstall = {
|
||||||
text = installSecrets;
|
text = installSecrets;
|
||||||
deps = [
|
deps = [
|
||||||
"agenixNewGeneration"
|
"agenixNewGeneration"
|
||||||
"specialfs"
|
"specialfs"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# So user passwords can be encrypted.
|
# So user passwords can be encrypted.
|
||||||
system.activationScripts.users.deps = ["agenixInstall"];
|
activationScripts.users.deps = ["agenixInstall"];
|
||||||
|
|
||||||
# Change ownership and group after users and groups are made.
|
# Change ownership and group after users and groups are made.
|
||||||
system.activationScripts.agenixChown = {
|
activationScripts.agenixChown = {
|
||||||
text = chownSecrets;
|
text = chownSecrets;
|
||||||
deps = [
|
deps = [
|
||||||
"users"
|
"users"
|
||||||
"groups"
|
"groups"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# So other activation scripts can depend on agenix being done.
|
# So other activation scripts can depend on agenix being done.
|
||||||
system.activationScripts.agenix = {
|
activationScripts.agenix = {
|
||||||
text = "";
|
text = "";
|
||||||
deps = ["agenixChown"];
|
deps = ["agenixChown"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
|
|
||||||
(optionalAttrs isDarwin {
|
(optionalAttrs isDarwin {
|
||||||
launchd.daemons.activate-agenix = {
|
launchd.daemons.activate-agenix = {
|
||||||
script = ''
|
script = ''
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue