mirror of
https://github.com/ryantm/agenix.git
synced 2024-11-25 02:58:30 +03:00
feat: works with sysuser
fix: darwin compatible chore: reformat fix: infrec chore: clean logic Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com> Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
This commit is contained in:
parent
f6291c5935
commit
e474aa1a4b
1 changed files with 56 additions and 28 deletions
|
@ -14,6 +14,11 @@ with lib; let
|
||||||
|
|
||||||
users = config.users.users;
|
users = config.users.users;
|
||||||
|
|
||||||
|
sysusersEnabled =
|
||||||
|
if isDarwin
|
||||||
|
then false
|
||||||
|
else options.systemd ? sysusers && config.systemd.sysusers.enable;
|
||||||
|
|
||||||
mountCommand =
|
mountCommand =
|
||||||
if isDarwin
|
if isDarwin
|
||||||
then ''
|
then ''
|
||||||
|
@ -261,19 +266,40 @@ in {
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
(optionalAttrs (!isDarwin) {
|
(optionalAttrs (!isDarwin) {
|
||||||
|
# When using sysusers we no longer be started as an activation script
|
||||||
|
# because those are started in initrd while sysusers is started later.
|
||||||
|
systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
|
||||||
|
wantedBy = ["sysinit.target"];
|
||||||
|
after = ["systemd-sysusers.service"];
|
||||||
|
unitConfig.DefaultDependencies = "no";
|
||||||
|
|
||||||
|
path = [pkgs.mount];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
ExecStart = pkgs.writeShellScript "agenix-install" (
|
||||||
|
concatLines [
|
||||||
|
newGeneration
|
||||||
|
installSecrets
|
||||||
|
chownSecrets
|
||||||
|
]
|
||||||
|
);
|
||||||
|
RemainAfterExit = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# Create a new directory full of secrets for symlinking (this helps
|
# Create a new directory full of secrets for symlinking (this helps
|
||||||
# ensure removed secrets are actually removed, or at least become
|
# ensure removed secrets are actually removed, or at least become
|
||||||
# invalid symlinks).
|
# invalid symlinks).
|
||||||
system.activationScripts.agenixNewGeneration = {
|
system.activationScripts = mkIf (!sysusersEnabled) {
|
||||||
|
agenixNewGeneration = {
|
||||||
text = newGeneration;
|
text = newGeneration;
|
||||||
deps = [
|
deps = [
|
||||||
"specialfs"
|
"specialfs"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
system.activationScripts.agenixInstall = {
|
agenixInstall = {
|
||||||
text = installSecrets;
|
text = installSecrets;
|
||||||
deps = [
|
deps = [
|
||||||
"agenixNewGeneration"
|
"agenixNewGeneration"
|
||||||
|
@ -282,10 +308,10 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
# So user passwords can be encrypted.
|
# So user passwords can be encrypted.
|
||||||
system.activationScripts.users.deps = ["agenixInstall"];
|
users.deps = ["agenixInstall"];
|
||||||
|
|
||||||
# Change ownership and group after users and groups are made.
|
# Change ownership and group after users and groups are made.
|
||||||
system.activationScripts.agenixChown = {
|
agenixChown = {
|
||||||
text = chownSecrets;
|
text = chownSecrets;
|
||||||
deps = [
|
deps = [
|
||||||
"users"
|
"users"
|
||||||
|
@ -294,11 +320,13 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
# So other activation scripts can depend on agenix being done.
|
# So other activation scripts can depend on agenix being done.
|
||||||
system.activationScripts.agenix = {
|
agenix = {
|
||||||
text = "";
|
text = "";
|
||||||
deps = ["agenixChown"];
|
deps = ["agenixChown"];
|
||||||
};
|
};
|
||||||
|
};
|
||||||
})
|
})
|
||||||
|
|
||||||
(optionalAttrs isDarwin {
|
(optionalAttrs isDarwin {
|
||||||
launchd.daemons.activate-agenix = {
|
launchd.daemons.activate-agenix = {
|
||||||
script = ''
|
script = ''
|
||||||
|
|
Loading…
Reference in a new issue