feat: works with sysuser

fix: darwin compatible chore: reformat fix: infrec chore: clean logic Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com> Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
2024-11-25 02:58:30 +03:00 · 2024-04-07 04:18:45 +08:00 · 2024-04-07 04:18:45 +08:00 · e474aa1a4b
commit e474aa1a4b
parent f6291c5935
1 changed files with 56 additions and 28 deletions
--- a/modules/age.nix
+++ b/modules/age.nix
@ -14,6 +14,11 @@ with lib; let

  users = config.users.users;

+  sysusersEnabled =
+    if isDarwin
+    then false
+    else options.systemd ? sysusers && config.systemd.sysusers.enable;
+
  mountCommand =
    if isDarwin
    then ''
@ -261,44 +266,67 @@ in {
        }
      ];
    }
-
    (optionalAttrs (!isDarwin) {
+      # When using sysusers we no longer be started as an activation script
+      # because those are started in initrd while sysusers is started later.
+      systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
+        wantedBy = ["sysinit.target"];
+        after = ["systemd-sysusers.service"];
+        unitConfig.DefaultDependencies = "no";
+
+        path = [pkgs.mount];
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = pkgs.writeShellScript "agenix-install" (
+            concatLines [
+              newGeneration
+              installSecrets
+              chownSecrets
+            ]
+          );
+          RemainAfterExit = true;
+        };
+      };
+
      # Create a new directory full of secrets for symlinking (this helps
      # ensure removed secrets are actually removed, or at least become
      # invalid symlinks).
-      system.activationScripts.agenixNewGeneration = {
-        text = newGeneration;
-        deps = [
-          "specialfs"
-        ];
-      };
+      system.activationScripts = mkIf (!sysusersEnabled) {
+        agenixNewGeneration = {
+          text = newGeneration;
+          deps = [
+            "specialfs"
+          ];
+        };

-      system.activationScripts.agenixInstall = {
-        text = installSecrets;
-        deps = [
-          "agenixNewGeneration"
-          "specialfs"
-        ];
-      };
+        agenixInstall = {
+          text = installSecrets;
+          deps = [
+            "agenixNewGeneration"
+            "specialfs"
+          ];
+        };

-      # So user passwords can be encrypted.
-      system.activationScripts.users.deps = ["agenixInstall"];
+        # So user passwords can be encrypted.
+        users.deps = ["agenixInstall"];

-      # Change ownership and group after users and groups are made.
-      system.activationScripts.agenixChown = {
-        text = chownSecrets;
-        deps = [
-          "users"
-          "groups"
-        ];
-      };
+        # Change ownership and group after users and groups are made.
+        agenixChown = {
+          text = chownSecrets;
+          deps = [
+            "users"
+            "groups"
+          ];
+        };

-      # So other activation scripts can depend on agenix being done.
-      system.activationScripts.agenix = {
-        text = "";
-        deps = ["agenixChown"];
+        # So other activation scripts can depend on agenix being done.
+        agenix = {
+          text = "";
+          deps = ["agenixChown"];
+        };
      };
    })
+
    (optionalAttrs isDarwin {
      launchd.daemons.activate-agenix = {
        script = ''