From fe206b43065394cc7cbcc111b29eea4527161dc1 Mon Sep 17 00:00:00 2001
From: Jeroen Simonetti
Date: Sun, 10 Jul 2022 18:39:23 +0200
Subject: [PATCH] [module] change operation order

Change the order of operations to:
1. create new generation
2. decrypt secrets into new generation
3. symlink and remove old generation/secrets

Signed-off-by: Jeroen Simonetti
---
 modules/age.nix | 34 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 13 deletions(-)

diff --git a/modules/age.nix b/modules/age.nix
index ad4e392..c1528c5 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -161,16 +161,28 @@ in
 # Create a new directory full of secrets for symlinking (this helps
 # ensure removed secrets are actually removed, or at least become
 # invalid symlinks).
- system.activationScripts.agenixMountSecrets = {
+ system.activationScripts.agenixNewGeneration = {
 text = ''
 _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
 (( ++_agenix_generation ))
- echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
+ echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
 mkdir -p "${cfg.secretsMountPoint}"
 chmod 0751 "${cfg.secretsMountPoint}"
 grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts ||
 mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
 mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
 chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
+ '';
+ deps = [
+ "specialfs"
+ ];
+ };
+
+ # Symlink new generation in place and cleanup old generation
+ system.activationScripts.agenixCleanupAndLink= {
+ text = ''
+ _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+ (( ++_agenix_generation ))
+ echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
 ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
 (( _agenix_generation > 1 )) && {
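Review bot: The new `agenixCleanupAndLink` script re-derives `_agenix_generation` from `readlink ${cfg.secretsDir}` with the same two lines `agenixNewGeneration` already ran, so the directory the secrets were decrypted into and the directory that `ln -sfn` finally points at agree only as long as nothing touches the `${cfg.secretsDir}` link between the two scripts; if they ever diverge, the freshly decrypted secrets sit in a generation that is never linked while the old one is removed. If the activation scripts are concatenated into a single shell script (which I believe NixOS does, but confirm), the variable is still set from the first script and the recomputation can be dropped; otherwise a comment such as `# Must match the value computed in agenixNewGeneration: the decrypt scripts wrote into that directory` on the first line of the second `text` block would record the invariant. The kept comment `# Create a new directory full of secrets for symlinking (this helps ... invalid symlinks).` now describes only the first half of the split, and the "removed secrets become invalid symlinks" rationale belongs with `agenixCleanupAndLink`. Minor style: `agenixCleanupAndLink= {` lacks the space before `=` that the other definitions in the hunk use. The `&&` block that removes the previous generation continues outside the hunk.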
@@ -179,7 +191,8 @@ in
 }
 '';
 deps = [
- "specialfs"
+ "agenixRoot"
+ "agenixNonRoot"
 ];
 };
@@ -187,7 +200,7 @@ in
 # exist. This allows user password files to be encrypted.
 system.activationScripts.agenixRoot = {
 text = installRootOwnedSecrets;
- deps = [ "agenixMountSecrets" "specialfs" ];
+ deps = [ "agenixNewGeneration" "specialfs" ];
 };
 system.activationScripts.users.deps = [ "agenixRoot" ];
@@ -200,20 +213,15 @@ in
 deps = [
 "users"
 "groups"
- "agenixMountSecrets"
+ "agenixCleanupAndLink"
 ];
 };
+
 # Other secrets need to wait for users and groups to exist.
- system.activationScripts.agenix = {
+ system.activationScripts.agenixNonRoot = {
 text = installNonRootSecrets;
- deps = [
- "users"
- "groups"
- "specialfs"
- "agenixMountSecrets"
- "agenixChownKeys"
- ];
+ deps = [ "agenixNewGeneration" "specialfs" ];
 };
 };
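Review bot: In the last hunk the kept comment `# Other secrets need to wait for users and groups to exist.` sits directly above `agenixNonRoot`, whose new `deps = [ "agenixNewGeneration" "specialfs" ];` drops `"users"` and `"groups"`, so nothing in the dependency graph orders `installNonRootSecrets` after user and group creation any more (`agenixChownKeys` still waits for them, but `agenixNonRoot` does not depend on it). If `installNonRootSecrets` still sets ownership itself, the secret files can be written before their owners exist; if ownership is now applied only by `agenixChownKeys`, the comment is stale. Either restore the ordering with `deps = [ "users" "groups" "agenixNewGeneration" "specialfs" ];` (no cycle, since `users` depends only on `agenixRoot`) or replace the comment with one stating that ownership is applied later by `agenixChownKeys`. The `deps = [` list at the top of this hunk belongs to a definition (presumably `agenixChownKeys`, given the old `agenix` deps) that starts outside the hunk.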