[module] change operation order
Change the order of operations to: 1. create the new generation; 2. decrypt secrets into the new generation; 3. symlink the new generation into place and remove the old generation/secrets. Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
This commit is contained in:
parent
7e5e58b98c
commit
fe206b4306
1 changed files with 21 additions and 13 deletions
|
@ -161,16 +161,28 @@ in
|
||||||
# Create a new directory full of secrets for symlinking (this helps
|
# Create a new directory full of secrets for symlinking (this helps
|
||||||
# ensure removed secrets are actually removed, or at least become
|
# ensure removed secrets are actually removed, or at least become
|
||||||
# invalid symlinks).
|
# invalid symlinks).
|
||||||
system.activationScripts.agenixMountSecrets = {
|
system.activationScripts.agenixNewGeneration = {
|
||||||
text = ''
|
text = ''
|
||||||
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
|
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
|
||||||
(( ++_agenix_generation ))
|
(( ++_agenix_generation ))
|
||||||
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
|
echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
|
||||||
mkdir -p "${cfg.secretsMountPoint}"
|
mkdir -p "${cfg.secretsMountPoint}"
|
||||||
chmod 0751 "${cfg.secretsMountPoint}"
|
chmod 0751 "${cfg.secretsMountPoint}"
|
||||||
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
|
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
|
||||||
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
|
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
|
||||||
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
|
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
|
||||||
|
'';
|
||||||
|
deps = [
|
||||||
|
"specialfs"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Symlink new generation in place and cleanup old generation
|
||||||
|
system.activationScripts.agenixCleanupAndLink= {
|
||||||
|
text = ''
|
||||||
|
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
|
||||||
|
(( ++_agenix_generation ))
|
||||||
|
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
|
||||||
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
|
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
|
||||||
|
|
||||||
(( _agenix_generation > 1 )) && {
|
(( _agenix_generation > 1 )) && {
|
||||||
|
@ -179,7 +191,8 @@ in
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
deps = [
|
deps = [
|
||||||
"specialfs"
|
"agenixRoot"
|
||||||
|
"agenixNonRoot"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -187,7 +200,7 @@ in
|
||||||
# exist. This allows user password files to be encrypted.
|
# exist. This allows user password files to be encrypted.
|
||||||
system.activationScripts.agenixRoot = {
|
system.activationScripts.agenixRoot = {
|
||||||
text = installRootOwnedSecrets;
|
text = installRootOwnedSecrets;
|
||||||
deps = [ "agenixMountSecrets" "specialfs" ];
|
deps = [ "agenixNewGeneration" "specialfs" ];
|
||||||
};
|
};
|
||||||
system.activationScripts.users.deps = [ "agenixRoot" ];
|
system.activationScripts.users.deps = [ "agenixRoot" ];
|
||||||
|
|
||||||
|
@ -200,20 +213,15 @@ in
|
||||||
deps = [
|
deps = [
|
||||||
"users"
|
"users"
|
||||||
"groups"
|
"groups"
|
||||||
"agenixMountSecrets"
|
"agenixCleanupAndLink"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
# Other secrets need to wait for users and groups to exist.
|
# Other secrets need to wait for users and groups to exist.
|
||||||
system.activationScripts.agenix = {
|
system.activationScripts.agenixNonRoot = {
|
||||||
text = installNonRootSecrets;
|
text = installNonRootSecrets;
|
||||||
deps = [
|
deps = [ "agenixNewGeneration" "specialfs" ];
|
||||||
"users"
|
|
||||||
"groups"
|
|
||||||
"specialfs"
|
|
||||||
"agenixMountSecrets"
|
|
||||||
"agenixChownKeys"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
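Review bot: In the last hunk, `agenixNonRoot` keeps the comment "Other secrets need to wait for users and groups to exist." but its new `deps = [ "agenixNewGeneration" "specialfs" ];` no longer lists `"users"` or `"groups"`, and nothing else in the diff orders it after them (`users` only depends on `agenixRoot`, and `agenixChownKeys` now runs after `agenixCleanupAndLink`), so if `installNonRootSecrets` still changes ownership to non-root accounts it can now run before those accounts exist; unless that ownership step moved elsewhere (not visible here), the line should read `deps = [ "agenixNewGeneration" "specialfs" "users" "groups" ];`, which introduces no cycle with the other dependencies shown. In the first hunk, `agenixCleanupAndLink` recomputes `_agenix_generation` from `readlink ${cfg.secretsDir}` exactly as `agenixNewGeneration` does and silently relies on the symlink not having changed in between; a one-line comment such as `# must derive the same generation number as agenixNewGeneration: the symlink is only updated below` would make that coupling explicit. As a point of style, `system.activationScripts.agenixCleanupAndLink= {` is missing the space before `=` that every other definition in the hunk has. The enclosing `let … in` module body starts and ends outside these hunks.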