[module] change operation order

Change the order of operations to:

1. create new generation
2. decrypt secrets into new generation
3. symlink and remove old generation/secrets

Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
Jeroen Simonetti 2022-07-10 18:39:23 +02:00
parent 7e5e58b98c
commit fe206b4306
1 changed files with 21 additions and 13 deletions


@ -161,16 +161,28 @@ in
# Create a new directory full of secrets for symlinking (this helps # Create a new directory full of secrets for symlinking (this helps
# ensure removed secrets are actually removed, or at least become # ensure removed secrets are actually removed, or at least become
# invalid symlinks). # invalid symlinks).
system.activationScripts.agenixMountSecrets = { system.activationScripts.agenixNewGeneration = {
text = '' text = ''
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)" _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation )) (( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..." echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
mkdir -p "${cfg.secretsMountPoint}" mkdir -p "${cfg.secretsMountPoint}"
chmod 0751 "${cfg.secretsMountPoint}" chmod 0751 "${cfg.secretsMountPoint}"
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751 grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation" mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation" chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
'';
deps = [
"specialfs"
];
};
# Symlink new generation in place and cleanup old generation
system.activationScripts.agenixCleanupAndLink= {
text = ''
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir} ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
(( _agenix_generation > 1 )) && { (( _agenix_generation > 1 )) && {
@ -179,7 +191,8 @@ in
} }
''; '';
deps = [ deps = [
"specialfs" "agenixRoot"
"agenixNonRoot"
]; ];
}; };
@ -187,7 +200,7 @@ in
# exist. This allows user password files to be encrypted. # exist. This allows user password files to be encrypted.
system.activationScripts.agenixRoot = { system.activationScripts.agenixRoot = {
text = installRootOwnedSecrets; text = installRootOwnedSecrets;
deps = [ "agenixMountSecrets" "specialfs" ]; deps = [ "agenixNewGeneration" "specialfs" ];
}; };
system.activationScripts.users.deps = [ "agenixRoot" ]; system.activationScripts.users.deps = [ "agenixRoot" ];
@ -200,20 +213,15 @@ in
deps = [ deps = [
"users" "users"
"groups" "groups"
"agenixMountSecrets" "agenixCleanupAndLink"
]; ];
}; };
# Other secrets need to wait for users and groups to exist. # Other secrets need to wait for users and groups to exist.
system.activationScripts.agenix = { system.activationScripts.agenixNonRoot = {
text = installNonRootSecrets; text = installNonRootSecrets;
deps = [ deps = [ "agenixNewGeneration" "specialfs" ];
"users"
"groups"
"specialfs"
"agenixMountSecrets"
"agenixChownKeys"
];
}; };
}; };
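Review bot: The renamed `agenixNonRoot` script drops `"users"` and `"groups"` from its deps (`deps = [ "agenixNewGeneration" "specialfs" ];`) while the retained comment directly above it still says these secrets must wait for users and groups to exist; if installNonRootSecrets sets ownership to configured accounts, activation can now run it before they are created, so the line should read `deps = [ "agenixNewGeneration" "users" "groups" "specialfs" ];`. Separately, with the symlink update moved into `agenixCleanupAndLink`, an activation that fails between `agenixNewGeneration` and the link step leaves `${cfg.secretsMountPoint}/$_agenix_generation` populated while `${cfg.secretsDir}` still points at the previous generation, so the next activation recomputes the same number and `mkdir -p` silently reuses the partially written directory, including any secret removed from the configuration in between, which the header comment about removed secrets is meant to prevent. Consider clearing a pre-existing target in `agenixNewGeneration`, e.g. `rm -rf "${cfg.secretsMountPoint}/$_agenix_generation"` immediately before the `mkdir -p` of that path. The generation number is now derived independently in both scripts from `readlink ${cfg.secretsDir}`; a comment such as `# Must match the computation in agenixNewGeneration; the symlink is only advanced below` in `agenixCleanupAndLink` would make that coupling explicit. The old-generation cleanup block of `agenixCleanupAndLink` continues past the end of the first hunk.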