mirror of https://github.com/ryantm/agenix.git
Compare commits
3 Commits
8ff1e1afcd
...
2b558e9af1
Author | SHA1 | Date |
---|---|---|
oluceps | 2b558e9af1 | |
Ryan Mulligan | 24a7ea3905 | |
Ellis Gibbons | 2c1d1fb134 |
|
@ -14,6 +14,11 @@ with lib; let
|
|||
|
||||
users = config.users.users;
|
||||
|
||||
sysusersEnabled =
|
||||
if isDarwin
|
||||
then false
|
||||
else options.systemd ? sysusers && config.systemd.sysusers.enable;
|
||||
|
||||
mountCommand =
|
||||
if isDarwin
|
||||
then ''
|
||||
|
@ -261,44 +266,66 @@ in {
|
|||
}
|
||||
];
|
||||
}
|
||||
|
||||
(optionalAttrs (!isDarwin) {
|
||||
# When using sysusers we no longer be started as an activation script
|
||||
# because those are started in initrd while sysusers is started later.
|
||||
systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
|
||||
wantedBy = ["sysinit.target"];
|
||||
after = ["systemd-sysusers.service"];
|
||||
unitConfig.DefaultDependencies = "no";
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = pkgs.writeShellScript "agenix-install" (
|
||||
builtins.concatStringsSep "\n" [
|
||||
newGeneration
|
||||
installSecrets
|
||||
chownSecrets
|
||||
]
|
||||
);
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
};
|
||||
|
||||
# Create a new directory full of secrets for symlinking (this helps
|
||||
# ensure removed secrets are actually removed, or at least become
|
||||
# invalid symlinks).
|
||||
system.activationScripts.agenixNewGeneration = {
|
||||
text = newGeneration;
|
||||
deps = [
|
||||
"specialfs"
|
||||
];
|
||||
};
|
||||
system.activationScripts = mkIf (!sysusersEnabled) {
|
||||
agenixNewGeneration = {
|
||||
text = newGeneration;
|
||||
deps = [
|
||||
"specialfs"
|
||||
];
|
||||
};
|
||||
|
||||
system.activationScripts.agenixInstall = {
|
||||
text = installSecrets;
|
||||
deps = [
|
||||
"agenixNewGeneration"
|
||||
"specialfs"
|
||||
];
|
||||
};
|
||||
agenixInstall = {
|
||||
text = installSecrets;
|
||||
deps = [
|
||||
"agenixNewGeneration"
|
||||
"specialfs"
|
||||
];
|
||||
};
|
||||
|
||||
# So user passwords can be encrypted.
|
||||
system.activationScripts.users.deps = ["agenixInstall"];
|
||||
# So user passwords can be encrypted.
|
||||
users.deps = ["agenixInstall"];
|
||||
|
||||
# Change ownership and group after users and groups are made.
|
||||
system.activationScripts.agenixChown = {
|
||||
text = chownSecrets;
|
||||
deps = [
|
||||
"users"
|
||||
"groups"
|
||||
];
|
||||
};
|
||||
# Change ownership and group after users and groups are made.
|
||||
agenixChown = {
|
||||
text = chownSecrets;
|
||||
deps = [
|
||||
"users"
|
||||
"groups"
|
||||
];
|
||||
};
|
||||
|
||||
# So other activation scripts can depend on agenix being done.
|
||||
system.activationScripts.agenix = {
|
||||
text = "";
|
||||
deps = ["agenixChown"];
|
||||
# So other activation scripts can depend on agenix being done.
|
||||
agenix = {
|
||||
text = "";
|
||||
deps = ["agenixChown"];
|
||||
};
|
||||
};
|
||||
})
|
||||
|
||||
(optionalAttrs isDarwin {
|
||||
launchd.daemons.activate-agenix = {
|
||||
script = ''
|
||||
|
|
|
@ -171,7 +171,9 @@ function edit {
|
|||
ENCRYPT=()
|
||||
while IFS= read -r key
|
||||
do
|
||||
ENCRYPT+=(--recipient "$key")
|
||||
if [ -n "$key" ]; then
|
||||
ENCRYPT+=(--recipient "$key")
|
||||
fi
|
||||
done <<< "$KEYS"
|
||||
|
||||
REENCRYPTED_DIR=$(@mktempBin@ -d)
|
||||
|
|
Loading…
Reference in New Issue