Compare commits

...

3 Commits

Author SHA1 Message Date
oluceps 2b558e9af1
feat: works with sysuser
fix: darwin compatible

chore: reformat

fix: infrec

chore: clean logic

Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
2024-04-30 06:27:40 +00:00
Ryan Mulligan 24a7ea3905
Merge pull request #256 from spectre256/main
fix: allow for newlines in keys
2024-04-26 05:59:12 -07:00
Ellis Gibbons 2c1d1fb134
fix: allow for newlines in keys 2024-04-12 17:50:07 -04:00
2 changed files with 58 additions and 29 deletions

View File

@ -14,6 +14,11 @@ with lib; let
users = config.users.users;
sysusersEnabled =
if isDarwin
then false
else options.systemd ? sysusers && config.systemd.sysusers.enable;
mountCommand =
if isDarwin
then ''
@ -261,44 +266,66 @@ in {
}
];
}
(optionalAttrs (!isDarwin) {
# When using sysusers we no longer be started as an activation script
# because those are started in initrd while sysusers is started later.
systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
wantedBy = ["sysinit.target"];
after = ["systemd-sysusers.service"];
unitConfig.DefaultDependencies = "no";
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "agenix-install" (
builtins.concatStringsSep "\n" [
newGeneration
installSecrets
chownSecrets
]
);
RemainAfterExit = true;
};
};
# Create a new directory full of secrets for symlinking (this helps
# ensure removed secrets are actually removed, or at least become
# invalid symlinks).
system.activationScripts.agenixNewGeneration = {
text = newGeneration;
deps = [
"specialfs"
];
};
system.activationScripts = mkIf (!sysusersEnabled) {
agenixNewGeneration = {
text = newGeneration;
deps = [
"specialfs"
];
};
system.activationScripts.agenixInstall = {
text = installSecrets;
deps = [
"agenixNewGeneration"
"specialfs"
];
};
agenixInstall = {
text = installSecrets;
deps = [
"agenixNewGeneration"
"specialfs"
];
};
# So user passwords can be encrypted.
system.activationScripts.users.deps = ["agenixInstall"];
# So user passwords can be encrypted.
users.deps = ["agenixInstall"];
# Change ownership and group after users and groups are made.
system.activationScripts.agenixChown = {
text = chownSecrets;
deps = [
"users"
"groups"
];
};
# Change ownership and group after users and groups are made.
agenixChown = {
text = chownSecrets;
deps = [
"users"
"groups"
];
};
# So other activation scripts can depend on agenix being done.
system.activationScripts.agenix = {
text = "";
deps = ["agenixChown"];
# So other activation scripts can depend on agenix being done.
agenix = {
text = "";
deps = ["agenixChown"];
};
};
})
(optionalAttrs isDarwin {
launchd.daemons.activate-agenix = {
script = ''

View File

@ -171,7 +171,9 @@ function edit {
ENCRYPT=()
while IFS= read -r key
do
ENCRYPT+=(--recipient "$key")
if [ -n "$key" ]; then
ENCRYPT+=(--recipient "$key")
fi
done <<< "$KEYS"
REENCRYPTED_DIR=$(@mktempBin@ -d)