authorpennae <pennae.git@quasiparticle.net>2021-09-11 19:53:19 +0200
committerpennae <pennae.git@quasiparticle.net>2021-09-11 19:57:55 +0200
commit0879125e5d0c796a5710e29674c3aa6d3e7132b0 (patch)
treef29127bea88cfd839934428391605bf5eccbc893
parent99d575a882e00e55871db934901e3817f5daba28 (diff)
add dry activation support
we temporarily have to disable the specialfs dependency to make dry activation work, but since we don't actually need it so far that's no problem. if we do need it at some point before the dry activation bugs are fixed we'd have to disable dry activation for the users script instead.
-rw-r--r--modules/default.nix52
1 files changed, 33 insertions, 19 deletions
diff --git a/modules/default.nix b/modules/default.nix
index 8c48542..d2f62f8 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -53,16 +53,21 @@ let
maybe0 = s: if s == "root" then "0" else escapeShellArg s;
secret = pathOf name;
in ''
- (
- set -eu
- trap "rm -f ${escapeShellArg path}; echo decrypting secret ${escapeShellArg name} failed" ERR
- umask 022
- mkdir -p ${escapeShellArg (dirOf path)}
- umask 377
- ${pkgs.age}/bin/age -d ${hostKeyArgs} -o ${escapeShellArg path} ${secret}
- chown ${maybe0 owner}:${maybe0 group} ${path}
- chmod ${escapeShellArg mode} ${escapeShellArg path}
- )
+ if [ "$NIXOS_ACTION" = dry-activate ]; then
+ echo would decrypt secret ${escapeShellArg name}
+ else
+ echo decrypting secret ${escapeShellArg name}
+ (
+ set -eu
+ trap "rm -f ${escapeShellArg path}; echo decrypting secret ${escapeShellArg name} failed" ERR
+ umask 022
+ mkdir -p ${escapeShellArg (dirOf path)}
+ umask 377
+ ${pkgs.age}/bin/age -d ${hostKeyArgs} -o ${escapeShellArg path} ${secret}
+ chown ${maybe0 owner}:${maybe0 group} ${path}
+ chmod ${escapeShellArg mode} ${escapeShellArg path}
+ )
+ fi
'';
activate = secrets: concatStringsSep "\n" (mapAttrsToList decrypt secrets);
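Review bot: The chown line in the new else-branch still passes `${path}` unquoted while every other use of the path in this block goes through `escapeShellArg`, so a path containing whitespace or shell metacharacters would be split or reinterpreted by the shell at that one step. The line was carried over unchanged from the removed block, but since the whole block is being rewritten here it is the moment to make it consistent: `chown ${maybe0 owner}:${maybe0 group} ${escapeShellArg path}`. Note that the trap on the previous lines only removes the file on error; if chown fails after age has already written the decrypted secret, the 0400 file created under `umask 377` is removed by the trap, which is the intended behaviour and worth a short comment such as `# the trap deletes a partially set-up secret so a failed chown/chmod never leaves it readable`. The enclosing `decrypt` definition begins before this hunk.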
@@ -196,18 +201,27 @@ in
system.activationScripts = {
# activate root secrets very early so we have access to them in the activation scripts
- seacrit-root = stringAfter [ "specialfs" ] ''
- rm -rf /run/seacrit
- mkdir -m 0755 /run/seacrit
- ${activate (filterAttrs (_: s: isRootSecret s) cfg.secrets)}
- '';
+ seacrit-root = {
+ # deps = [ "specialfs" ];
+ text = ''
+ if [ "$NIXOS_ACTION" != dry-activate ]; then
+ rm -rf /run/seacrit
+ mkdir -m 0755 /run/seacrit
+ fi
+ ${activate (filterAttrs (_: s: isRootSecret s) cfg.secrets)}
+ '';
+ supportsDryActivation = true;
+ };
users.deps = [ "seacrit-root" ];
- groups.deps = [ "seacrit-root" ];
- seacrit = stringAfter [ "users" "groups" ] ''
- ${activate (filterAttrs (_: s: ! isRootSecret s) cfg.secrets)}
- '';
+ seacrit = {
+ deps = [ "users" ];
+ text = ''
+ ${activate (filterAttrs (_: s: ! isRootSecret s) cfg.secrets)}
+ '';
+ supportsDryActivation = true;
+ };
};
};
}
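Review bot: The commented-out `# deps = [ "specialfs" ];` on seacrit-root carries no explanation in the file, so a later reader will not know whether it is dead code or a deliberate workaround; the reason is only in the commit message. I would replace it with a comment that records the constraint, e.g. `# specialfs is not declared as a dependency for now: it does not support dry activation and this script only needs a writable /run so far; re-add it (and drop supportsDryActivation) if a special mount becomes necessary`. Separately, the seacrit script now waits only on `users` after the `groups` dependency was dropped, while the per-secret chown in `decrypt` targets `${maybe0 group}`; if group creation is handled by a script other than `users`, a secret could be chowned before its group exists, so it is worth confirming that the users script creates groups as well.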