-rw-r--r--modules/default.nix52
1 files changed, 33 insertions, 19 deletions
diff --git a/modules/default.nix b/modules/default.nix
index 8c48542..d2f62f8 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -53,16 +53,21 @@ let
maybe0 = s: if s == "root" then "0" else escapeShellArg s;
secret = pathOf name;
in ''
- (
- set -eu
- trap "rm -f ${escapeShellArg path}; echo decrypting secret ${escapeShellArg name} failed" ERR
- umask 022
- mkdir -p ${escapeShellArg (dirOf path)}
- umask 377
- ${pkgs.age}/bin/age -d ${hostKeyArgs} -o ${escapeShellArg path} ${secret}
- chown ${maybe0 owner}:${maybe0 group} ${path}
- chmod ${escapeShellArg mode} ${escapeShellArg path}
- )
+ if [ "$NIXOS_ACTION" = dry-activate ]; then
+ echo would decrypt secret ${escapeShellArg name}
+ else
+ echo decrypting secret ${escapeShellArg name}
+ (
+ set -eu
+ trap "rm -f ${escapeShellArg path}; echo decrypting secret ${escapeShellArg name} failed" ERR
+ umask 022
+ mkdir -p ${escapeShellArg (dirOf path)}
+ umask 377
+ ${pkgs.age}/bin/age -d ${hostKeyArgs} -o ${escapeShellArg path} ${secret}
+ chown ${maybe0 owner}:${maybe0 group} ${path}
+ chmod ${escapeShellArg mode} ${escapeShellArg path}
+ )
+ fi
'';
activate = secrets: concatStringsSep "\n" (mapAttrsToList decrypt secrets);
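Review bot: The `chown` line kept on the new side (`chown ${maybe0 owner}:${maybe0 group} ${path}`) interpolates `path` raw, while every other use of it in the same subshell goes through `escapeShellArg`; a path containing whitespace or shell metacharacters would be split or interpreted by the shell, and the ownership change would land on the wrong name while the preceding `age -d` and the following `chmod` still act on the intended file. Change it to `chown ${maybe0 owner}:${maybe0 group} ${escapeShellArg path}` so all four references to the target agree. Since the ERR trap only removes the partial file and echoes a message, it looks as though a failed decryption leaves the enclosing activation script running rather than aborting it; if that is intentional it deserves a one-line comment on the `trap` line saying so. The `decrypt` function these lines belong to starts before this hunk (the hunk header only shows the enclosing `let`).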
@@ -196,18 +201,27 @@ in
system.activationScripts = {
# activate root secrets very early so we have access to them in the activation scripts
- seacrit-root = stringAfter [ "specialfs" ] ''
- rm -rf /run/seacrit
- mkdir -m 0755 /run/seacrit
- ${activate (filterAttrs (_: s: isRootSecret s) cfg.secrets)}
- '';
+ seacrit-root = {
+ # deps = [ "specialfs" ];
+ text = ''
+ if [ "$NIXOS_ACTION" != dry-activate ]; then
+ rm -rf /run/seacrit
+ mkdir -m 0755 /run/seacrit
+ fi
+ ${activate (filterAttrs (_: s: isRootSecret s) cfg.secrets)}
+ '';
+ supportsDryActivation = true;
+ };
users.deps = [ "seacrit-root" ];
- groups.deps = [ "seacrit-root" ];
- seacrit = stringAfter [ "users" "groups" ] ''
- ${activate (filterAttrs (_: s: ! isRootSecret s) cfg.secrets)}
- '';
+ seacrit = {
+ deps = [ "users" ];
+ text = ''
+ ${activate (filterAttrs (_: s: ! isRootSecret s) cfg.secrets)}
+ '';
+ supportsDryActivation = true;
+ };
};
};
}
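Review bot: `seacrit-root` no longer declares any `deps` (the former `stringAfter [ "specialfs" ]` is now the commented-out `# deps = [ "specialfs" ];`), yet the comment above it still says it must run "very early" and its body does `rm -rf /run/seacrit` and `mkdir -m 0755 /run/seacrit`; without the dependency there is no stated guarantee about ordering relative to the script that sets up `/run`, and a reader cannot tell whether dropping it was deliberate. Presumably the dep was removed because dry activation required it, but that should be written down rather than left as dead code, e.g. replace the commented line with `# no deps on purpose: <TODO: reason the "specialfs" dependency was dropped>`. The same applies to `seacrit`, whose deps shrank from `[ "users" "groups" ]` to `[ "users" ]` and which lost the `groups.deps` entry; since its non-root secrets are `chown`ed to arbitrary owner:group pairs, a short comment confirming that group creation is covered by the `users` script would make the ordering assumption explicit.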