From 0879125e5d0c796a5710e29674c3aa6d3e7132b0 Mon Sep 17 00:00:00 2001
From: pennae <pennae.git@quasiparticle.net>
Date: Sat, 11 Sep 2021 19:53:19 +0200
Subject: add dry activation support

we temporarily have to disable the specialfs depencendy to make dry activation
work, but since we don't actually need it so far that's no problem. if we do
need it at some point before the dry activation bugs are fixed we'd have to
disable dry activation for the users script instead.
---
 modules/default.nix | 52 +++++++++++++++++++++++++++++++++-------------------
 1 file changed, 33 insertions(+), 19 deletions(-)

diff --git a/modules/default.nix b/modules/default.nix
index 8c48542..d2f62f8 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -53,16 +53,21 @@ let
       maybe0 = s: if s == "root" then "0" else escapeShellArg s;
       secret = pathOf name;
     in ''
-      (
-        set -eu
-        trap "rm -f ${escapeShellArg path}; echo decrypting secret ${escapeShellArg name} failed" ERR
-        umask 022
-        mkdir -p ${escapeShellArg (dirOf path)}
-        umask 377
-        ${pkgs.age}/bin/age -d ${hostKeyArgs} -o ${escapeShellArg path} ${secret}
-        chown ${maybe0 owner}:${maybe0 group} ${path}
-        chmod ${escapeShellArg mode} ${escapeShellArg path}
-      )
+      if [ "$NIXOS_ACTION" = dry-activate ]; then
+        echo would decrypt secret ${escapeShellArg name}
+      else
+        echo decrypting secret ${escapeShellArg name}
+        (
+          set -eu
+          trap "rm -f ${escapeShellArg path}; echo decrypting secret ${escapeShellArg name} failed" ERR
+          umask 022
+          mkdir -p ${escapeShellArg (dirOf path)}
+          umask 377
+          ${pkgs.age}/bin/age -d ${hostKeyArgs} -o ${escapeShellArg path} ${secret}
+          chown ${maybe0 owner}:${maybe0 group} ${path}
+          chmod ${escapeShellArg mode} ${escapeShellArg path}
+        )
+      fi
     '';
 
   activate = secrets: concatStringsSep "\n" (mapAttrsToList decrypt secrets);
@@ -196,18 +201,27 @@ in
 
     system.activationScripts = {
       # activate root secrets very early so we have access to them in the activation scripts
-      seacrit-root = stringAfter [ "specialfs" ] ''
-        rm -rf /run/seacrit
-        mkdir -m 0755 /run/seacrit
-        ${activate (filterAttrs (_: s: isRootSecret s) cfg.secrets)}
-      '';
+      seacrit-root = {
+        # deps = [ "specialfs" ];
+        text = ''
+          if [ "$NIXOS_ACTION" != dry-activate ]; then
+            rm -rf /run/seacrit
+            mkdir -m 0755 /run/seacrit
+          fi
+          ${activate (filterAttrs (_: s: isRootSecret s) cfg.secrets)}
+        '';
+        supportsDryActivation = true;
+      };
 
       users.deps = [ "seacrit-root" ];
-      groups.deps = [ "seacrit-root" ];
 
-      seacrit = stringAfter [ "users" "groups" ] ''
-        ${activate (filterAttrs (_: s: ! isRootSecret s) cfg.secrets)}
-      '';
+      seacrit = {
+        deps = [ "users" ];
+        text = ''
+          ${activate (filterAttrs (_: s: ! isRootSecret s) cfg.secrets)}
+        '';
+        supportsDryActivation = true;
+      };
     };
   };
 }
-- 
cgit v1.2.3