From 0879125e5d0c796a5710e29674c3aa6d3e7132b0 Mon Sep 17 00:00:00 2001 From: pennae Date: Sat, 11 Sep 2021 19:53:19 +0200 Subject: add dry activation support we temporarily have to disable the specialfs depencendy to make dry activation work, but since we don't actually need it so far that's no problem. if we do need it at some point before the dry activation bugs are fixed we'd have to disable dry activation for the users script instead.
---
 modules/default.nix | 52 +++++++++++++++++++++++++++++++++------------------- 1 file changed, 33 insertions(+), 19 deletions(-)
diff --git a/modules/default.nix b/modules/default.nix
index 8c48542..d2f62f8 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -53,16 +53,21 @@ let
 maybe0 = s: if s == "root" then "0" else escapeShellArg s;
 secret = pathOf name;
 in ''
- (
- set -eu
- trap "rm -f ${escapeShellArg path}; echo decrypting secret ${escapeShellArg name} failed" ERR
- umask 022
- mkdir -p ${escapeShellArg (dirOf path)}
- umask 377
- ${pkgs.age}/bin/age -d ${hostKeyArgs} -o ${escapeShellArg path} ${secret}
- chown ${maybe0 owner}:${maybe0 group} ${path}
- chmod ${escapeShellArg mode} ${escapeShellArg path}
- )
+ if [ "$NIXOS_ACTION" = dry-activate ]; then
+ echo would decrypt secret ${escapeShellArg name}
+ else
+ echo decrypting secret ${escapeShellArg name}
+ (
+ set -eu
+ trap "rm -f ${escapeShellArg path}; echo decrypting secret ${escapeShellArg name} failed" ERR
+ umask 022
+ mkdir -p ${escapeShellArg (dirOf path)}
+ umask 377
+ ${pkgs.age}/bin/age -d ${hostKeyArgs} -o ${escapeShellArg path} ${secret}
+ chown ${maybe0 owner}:${maybe0 group} ${path}
+ chmod ${escapeShellArg mode} ${escapeShellArg path}
+ )
+ fi
 '';
 activate = secrets: concatStringsSep "\n" (mapAttrsToList decrypt secrets);
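Review bot: The `chown` line in the new `else` branch still passes `${path}` unquoted while every neighbouring command uses `${escapeShellArg path}`, so a path containing whitespace or shell metacharacters (nothing visible here validates it) would be word-split or interpreted at that point; it should read `chown ${maybe0 owner}:${maybe0 group} ${escapeShellArg path}`. A subtler instance of the same problem is the `trap` string: `${escapeShellArg path}` and `${escapeShellArg name}` are interpolated inside a double-quoted bash string, so a `$` or backtick in a secret name or path would be expanded when the trap is installed rather than kept literal — if such names are possible this deserves a comment or a guard. The enclosing `decrypt` definition starts before this hunk.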
@@ -196,18 +201,27 @@ in
 system.activationScripts = {
 # activate root secrets very early so we have access to them in the activation scripts
- seacrit-root = stringAfter [ "specialfs" ] ''
- rm -rf /run/seacrit
- mkdir -m 0755 /run/seacrit
- ${activate (filterAttrs (_: s: isRootSecret s) cfg.secrets)}
- '';
+ seacrit-root = {
+ # deps = [ "specialfs" ];
+ text = ''
+ if [ "$NIXOS_ACTION" != dry-activate ]; then
+ rm -rf /run/seacrit
+ mkdir -m 0755 /run/seacrit
+ fi
+ ${activate (filterAttrs (_: s: isRootSecret s) cfg.secrets)}
+ '';
+ supportsDryActivation = true;
+ };
 users.deps = [ "seacrit-root" ];
- groups.deps = [ "seacrit-root" ];
- seacrit = stringAfter [ "users" "groups" ] ''
- ${activate (filterAttrs (_: s: ! isRootSecret s) cfg.secrets)}
- '';
+ seacrit = {
+ deps = [ "users" ];
+ text = ''
+ ${activate (filterAttrs (_: s: ! isRootSecret s) cfg.secrets)}
+ '';
+ supportsDryActivation = true;
+ };
 };
 };
 }
-- cgit v1.2.3
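Review bot: The commented-out `# deps = [ "specialfs" ];` on `seacrit-root` gives no reason in the code, so the next reader has to dig up this commit to learn it is a temporary workaround for dry activation; record it inline, e.g. `# deps = [ "specialfs" ]; disabled until specialfs supports dry activation, re-enable once it does`. That ordering is also what placed this script after the special filesystems are set up, and `rm -rf /run/seacrit` / `mkdir -m 0755 /run/seacrit` now run with nothing visible ordering them after `/run` is mounted — if `/run` were not yet a tmpfs at that point the decrypted secrets would land on persistent storage, so the "not needed so far" assumption from the commit message belongs in that same comment. Separately, `groups.deps` is dropped and `seacrit` now orders only after `users`; if group creation is not part of the `users` activation script in the NixOS version this targets, the `chown` to a non-root group in `decrypt` could run before the group exists, which is worth confirming against that script.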