From 1177a6f475d9ac4b5e8c8bcc3f642ed997026543 Mon Sep 17 00:00:00 2001
From: Nicolas Dumazet
Date: Sat, 21 Mar 2026 10:49:43 +0100
Subject: [PATCH] fix(systemd): require mounts for encryption keys.

This helps address issues in https://github.com/nix-community/impermanence/issues/294 and in general also works for https://github.com/nix-community/preservation type of workflows which also rely on systemd mounts.
---
 modules/sops/default.nix | 6 ++++++
 modules/sops/secrets-for-users/default.nix | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index d7cda1f..23f1e03 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -484,6 +484,12 @@ in
 ExecStart = [ "${cfg.package}/bin/sops-install-secrets ${manifest}" ];
 RemainAfterExit = true;
 };
+ unitConfig.RequiresMountsFor = lib.concatLists [
+ (lib.lists.optional (cfg.gnupg.home != null) cfg.gnupg.home)
+ cfg.gnupg.sshKeyPaths
+ (lib.lists.optional (cfg.age.keyFile != null) cfg.age.keyFile)
+ cfg.age.sshKeyPaths
+ ];
 };

 system.activationScripts = {
diff --git a/modules/sops/secrets-for-users/default.nix b/modules/sops/secrets-for-users/default.nix
index 841eb13..bec3a28 100644
--- a/modules/sops/secrets-for-users/default.nix
+++ b/modules/sops/secrets-for-users/default.nix
@@ -44,6 +44,12 @@ in
 ExecStart = [ "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}" ];
 RemainAfterExit = true;
 };
+ unitConfig.RequiresMountsFor = lib.concatLists [
+ (lib.lists.optional (cfg.gnupg.home != null) cfg.gnupg.home)
+ cfg.gnupg.sshKeyPaths
+ (lib.lists.optional (cfg.age.keyFile != null) cfg.age.keyFile)
+ cfg.age.sshKeyPaths
+ ];
 };

 system.activationScripts = lib.mkIf (secretsForUsers != { } && !useSystemdActivation) {
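Review bot: `unitConfig.RequiresMountsFor` in the first hunk, and the identical list in the `secrets-for-users` hunk, turns every configured key location into a hard `Requires=`/`After=` dependency. A single mount that fails or is ordered late therefore stops the whole unit, even when another listed key could have decrypted the secrets. That fails closed, which is a sound default for secret material, but it should be stated above the attribute, for example `# Hard dependency: the unit will not start until the mounts backing every key path are up.` If the `secrets-for-users` unit is ordered before user creation, as its name suggests (the ordering is not visible in this hunk), a key on a late or network mount could presumably create an ordering cycle, so it is worth running `systemd-analyze verify` against such a configuration. The two lists are identical, so binding them once and reusing the value would keep the units from drifting apart; both service definitions begin outside the hunks.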