sops-install-secrets: create /run/secrets link before chowning it

fixes https://github.com/Mic92/sops-nix/issues/881
2026-01-13 10:07:55 +08:00 · 2025-12-29 18:58:57 +01:00 · 2025-12-29 18:58:57 +01:00 · 2dd505705c
commit 2dd505705c
parent ea3adcb6d2
1 changed files with 3 additions and 3 deletions
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@ -1410,12 +1410,12 @@ func installSecrets(args []string) error {
 	if isDry {
 		return nil
 	}
-	if err := symlinkSecretsAndTemplates(manifest.SymlinkPath, manifest.Secrets, manifest.Templates, manifest.UserMode); err != nil {
-		return fmt.Errorf("failed to prepare symlinks to secret store: %w", err)
-	}
 	if err := atomicSymlink(*secretDir, manifest.SymlinkPath); err != nil {
 		return fmt.Errorf("cannot update secrets symlink: %w", err)
 	}
+	if err := symlinkSecretsAndTemplates(manifest.SymlinkPath, manifest.Secrets, manifest.Templates, manifest.UserMode); err != nil {
+		return fmt.Errorf("failed to prepare symlinks to secret store: %w", err)
+	}
 	if err := pruneGenerations(manifest.SecretsMountPoint, *secretDir, manifest.KeepGenerations); err != nil {
 		return fmt.Errorf("cannot prune old secrets generations: %w", err)
 	}