From 2dd505705c0370db4047ace068423499e4a063c6 Mon Sep 17 00:00:00 2001
From: Krzysztof Nazarewski <gpg@kdn.im>
Date: Mon, 29 Dec 2025 18:58:57 +0100
Subject: [PATCH] sops-install-secrets: create /run/secrets link before
 chowning it

fixes https://github.com/Mic92/sops-nix/issues/881
---
 pkgs/sops-install-secrets/main.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go
index cd2757e..05e6cfc 100644
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@@ -1410,12 +1410,12 @@ func installSecrets(args []string) error {
 	if isDry {
 		return nil
 	}
-	if err := symlinkSecretsAndTemplates(manifest.SymlinkPath, manifest.Secrets, manifest.Templates, manifest.UserMode); err != nil {
-		return fmt.Errorf("failed to prepare symlinks to secret store: %w", err)
-	}
 	if err := atomicSymlink(*secretDir, manifest.SymlinkPath); err != nil {
 		return fmt.Errorf("cannot update secrets symlink: %w", err)
 	}
+	if err := symlinkSecretsAndTemplates(manifest.SymlinkPath, manifest.Secrets, manifest.Templates, manifest.UserMode); err != nil {
+		return fmt.Errorf("failed to prepare symlinks to secret store: %w", err)
+	}
 	if err := pruneGenerations(manifest.SecretsMountPoint, *secretDir, manifest.KeepGenerations); err != nil {
 		return fmt.Errorf("cannot prune old secrets generations: %w", err)
 	}