From 84a8698b98931c05211925b9d01037697967f2dc Mon Sep 17 00:00:00 2001
From: Ryota
Date: Sat, 17 Jan 2026 02:15:00 +0000
Subject: [PATCH] feat(nixos): wire hardware key deps to secrets-for-users module

Add support for activationScriptDeps and systemdDeps in the secrets-for-users module, ensuring pcscd dependencies are respected for secrets that need to be available before user creation (neededForUsers = true).
---
 modules/sops/secrets-for-users/default.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/sops/secrets-for-users/default.nix b/modules/sops/secrets-for-users/default.nix
index 841eb13..69bcc10 100644
--- a/modules/sops/secrets-for-users/default.nix
+++ b/modules/sops/secrets-for-users/default.nix
@@ -35,6 +35,8 @@ in
 {
 wantedBy = [ "systemd-sysusers.service" ];
 before = [ "systemd-sysusers.service" ];
+ after = cfg.age.systemdDeps;
+ wants = cfg.age.systemdDeps;
 environment = cfg.environment;
 unitConfig.DefaultDependencies = "no";
 path = cfg.age.plugins;
@@ -48,7 +50,11 @@ in
 system.activationScripts = lib.mkIf (secretsForUsers != { } && !useSystemdActivation) {
 setupSecretsForUsers =
- lib.stringAfter ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
+ lib.stringAfter (
+ [ "specialfs" ]
+ ++ lib.optional cfg.age.generateKey "generate-age-key"
+ ++ cfg.age.activationScriptDeps
+ ) ''
 [ -e /run/current-system ] || echo setting up secrets for users...
 ${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}
 ''
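Review bot: In the first hunk (`@@ -35,6 +35,8 @@`), the new `after = cfg.age.systemdDeps;` is added to a unit that sets `unitConfig.DefaultDependencies = "no"` and is ordered before `systemd-sysusers.service`, so any entry that is an ordinary unit with default dependencies would presumably be ordered after `sysinit.target` and could form an ordering cycle that systemd resolves by dropping a job. The option's definition is outside this hunk, so this cannot be confirmed here; if entries such as a pcscd unit are expected, the constraint should be stated next to these lines, e.g. `# systemdDeps must be early-boot units (DefaultDependencies=no); this unit runs before systemd-sysusers.service`. Also, `wants` lets this unit start even when a dependency failed to start, so decryption is attempted without the hardware-key daemon; `requires = cfg.age.systemdDeps;` would make that failure explicit, if that is the intended behaviour. The attribute set continues outside the hunk.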
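Review bot: In the second hunk (`@@ -48,7 +50,11 @@`), `cfg.age.activationScriptDeps` is appended to the `lib.stringAfter` list, so its entries are names of `system.activationScripts` snippets, not systemd units, while the sibling `cfg.age.systemdDeps` in the service path takes unit names; nothing near this code says so. A short comment above the list would keep the two from being mixed up: `# names of system.activationScripts entries that must run before secrets for users are decrypted`. The `setupSecretsForUsers` definition continues outside the hunk.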