pkg/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2025-12-26 14:14:58 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Revert "modules/sops: allow forcing systemd-based activation"

Browse source 
This reverts commit b80c966e70.

See https://github.com/Mic92/sops-nix/issues/856
This commit is contained in:
Jörg Thalheim 2025-11-13 22:29:16 +01:00
parent b80c966e70
commit a8e1e668f7
1 changed files with 6 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

21
modules/sops/default.nix
View file

@ -29,6 +29,10 @@ let
# Currently, all templates are "regular" (there's no support for `neededForUsers` for templates.)
regularTemplates = cfg.templates;
useSystemdActivation =
(options.systemd ? sysusers && config.systemd.sysusers.enable)
|| (options.services ? userborn && config.services.userborn.enable);
withEnvironment = import ./with-environment.nix {
# sops >=3.10.0 now unconditionally searches
# for an SSH key in $HOME/.ssh/, introduced in #1692 [0]. Since in the
@ -315,19 +319,6 @@ in
'';
};
useSystemdActivation = lib.mkOption {
type = lib.types.bool;
default =
(options.systemd ? sysusers && config.systemd.sysusers.enable)
|| (options.services ? userborn && config.services.userborn.enable);
description = ''
Use a systemd unit to install secrets, instead of deploying them using an activation script.
This option is automatically enabled when systemd-sysusers or userborn are used to manage users and groups.
It can also be useful to specify additional dependencies to be satisfied before secrets are installed, such as required mountpoints for SOPS key files.
'';
};
age = {
keyFile = lib.mkOption {
type = lib.types.nullOr pathNotInStore;
@ -442,7 +433,7 @@ in
);
# When using sysusers we no longer are started as an activation script because those are started in initrd while sysusers is started later.
systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && cfg.useSystemdActivation) {
systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && useSystemdActivation) {
wantedBy = [ "sysinit.target" ];
after = [ "systemd-sysusers.service" ];
environment = cfg.environment;
@ -456,7 +447,7 @@ in
};
system.activationScripts = {
setupSecrets = lib.mkIf (regularSecrets != { } && !cfg.useSystemdActivation) (
setupSecrets = lib.mkIf (regularSecrets != { } && !useSystemdActivation) (
lib.stringAfter
(
[