pkg/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2025-12-26 14:14:58 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

modules/sops: allow forcing systemd-based activation
Some checks are pending
Test / tests (push) Waiting to run
Details

Browse source 
By allowing users to optionally force using systemd unit-based
activation, they can inject dependencies on other services or
mountpoints (for instance, when the age key is not stored on the root
file system).
This commit is contained in:
Leon Schuermann 2025-11-12 20:15:30 -05:00 committed by Jörg Thalheim
parent d75e4f89e5
commit b80c966e70
1 changed files with 15 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

21
modules/sops/default.nix
View file

@ -29,10 +29,6 @@ let
# Currently, all templates are "regular" (there's no support for `neededForUsers` for templates.)
regularTemplates = cfg.templates;
useSystemdActivation =
(options.systemd ? sysusers && config.systemd.sysusers.enable)
|| (options.services ? userborn && config.services.userborn.enable);
withEnvironment = import ./with-environment.nix {
# sops >=3.10.0 now unconditionally searches
# for an SSH key in $HOME/.ssh/, introduced in #1692 [0]. Since in the
@ -319,6 +315,19 @@ in
'';
};
useSystemdActivation = lib.mkOption {
type = lib.types.bool;
default =
(options.systemd ? sysusers && config.systemd.sysusers.enable)
|| (options.services ? userborn && config.services.userborn.enable);
description = ''
Use a systemd unit to install secrets, instead of deploying them using an activation script.
This option is automatically enabled when systemd-sysusers or userborn are used to manage users and groups.
It can also be useful to specify additional dependencies to be satisfied before secrets are installed, such as required mountpoints for SOPS key files.
'';
};
age = {
keyFile = lib.mkOption {
type = lib.types.nullOr pathNotInStore;
@ -433,7 +442,7 @@ in
);
# When using sysusers we no longer are started as an activation script because those are started in initrd while sysusers is started later.
systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && useSystemdActivation) {
systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && cfg.useSystemdActivation) {
wantedBy = [ "sysinit.target" ];
after = [ "systemd-sysusers.service" ];
environment = cfg.environment;
@ -447,7 +456,7 @@ in
};
system.activationScripts = {
setupSecrets = lib.mkIf (regularSecrets != { } && !useSystemdActivation) (
setupSecrets = lib.mkIf (regularSecrets != { } && !cfg.useSystemdActivation) (
lib.stringAfter
(
[