Merge pull request #858 from lschuermann/dev/systemd-activation-option

modules/sops: allow forcing systemd-based activation (attempt #2)
This commit is contained in:
Jörg Thalheim 2025-11-17 19:43:07 +01:00 committed by GitHub
commit e3aa38151e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -29,10 +29,6 @@ let
# Currently, all templates are "regular" (there's no support for `neededForUsers` for templates.) # Currently, all templates are "regular" (there's no support for `neededForUsers` for templates.)
regularTemplates = cfg.templates; regularTemplates = cfg.templates;
useSystemdActivation =
(options.systemd ? sysusers && config.systemd.sysusers.enable)
|| (options.services ? userborn && config.services.userborn.enable);
withEnvironment = import ./with-environment.nix { withEnvironment = import ./with-environment.nix {
# sops >=3.10.0 now unconditionally searches # sops >=3.10.0 now unconditionally searches
# for an SSH key in $HOME/.ssh/, introduced in #1692 [0]. Since in the # for an SSH key in $HOME/.ssh/, introduced in #1692 [0]. Since in the
@ -319,6 +315,23 @@ in
''; '';
}; };
useSystemdActivation = lib.mkOption {
type = lib.types.bool;
default =
(options.systemd ? sysusers && config.systemd.sysusers.enable)
|| (options.services ? userborn && config.services.userborn.enable);
defaultText = lib.literalExpression (
"(options.systemd ? sysusers && config.systemd.sysusers.enable) "
+ "|| (options.services ? userborn && config.services.userborn.enable)"
);
description = ''
Use a systemd unit to install secrets, instead of deploying them using an activation script.
This option is automatically enabled when systemd-sysusers or userborn are used to manage users and groups.
It can also be useful to specify additional dependencies to be satisfied before secrets are installed, such as required mountpoints for SOPS key files.
'';
};
age = { age = {
keyFile = lib.mkOption { keyFile = lib.mkOption {
type = lib.types.nullOr pathNotInStore; type = lib.types.nullOr pathNotInStore;
@ -433,7 +446,7 @@ in
); );
# When using sysusers we no longer are started as an activation script because those are started in initrd while sysusers is started later. # When using sysusers we no longer are started as an activation script because those are started in initrd while sysusers is started later.
systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && useSystemdActivation) { systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && cfg.useSystemdActivation) {
wantedBy = [ "sysinit.target" ]; wantedBy = [ "sysinit.target" ];
after = [ "systemd-sysusers.service" ]; after = [ "systemd-sysusers.service" ];
environment = cfg.environment; environment = cfg.environment;
@ -447,7 +460,7 @@ in
}; };
system.activationScripts = { system.activationScripts = {
setupSecrets = lib.mkIf (regularSecrets != { } && !useSystemdActivation) ( setupSecrets = lib.mkIf (regularSecrets != { } && !cfg.useSystemdActivation) (
lib.stringAfter lib.stringAfter
( (
[ [