fix(systemd): require mounts for encryption keys.

This helps address issues in https://github.com/nix-community/impermanence/issues/294 and in general also works for https://github.com/nix-community/preservation type of workflows which also rely on systemd mounts.
2026-05-10 17:45:56 +08:00 · 2026-03-21 10:49:43 +01:00 · 2026-03-21 10:49:43 +01:00 · fbedbb8cb1
commit fbedbb8cb1
parent bc02e2e5f6
2 changed files with 12 additions and 0 deletions
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -484,6 +484,12 @@ in
              ExecStart = [ "${cfg.package}/bin/sops-install-secrets ${manifest}" ];
              RemainAfterExit = true;
            };
+            unitConfig.RequiresMountsFor = lib.concatLists [
+              (lib.lists.optional (cfg.gnupg.home != null) cfg.gnupg.home)
+              cfg.gnupg.sshKeyPaths
+              (lib.lists.optional (cfg.age.keyFile != null) cfg.age.keyFile)
+              cfg.age.sshKeyPaths
+            ];
          };

      system.activationScripts = {
--- a/modules/sops/secrets-for-users/default.nix
+++ b/modules/sops/secrets-for-users/default.nix
@ -44,6 +44,12 @@ in
          ExecStart = [ "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}" ];
          RemainAfterExit = true;
        };
+        unitConfig.RequiresMountsFor = lib.concatLists [
+          (lib.lists.optional (cfg.gnupg.home != null) cfg.gnupg.home)
+          cfg.gnupg.sshKeyPaths
+          (lib.lists.optional (cfg.age.keyFile != null) cfg.age.keyFile)
+          cfg.age.sshKeyPaths
+        ];
      };

  system.activationScripts = lib.mkIf (secretsForUsers != { } && !useSystemdActivation) {