fix(systemd): require mounts for encryption keys.

This helps address issues in nix-community/impermanence#294 and in general also works for https://github.com/nix-community/preservation type of workflows which also rely on systemd mounts.

Author: nicdumz

modules/sops/default.nix

@@ -484,6 +484,12 @@ in
               ExecStart = [ "${cfg.package}/bin/sops-install-secrets ${manifest}" ];
               RemainAfterExit = true;
             };
+            unitConfig.RequiresMountsFor = lib.concatLists [
+              (lib.lists.optional (cfg.gnupg.home != null) cfg.gnupg.home)
+              cfg.gnupg.sshKeyPaths
+              (lib.lists.optional (cfg.age.keyFile != null) cfg.age.keyFile)
+              cfg.age.sshKeyPaths
+            ];
           };
 
       system.activationScripts = {

modules/sops/secrets-for-users/default.nix

@@ -44,6 +44,12 @@ in
           ExecStart = [ "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}" ];
           RemainAfterExit = true;
         };
+        unitConfig.RequiresMountsFor = lib.concatLists [
+          (lib.lists.optional (cfg.gnupg.home != null) cfg.gnupg.home)
+          cfg.gnupg.sshKeyPaths
+          (lib.lists.optional (cfg.age.keyFile != null) cfg.age.keyFile)
+          cfg.age.sshKeyPaths
+        ];
       };
 
   system.activationScripts = lib.mkIf (secretsForUsers != { } && !useSystemdActivation) {