
Commit fbedbb8

committed
fix(systemd): require mounts for encryption keys.
This helps address issues in nix-community/impermanence#294 and in general also works for https://github.com/nix-community/preservation type of workflows which also rely on systemd mounts.
1 parent bc02e2e commit fbedbb8

2 files changed

Lines changed: 12 additions & 0 deletions


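--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -484,6 +484,12 @@ in
 ExecStart = [ "${cfg.package}/bin/sops-install-secrets ${manifest}" ];
 RemainAfterExit = true;
 };
+unitConfig.RequiresMountsFor = lib.concatLists [
+(lib.lists.optional (cfg.gnupg.home != null) cfg.gnupg.home)
+cfg.gnupg.sshKeyPaths
+(lib.lists.optional (cfg.age.keyFile != null) cfg.age.keyFile)
+cfg.age.sshKeyPaths
+];
 };
 
 system.activationScripts = {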
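Review bot: `RequiresMountsFor=` adds a hard `Requires=`/`After=` on the mount units for every path in this list, so a mount that fails under any one key location (for example an SSH key path that is only a fallback) now stops `sops-install-secrets` from running, even if another configured key would have decrypted the secrets. systemd also pulls in `noauto` mounts for paths named here, which can change what gets mounted at boot. If this fail-closed behaviour is intended, state it in a comment above the attribute, e.g. `# Key material may live on a late-mounted (persistent) filesystem; fail the unit rather than decrypt before it is mounted.` The same list is added in modules/sops/secrets-for-users/default.nix, and the enclosing service definition starts above the hunk.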

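--- a/modules/sops/secrets-for-users/default.nix
+++ b/modules/sops/secrets-for-users/default.nix
@@ -44,6 +44,12 @@ in
 ExecStart = [ "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}" ];
 RemainAfterExit = true;
 };
+unitConfig.RequiresMountsFor = lib.concatLists [
+(lib.lists.optional (cfg.gnupg.home != null) cfg.gnupg.home)
+cfg.gnupg.sshKeyPaths
+(lib.lists.optional (cfg.age.keyFile != null) cfg.age.keyFile)
+cfg.age.sshKeyPaths
+];
 };
 
 system.activationScripts = lib.mkIf (secretsForUsers != { } && !useSystemdActivation) {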
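Review bot: The key-path list here is a verbatim copy of the one added to modules/sops/default.nix, so a key source later added to only one of them would leave the other unit free to start before its key's filesystem is mounted. Defining the list once and referencing it from both units would keep them in step; whether a shared binding already exists cannot be seen from this hunk. The ordering also exists only on the systemd path, because the `system.activationScripts` branch just below is guarded by `!useSystemdActivation` and gets no equivalent. A comment such as `# Only applies with systemd activation; the activation-script path has no mount ordering.` would spare users of that path a silent decryption failure at boot.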
