From 27d8bf123c173f92d0fb7e713ad0addbea9a12b1 Mon Sep 17 00:00:00 2001
From: Yaroslav Bolyukin
Date: Tue, 02 Jul 2024 18:29:08 +0000
Subject: [PATCH] feat: make secret system compatible with impermanence
---
--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -119,9 +119,21 @@
 };
 config = {
 environment.systemPackages = [pkgs.fleet-install-secrets];
- system.activationScripts.decryptSecrets = stringAfter ["users" "groups" "specialfs"] ''
- 1>&2 echo "setting up secrets"
- ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets install ${secretsFile}
- '';
+ system.activationScripts.decryptSecrets =
+ stringAfter (
+ [
+ # secrets are owned by user/group, thus we need to refer to those
+ "users"
+ "groups"
+ "specialfs"
+ ]
+ # nixos-impermanence compatibility: secrets are encrypted by host-key,
+ # but with impermanence we expect that the host-key is installed by
+ # persist-file activation script.
++ (lib.optional (config.system.activationScripts ? "persist-file") "persist-file") ) '' 1>&2 echo "setting up secrets" ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets install ${secretsFile} '';
 };
 }
--
gitstuff
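Review bot: The `lib.optional (config.system.activationScripts ? "persist-file") "persist-file")` guard degrades silently — if the impermanence module in use exports its file-restoring script under a different name (current upstream appears to call it `persist-files`, plural), nothing is added to `deps`, `decryptSecrets` can run before the host key has been restored, and the symptom is a confusing decrypt failure on first boot rather than an ordering error. Consider failing loudly instead, e.g. hoisting the name into a documented option and adding `assertions = [{ assertion = !impermanenceEnabled || config.system.activationScripts ? persistScript; message = "fleet secrets: impermanence is enabled but activation script ${persistScript} was not found"; }];` where `impermanenceEnabled` tests whatever option this flake uses to turn impermanence on, or at minimum extending the comment: `# NOTE: lib.optional adds nothing if the name does not match; keep in sync with impermanence's activation script name`. Also, as rendered here the concatenation line reads `++ (lib.optional …` with only two `+` characters, so either the diff marker or half of the `++` list operator was lost — `[ … ] + (…)` does not evaluate in Nix, so confirm the committed line really is `++`. The enclosing `config = { … }` attribute set closes inside the hunk, but the module it belongs to starts outside it.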