feat make secret system compatible with impermanence
in: trunk
1 file changed
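--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -119,9 +119,21 @@
 };
 config = {
 environment.systemPackages = [pkgs.fleet-install-secrets];
-system.activationScripts.decryptSecrets = stringAfter ["users" "groups" "specialfs"] ''
+system.activationScripts.decryptSecrets =
+stringAfter (
+[
+# secrets are owned by user/group, thus we need to refer to those
+"users"
+"groups"
+"specialfs"
+]
+# nixos-impermanence compatibility: secrets are encrypted by host-key,
+# but with impermanence we expect that the host-key is installed by
+# persist-file activation script.
+++ (lib.optional (config.system.activationScripts ? "persist-file") "persist-file")
+) ''
 1>&2 echo "setting up secrets"
 ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets install ${secretsFile}
 '';
 };
 }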
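Review bot: The ordering on the host key is only as strong as the literal name `persist-file` in the `lib.optional` guard. If the impermanence module registers its activation script under any other name, the `?` test is false, the dependency is dropped without a warning, and `decryptSecrets` can again run before the host key is in place. As far as I recall, the nix-community impermanence module names its script `persist-files`, so it is worth confirming which module this guard targets. I would bind the name once, e.g. `persistScript = "persist-file";`, and add a comment naming the module that defines it. Whether `fleet-install-secrets install` fails loudly when the key is absent is not visible here, since the module's options and the rest of the file lie outside this section.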