impermanence: ensure /etc/ssh is populated before we decode machine secrets during activation
the impermanence activation scripts don't appear to mount folders -- only files. rather, the impermanence module creates fstab entries for each bind mount folder, and *something* (systemd?) mounts these *after* /run/current-system/activate is run. therefore, if we want access to a bind-mounted directory during activation, we have to manually mount it. i.e. `mount /etc/ssh/host_keys`.
This commit is contained in:
parent
6236c14def
commit
34d77542e7
|
@ -75,24 +75,14 @@ in
|
|||
};
|
||||
|
||||
# secret decoding depends on /etc/ssh keys, which are persisted
|
||||
system.activationScripts.setupSecrets.deps = [ "persist-files" ];
|
||||
# `setupSecretsForUsers` should depend on `persist-files`,
|
||||
# but `persist-files` itself depends on `users`, to this would be circular.
|
||||
# we work around that by manually mounting the ssh host key.
|
||||
# strictly speaking, this makes the `setupSecrets -> persist-files` dep extraneous,
|
||||
# but it's a decent safety net in case something goes wrong.
|
||||
# system.activationScripts.setupSecretsForUsers.deps = [ "persist-files" ];
|
||||
system.activationScripts.setupSecretsForUsers= lib.mkIf secretsForUsers {
|
||||
system.activationScripts.setupSecrets.deps = [ "persist-ssh-host-keys" ];
|
||||
system.activationScripts.setupSecretsForUsers = lib.mkIf secretsForUsers {
|
||||
deps = [ "persist-ssh-host-keys" ];
|
||||
};
|
||||
system.activationScripts.persist-ssh-host-keys = lib.mkIf secretsForUsers (
|
||||
let
|
||||
key_dir = "/etc/ssh/host_keys";
|
||||
in ''
|
||||
mkdir -p ${key_dir}
|
||||
mount -o bind /nix/persist${key_dir} ${key_dir}
|
||||
''
|
||||
);
|
||||
system.activationScripts.persist-ssh-host-keys = {
|
||||
text = "mount /etc/ssh/host_keys";
|
||||
deps = [ "createPersistentStorageDirs" ]; # provided by impermanence; ensures both mount endpoints exist
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
|
|
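Review bot: `text = "mount /etc/ssh/host_keys";` is not idempotent, and activation runs again on every `nixos-rebuild switch`, by which point the fstab entry generated by impermanence is normally mounted already; depending on the util-linux version a second `mount` of an fstab entry either fails with "already mounted" (the activation script records the failed snippet) or stacks a duplicate bind mount on top of the first. Guarding it with `text = "mountpoint -q /etc/ssh/host_keys || mount /etc/ssh/host_keys";` keeps the snippet safe to re-run; `mountpoint` ships with util-linux, which I believe is already on the activation script's PATH, but that is worth confirming. A one-line comment above `text` noting that the bare `mount` deliberately relies on the impermanence-generated fstab entry, so a missing entry fails activation instead of letting `setupSecrets` run against an empty /etc/ssh/host_keys, would make the intent and the failure mode explicit. The enclosing attribute set begins before the hunk.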