fix activationScript ordering to remove sops double-decrypt hack
parent
e3221bf8b9
commit
f68bc342e8
@ -82,19 +82,8 @@ in
];
};
systemd.services.sane-sops = {
# TODO: it would be better if we could inject the right dependency into setupSecrets instead of patching like this.
# /run/current-system/activate contains the precise ordering logic.
# it's largely unaware of systemd.
# maybe we could insert some activation script which simply waits for /etc/ssh to appear?
description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
script = ''
${config.system.activationScripts.setupSecrets.text}
${config.system.activationScripts.linkIwdKeys.text}
'';
after = [ "fs-local.target" ];
wantedBy = [ "multi-user.target" ];
};
# secret decoding depends on /etc/ssh keys, which are persisted
system.activationScripts.setupSecrets.deps = [ "persist-files" ];
};
}
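Review bot: The comment above the added `system.activationScripts.setupSecrets.deps = [ "persist-files" ];` says why the ordering is needed but not where `persist-files` is declared, so nothing in this hunk ties the secrets module to the persistence module it now depends on. I'd extend it to `# secret decoding needs the /etc/ssh host keys, which the "persist-files" activation script (defined in <persistence module path>) restores; keep these two names in sync`, since a rename on either side presumably surfaces only as an evaluation error with no hint of the intent. Removing the sane-sops unit also changes the failure mode: if the persisted keys are absent at activation time, sops now fails once during activation instead of being re-run after fs-local.target, which is the right fail-closed behaviour for a secrets path but is worth stating in the same comment so the unit is not reintroduced. Because `deps` is a list-typed option, this assignment should merge with whatever deps sops-nix already declares rather than replace them — worth confirming once with `nixos-rebuild dry-activate`.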
@ -22,6 +22,7 @@
networking.wireless.iwd.enable = true;
networking.networkmanager.wifi.backend = "iwd";
# TODO: don't need to depend on binsh if we were to use a nix-style shebang
system.activationScripts.linkIwdKeys = let
unwrapped = ../../scripts/install-iwd;
install-iwd = pkgs.writeShellApplication {
@ -30,7 +31,7 @@
text = ''${unwrapped} "$@"'';
};
in (lib.stringAfter
[ "setupSecrets" ]
[ "setupSecrets" "binsh" ]
''
mkdir -p /var/lib/iwd
${install-iwd}/bin/install-iwd /run/secrets/iwd /var/lib/iwd
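Review bot: `mkdir -p /var/lib/iwd` on the line before the copy creates the directory that receives the decrypted wireless credentials from /run/secrets/iwd with the activation shell's default umask, and nothing in this hunk tightens it afterwards; whether install-iwd does so itself is outside the hunk. Since the directory exists only to hold those secrets, I'd create it with an explicit mode, `install -d -m 0700 /var/lib/iwd`, which also corrects the permissions when the directory already exists from an earlier activation (iwd appears to run as root, so 0700 should be compatible — confirm against the iwd module). The new `"binsh"` entry in `[ "setupSecrets" "binsh" ]` is ordering for the shebang only, as the TODO added in the earlier hunk says; it is worth noting in that TODO that the dependency can be dropped once the unwrapped script uses a store-path shebang. The stringAfter expression continues past the end of the hunk.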