fix: reprovision secrets via activation script

mrjones2014 · Aug 15, 2024 · 43a9582 · 43a9582
1 parent ec2f625
commit 43a9582
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/modules/op-secrets.nix b/modules/op-secrets.nix
@@ -79,12 +79,19 @@ in {
         serviceConfig = {
           Type = "oneshot";
           EnvironmentFile = cfg.environmentFile;
-          RemainAfterExit = true;
-          ExecReload = opnixScript;
         };
 
         script = opnixScript;
       };
+      # if no generation already exists, rely on the systemd startup job;
+      # otherwise, if there already is an existing generation, reprovision
+      # secrets because we did a nixos-rebuild
+      system.activationScripts.opnix-on-rebuild.text = ''
+        ${scripts.setOpnixGeneration}
+        if (( _opnix_generation > 1 )) && {
+        ${opnixScript}
+        }
+      '';
     }
     {
       systemd.services = builtins.listToAttrs (builtins.map (systemdName: {

diff --git a/modules/scripts.nix b/modules/scripts.nix
@@ -27,9 +27,12 @@ let
     grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts ||
       mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
   '';
-  newGeneration = ''
+  setOpnixGeneration = ''
     _opnix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
     (( ++_opnix_generation ))
+  '';
+  newGeneration = ''
+    ${setOpnixGeneration}
     echo "[opnix] creating new generation in ${cfg.secretsMountPoint}/$_opnix_generation"
     mkdir -p "${cfg.secretsMountPoint}"
     chmod 0751 "${cfg.secretsMountPoint}"
@@ -115,6 +118,7 @@ let
   ] ++ (map installSecret (builtins.attrValues cfg.secrets))
     ++ [ cleanupAndLink ]);
 in {
+  inherit setOpnixGeneration;
   inherit createOpConfigDir;
   inherit installSecrets;
   inherit chownSecrets;