modules/sops/templates: support systemd activation

2025-03-05 16:17:47 +00:00 · 2024-09-11 16:19:07 +08:00 · 2024-09-11 16:19:07 +08:00 · 127a96f49d
commit 127a96f49d
parent 3176c11112
1 changed files with 39 additions and 21 deletions
--- a/modules/sops/templates/default.nix
+++ b/modules/sops/templates/default.nix
@ -6,6 +6,27 @@ let
  cfg = config.sops;
  secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;
  users = config.users.users;
+  useSystemdActivation = (options.systemd ? sysusers && config.systemd.sysusers.enable) ||
+    (options.services ? userborn && config.services.userborn.enable);
+  renderScript = ''
+    echo Setting up sops templates...
+    ${concatMapStringsSep "\n" (name:
+      let
+        tpl = config.sops.templates.${name};
+        substitute = pkgs.writers.writePython3 "substitute" { }
+          (readFile ./subs.py);
+        subst-pairs = pkgs.writeText "pairs" (concatMapStringsSep "\n"
+          (name:
+            "${toString config.sops.placeholder.${name}} ${
+              config.sops.secrets.${name}.path
+            }") (attrNames config.sops.secrets));
+      in ''
+        mkdir -p "${dirOf tpl.path}"
+        (umask 077; ${substitute} ${tpl.file} ${subst-pairs} > ${tpl.path})
+        chmod "${tpl.mode}" "${tpl.path}"
+        chown "${tpl.owner}:${tpl.group}" "${tpl.path}"
+      '') (attrNames config.sops.templates)}
+  '';
 in {
  options.sops = {
    templates = mkOption {
@ -84,26 +105,23 @@ in {
        (name: _: mkDefault "<SOPS:${hashString "sha256" name}:PLACEHOLDER>")
        config.sops.secrets;

-      system.activationScripts.renderSecrets = mkIf (cfg.templates != { })
-        (stringAfter ([ "setupSecrets" ]
-          ++ optional (secretsForUsers != { }) "setupSecretsForUsers") ''
-            echo Setting up sops templates...
-            ${concatMapStringsSep "\n" (name:
-              let
-                tpl = config.sops.templates.${name};
-                substitute = pkgs.writers.writePython3 "substitute" { }
-                  (readFile ./subs.py);
-                subst-pairs = pkgs.writeText "pairs" (concatMapStringsSep "\n"
-                  (name:
-                    "${toString config.sops.placeholder.${name}} ${
-                      config.sops.secrets.${name}.path
-                    }") (attrNames config.sops.secrets));
-              in ''
-                mkdir -p "${dirOf tpl.path}"
-                (umask 077; ${substitute} ${tpl.file} ${subst-pairs} > ${tpl.path})
-                chmod "${tpl.mode}" "${tpl.path}"
-                chown "${tpl.owner}:${tpl.group}" "${tpl.path}"
-              '') (attrNames config.sops.templates)}
-          '');
+      systemd.services.sops-render-secrets = let
+        installServices = [ "sops-install-secrets.service" ] ++ optional (secretsForUsers != { }) "sops-install-secrets-for-users.service";
+      in lib.mkIf (cfg.templates != { } && useSystemdActivation) {
+        wantedBy = [  "sysinit.target" ];
+        requires = installServices;
+        after = installServices;
+        unitConfig.DefaultDependencies = "no";
+
+        script = renderScript;
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+      };
+
+      system.activationScripts.renderSecrets = mkIf (cfg.templates != { } && !useSystemdActivation)
+        (stringAfter ([ "setupSecrets" ] ++ optional (secretsForUsers != { }) "setupSecretsForUsers")
+          renderScript);
    });
 }