From 48afd3264ec52bee85231a7122612e2c5202fa74 Mon Sep 17 00:00:00 2001
From: Sirio Balmelli
Date: Tue, 13 Feb 2024 17:06:49 +0100
Subject: [PATCH] home-manager/darwin: run sops-nix-user _once_ on login or activation

Correct a bug where 'KeepAlive' in the launchd service 'org.nix-community.home.sops-nix.plist' re-runs 'sops-nix-user' every few seconds. This should run:
- once at boot
- once at home-manager profile activation

Signed-off-by: Sirio Balmelli
---
 modules/home-manager/sops.nix | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
index a063bc6..f4f4b4a 100644
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@@ -244,18 +244,27 @@ in {
 Install.WantedBy = if cfg.gnupg.home != null then [ "graphical-session-pre.target" ] else [ "default.target" ];
 };
 
+ # Darwin: load secrets once on login
 launchd.agents.sops-nix = {
 enable = true;
 config = {
- ProgramArguments = [ script ];
- KeepAlive = {
- Crashed = false;
- SuccessfulExit = false;
- };
- ProcessType = "Background";
+ Program = script;
+ KeepAlive = false;
+ RunAtLoad = true;
 StandardOutPath = "${config.home.homeDirectory}/Library/Logs/SopsNix/stdout";
 StandardErrorPath = "${config.home.homeDirectory}/Library/Logs/SopsNix/stderr";
 };
 };
+
+ # darwin: [re]load secrets on home-manager activation
+ home.activation = lib.mkIf pkgs.stdenv.hostPlatform.isDarwin {
+ sops-nix = let
+ domain-target = "gui/$(id -u ${config.home.username})";
+ in ''
+ /bin/launchctl bootout ${domain-target}/org.nix-community.home.sops-nix && true
+ /bin/launchctl bootstrap ${domain-target} ${config.home.homeDirectory}/Library/LaunchAgents/org.nix-community.home.sops-nix.plist
+ '';
+ };
+
 };
 }
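Review bot: The new `home.activation.sops-nix` entry is a bare string with no DAG position and runs `launchctl` unconditionally, so it is not ordered after home-manager's own step that places the plist under `~/Library/LaunchAgents` and it also executes during `--dry-run`; on a fresh activation the `bootstrap` line can therefore run before the plist exists or load a stale one. If this home-manager version provides the `setupLaunchAgents` activation step, anchoring the entry with `sops-nix = lib.hm.dag.entryAfter [ "setupLaunchAgents" ] ''` and prefixing both commands with `$DRY_RUN_CMD` addresses both. The `&& true` on the `bootout` line only suppresses a failure by accident of how `set -e` treats `&&` lists; `$DRY_RUN_CMD /bin/launchctl bootout ${domain-target}/org.nix-community.home.sops-nix || true` states the intent (tolerate an agent that is not yet loaded) directly. A one-line comment above the `bootout` explaining that the first activation is expected to fail there would help the next reader.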