From 26edd03a5a457826d406beb1b2f768122061d46a Mon Sep 17 00:00:00 2001
From: Jan Tojnar
Date: Thu, 6 Jan 2022 22:50:56 +0100
Subject: [PATCH 1/2] Ensure /run is created before mounting secrets

Otherwise /run/agenix might disappear if specialfs is toposorted between agenixMountSecrets and agenixRoot.

Fixes: https://github.com/ryantm/agenix/issues/92
---
 modules/age.nix | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)

diff --git a/modules/age.nix b/modules/age.nix
index 7798cca..96b8f5f 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -147,22 +147,27 @@ in
 # Create a new directory full of secrets for symlinking (this helps
 # ensure removed secrets are actually removed, or at least become
 # invalid symlinks).
- system.activationScripts.agenixMountSecrets = ''
- _agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)"
- (( ++_agenix_generation ))
- echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..."
- mkdir -p "${cfg.secretsMountPoint}"
- chmod 0751 "${cfg.secretsMountPoint}"
- grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
- mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
- chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
- ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" /run/agenix
+ system.activationScripts.agenixMountSecrets = {
+ text = ''
+ _agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)"
+ (( ++_agenix_generation ))
+ echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..."
+ mkdir -p "${cfg.secretsMountPoint}"
+ chmod 0751 "${cfg.secretsMountPoint}"
+ grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
+ mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
+ chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
+ ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" /run/agenix
 
- (( _agenix_generation > 1 )) && {
- echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
- rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
- }
- '';
+ (( _agenix_generation > 1 )) && {
+ echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
+ rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
+ }
+ '';
+ deps = [
+ "specialfs"
+ ];
+ };
 
 # Secrets with root owner and group can be installed before users
 # exist.
This allows user password files to be encrypted.

From 35ecba57048d8c4bd4268872c456b1ff8245a138 Mon Sep 17 00:00:00 2001
From: Jan Tojnar
Date: Thu, 6 Jan 2022 22:55:10 +0100
Subject: [PATCH 2/2] Do not try to create /run/agenix in when installing secrets

That is a job for agenixMountSecrets, which should have already created a symlink there so the directory creation attempt would fail anyway.
---
 modules/age.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/age.nix b/modules/age.nix
index 96b8f5f..f20b080 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -24,7 +24,7 @@ let
 echo "decrypting '${secretType.file}' to '$_truePath'..."
 TMP_FILE="$_truePath.tmp"
 mkdir -p "$(dirname "$_truePath")"
- mkdir -p "$(dirname "${secretType.path}")"
+ [ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
 (
 umask u=r,g=,o=
 LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}"
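Review bot: The mount check `grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts` on the new side of agenixMountSecrets is a regular-expression substring match over /proc/mounts, so a mount point containing a space (written as `\040` in /proc/mounts) or regex metacharacters can be missed, and a missed check makes the next command stack a second ramfs over the one already mounted; the previous generation's secrets then remain resident in the hidden lower mount where the `rm -rf` at the end of the script can no longer reach them. Asking the kernel for an exact mount-point match avoids that: `findmnt -n -t ramfs -M "${cfg.secretsMountPoint}" >/dev/null || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751` (findmnt is part of util-linux, which the existing `mount` call already presumes is on the activation PATH). The generation number is also taken straight from `readlink` and handed to `(( ++_agenix_generation ))` without being checked as an integer; `[[ "$_agenix_generation" =~ ^[0-9]+$ ]] || _agenix_generation=0` before the increment keeps a stray or foreign symlink at /run/agenix from producing an arithmetic error or an odd generation directory name. The attribute set this hunk belongs to begins before and continues after the hunk.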
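Review bot: The new guard on the `mkdir -p` line only skips the exact default location, so a secret whose `path` points anywhere else under `/run/agenix/` (a subdirectory, for instance) still runs `mkdir -p` on a parent beneath the symlink; if that ever happens before agenixMountSecrets has created the link, it produces a real `/run/agenix` directory and the later `ln -sfn` would place the symlink inside it rather than replace it. A prefix test covers every secret that lives under the symlink: `[[ "${secretType.path}" == /run/agenix/* ]] || mkdir -p "$(dirname "${secretType.path}")"`, and `[[` is safe here because the module already relies on bash (`(( ))` in agenixMountSecrets). Both `secretType.path` and `secretType.name` are interpolated by Nix directly into a double-quoted shell string, so a value containing `"` or `$` would break the test; wrapping them with something like `lib.escapeShellArg` would make this robust, though these values come from the evaluated configuration rather than from untrusted input. The enclosing definition (the `let` binding named in the hunk header) starts before and ends after this hunk.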