[module] change order of operations #118
Conversation
|
Ow wow, that sounds like a circular dependency. |
|
It seems like if we want to make this somewhat atomic, we need to make the root and nonRoot generations more separate. |
|
Alternatively, we could give up on making the owner and group of a file atomic, and actually combine the root and non root secrets and just have a chowning activation script happen after "users" and "groups"! |
I think maybe that is the least of all evil. Splitting root and nonroot secrets into completely different activations is a bit beyond my comfort level. edit: I will leave this PR here for reference, however I am unsure about how to do what you suggest. |
|
I think maybe I have it done how you suggest. I would very much appreciate a review by someone more versed in the activiation scripts :) |
Change the order of operations to: 1. create new generation 2. decrypt secrets into new generation 3. symlink and remove old generation/secrets Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
|
Yeah, I think this is very close. I think I want to followup by simplifying some other things, but this is looking pretty good. |
|
Closing this in favor of #119 |
Fixes #117
Change the order of operations to:
This results in the following log:
[agenix] creating new generation in /run/agenix.d/9
[agenix] decrypting root secrets...
decrypting '/nix/store/xxx.age' to '/run/agenix.d/9/xxx'...
decrypting '/nix/store/yyy.age' to '/run/agenix.d/9/yyy'...
[agenix] decrypting non-root secrets...
decrypting '/nix/store/zzz.age' to '/run/agenix.d/9/zzz'...
[agenix] symlinking new secrets to /run/agenix (generation 9)...
[agenix] removing old secrets (generation 8)...
Signed-off-by: Jeroen Simonetti jeroen@simonetti.nl