ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add tmpfiles placeholders for secrets and ensure parent dirs

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2026-01-09 18:32:37 -06:00
parent adca8e52f4
commit 792a63bebf
1 changed files with 25 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

24
flakes/secrets-bao/nixos-module.nix
View file

@ -488,11 +488,31 @@ in
sec sec
]; ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules =
[
"d /run/openbao 0700 root root - -" "d /run/openbao 0700 root root - -"
"f /run/openbao/zitadel.jwt 0400 root root - -" "f /run/openbao/zitadel.jwt 0400 root root - -"
"d /run/secrets 0711 root root - -" "d /run/secrets 0711 root root - -"
]; ]
# Create empty placeholder files for all secret destinations so
# services that reference env files don't fail when offline.
++ (lib.unique (
lib.concatLists (
lib.mapAttrsToList (
_: secret:
let
dir = builtins.dirOf secret.path;
in
# Ensure the parent dir exists if a custom path is used.
[ "d ${dir} 0755 root root - -" ]
) cfg.secrets
)
))
++ (lib.mapAttrsToList (
_: secret:
"f ${secret.path} ${secret.mode} ${secret.owner} ${secret.group} - -"
) cfg.secrets);
systemd.paths = systemd.paths =
(lib.mapAttrs' ( (lib.mapAttrs' (