Add tmpfiles placeholders for secrets and ensure parent dirs

2026-01-09 18:32:37 -06:00 · 2026-01-09 18:32:37 -06:00 · 792a63bebf
commit 792a63bebf
parent adca8e52f4
1 changed files with 25 additions and 5 deletions
--- a/flakes/secrets-bao/nixos-module.nix
+++ b/flakes/secrets-bao/nixos-module.nix
@ -488,11 +488,31 @@ in
          sec
        ];

-         systemd.tmpfiles.rules = [
+         systemd.tmpfiles.rules =
+           [
             "d /run/openbao 0700 root root - -"
             "f /run/openbao/zitadel.jwt 0400 root root - -"
             "d /run/secrets 0711 root root - -"
-         ];
+           ]
+           # Create empty placeholder files for all secret destinations so
+           # services that reference env files don't fail when offline.
+           ++ (lib.unique (
+             lib.concatLists (
+               lib.mapAttrsToList (
+                 _: secret:
+                 let
+                   dir = builtins.dirOf secret.path;
+                 in
+                 # Ensure the parent dir exists if a custom path is used.
+                 [ "d ${dir} 0755 root root - -" ]
+               ) cfg.secrets
+             )
+           ))
+           ++ (lib.mapAttrsToList (
+             _: secret:
+             "f ${secret.path} ${secret.mode} ${secret.owner} ${secret.group} - -"
+           ) cfg.secrets);
+

         systemd.paths =
           (lib.mapAttrs' (