oignon: nftables: open 8776 for radicle-node
[julm/julm-nix.git] / nixos / modules / security / systemd-creds.nix
index 04a0c2f88bbb9391e457fdf5d475d06d5fdf4bac..d1d0d50163f5c9ec84efccb27ad07cc28f7056a6 100644 (file)
@@ -105,10 +105,10 @@ let cfg = config.security.systemd-creds; in
 
         ::: {.warning}
         To be able to access the relative path of the `.cred` file,
-        `inputs.self` has to be used in `LoadCredentialEncrypted`.
+        `inputs.self` has to be used in `LoadCredentialEncrypted=`.
         Note that `inputs` is a `config._module.args` or `specialArgs`
         usually set in your `flake.nix`.
-        Using `''${wireguard/wg-intra/privatekey}`
+        In other words, using `''${wireguard/wg-intra/privatekey}` here,
         would not work, because it drops the `wireguard/wg-intra/` part.
         :::
       '';
@@ -133,7 +133,8 @@ let cfg = config.security.systemd-creds; in
               credPath=${escapeShellArg credPath}
               credBase=''${credPath#${builtins.storeDir}/*/}
               if test "''${SYSTEMD_CREDS_FORCE_REENCRYPT:+set}" \
-                      -o ! -s "$credBase"; then
+                      -o ! -s "$credBase" \
+                      -o -e "''${credBase%.cred}.gpg" -a "$credBase" -ot "''${credBase%.cred}.gpg"; then
                 { ${cfg.decrypt}; } |
                 { ${cfg.shell} -- ${cfg.encrypt} - -; } |
                 { ${cfg.install}; }
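Review bot: The extended condition on the added lines joins three alternatives with `-o`/`-a` inside a single `test` call, a form POSIX marks obsolescent and leaves unspecified beyond four arguments. Whether the `.gpg` clause groups as intended therefore depends on the shell's `test` implementation and on `$credBase` never parsing as an operator. Separate calls make the grouping explicit: `if test "''${SYSTEMD_CREDS_FORCE_REENCRYPT:+set}" || ! test -s "$credBase" || { test -e "''${credBase%.cred}.gpg" && test "$credBase" -ot "''${credBase%.cred}.gpg"; }; then`. The staleness check also relies on mtimes, which may not reflect a rotated `.gpg` after a timestamp-preserving copy or restore. In that case the old `.cred` would presumably stay in use until `SYSTEMD_CREDS_FORCE_REENCRYPT` is set, which is worth a comment next to the condition. The enclosing script starts and ends outside the hunk.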