nix: fix security.pass services

diff --git a/nixos/modules/security/pass.nix b/nixos/modules/security/pass.nix
index 2a9fd1d2b62863a4288942fd66f2bd98659ad359..57442d214337cc56ed560a452f8857e43af6d174 100644 (file)
--- a/nixos/modules/security/pass.nix
+++ b/nixos/modules/security/pass.nix
@@ -124,8 +124,6 @@ config = lib.mkIf (pass.secrets != {}) {
     lib.mapAttrs' (target: secret:
       lib.nameValuePair (lib.removeSuffix ".service" secret.service) {
         description = "Install secret ${secret.path}";
-        after = [ "network.target" "network-online.target" ];
-        wantedBy = lib.mkIf (!config.boot.isContainer) [ "multi-user.target" ];
         script = ''
           set -o pipefail
           set -eux
@@ -146,11 +144,12 @@ config = lib.mkIf (pass.secrets != {}) {
         serviceConfig = {
           Type = "oneshot";
           PrivateTmp = true;
+          RemainAfterExit = true;
           WorkingDirectory = dirname secret.gnupgHome;
         } // lib.optionalAttrs (match "^/.*" target == null) {
-          RuntimeDirectory = dirname secret.path;
+          RuntimeDirectory = lib.removePrefix "/run/" (dirname secret.path);
           RuntimeDirectoryMode = "711";
-          RuntimeDirectoryPreserve = false; # FIXME: when does the removal actualy occur with with Type=oneshot?
+          RuntimeDirectoryPreserve = false;
         };
       }
     ) pass.secrets;

diff --git a/servers/losurdo/system.nix b/servers/losurdo/system.nix
index 3e955b1e186e76b3c4aefa2050902c21add9cb22..4f6f40720e201b452765528c4826db57b27184cf 100644 (file)
--- a/servers/losurdo/system.nix
+++ b/servers/losurdo/system.nix
@@ -17,9 +17,11 @@ install = {
   enable = true;
   shellScript = lib.mkBefore ''
     PATH="$PATH:${with pkgs; lib.makeBinPath [gnupg openssh]}"
+    (
     set -x
     gpg --decrypt '${pass.store}/root/key.pass.gpg' |
     ssh '${config.install.target}' install -D -m 400 -o root -g root /dev/stdin /root/key.pass
+    )
   '';
 };
 security.pass = {