Merge 2b558e9af1 into 8d37c5bdea

Fix typo

README.md

@@ -445,7 +445,7 @@ Example:
 #### `age.secrets.<name>.symlink`
 
 `age.secrets.<name>.symlink` is a boolean. If true (the default),
-secrets are symlinked to `age.secrets.<name>.path`. If false, secerts
+secrets are symlinked to `age.secrets.<name>.path`. If false, secrets
 are copied to `age.secrets.<name>.path`. Usually, you want to keep
 this as true, because it secure cleanup of secrets no longer
 used. (The symlink will still be there, but it will be broken.) If

modules/age.nix

@@ -14,6 +14,11 @@ with lib; let
 
   users = config.users.users;
 
+  sysusersEnabled =
+    if isDarwin
+    then false
+    else options.systemd ? sysusers && config.systemd.sysusers.enable;
+
   mountCommand =
     if isDarwin
     then ''
@@ -261,44 +266,66 @@ in {
         }
       ];
     }
-
     (optionalAttrs (!isDarwin) {
+      # When using sysusers we no longer be started as an activation script
+      # because those are started in initrd while sysusers is started later.
+      systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
+        wantedBy = ["sysinit.target"];
+        after = ["systemd-sysusers.service"];
+        unitConfig.DefaultDependencies = "no";
+
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = pkgs.writeShellScript "agenix-install" (
+            builtins.concatStringsSep "\n" [
+              newGeneration
+              installSecrets
+              chownSecrets
+            ]
+          );
+          RemainAfterExit = true;
+        };
+      };
+
       # Create a new directory full of secrets for symlinking (this helps
       # ensure removed secrets are actually removed, or at least become
       # invalid symlinks).
-      system.activationScripts.agenixNewGeneration = {
+      system.activationScripts = mkIf (!sysusersEnabled) {
-        text = newGeneration;
+        agenixNewGeneration = {
-        deps = [
+          text = newGeneration;
-          "specialfs"
+          deps = [
-        ];
+            "specialfs"
-      };
+          ];
+        };
 
-      system.activationScripts.agenixInstall = {
+        agenixInstall = {
-        text = installSecrets;
+          text = installSecrets;
-        deps = [
+          deps = [
-          "agenixNewGeneration"
+            "agenixNewGeneration"
-          "specialfs"
+            "specialfs"
-        ];
+          ];
-      };
+        };
 
-      # So user passwords can be encrypted.
+        # So user passwords can be encrypted.
-      system.activationScripts.users.deps = ["agenixInstall"];
+        users.deps = ["agenixInstall"];
 
-      # Change ownership and group after users and groups are made.
+        # Change ownership and group after users and groups are made.
-      system.activationScripts.agenixChown = {
+        agenixChown = {
-        text = chownSecrets;
+          text = chownSecrets;
-        deps = [
+          deps = [
-          "users"
+            "users"
-          "groups"
+            "groups"
-        ];
+          ];
-      };
+        };
 
-      # So other activation scripts can depend on agenix being done.
+        # So other activation scripts can depend on agenix being done.
-      system.activationScripts.agenix = {
+        agenix = {
-        text = "";
+          text = "";
-        deps = ["agenixChown"];
+          deps = ["agenixChown"];
+        };
       };
     })
+
     (optionalAttrs isDarwin {
       launchd.daemons.activate-agenix = {
         script = ''