Open bjornfor opened 2 years ago

Hi, I recently started using sops-nix and I'm very happy with it.

However, one thing that bothered me today was that I found I had forgotten to add keys for a machine I deployed to, and the only indication it didn't work was this log output in the journal:

I was hoping to find some unit error in `systemd --failed`, but there is none. Is there anything sops-nix can/should do to indicate to systemd that it failed to decrypt the secrets? Or is that impossible since it's implemented as a NixOS activation script? Perhaps this should be seen as a general issue with NixOS activation scripts?

Since it's implemented as an activation script, this seems hard. We could somehow write a state file that makes a service fail.

Any thoughts on what the state file should look like?

Here's an idea (JSON):

```json
{
  "exit_code": 1,   // definitely a field like this must exist
  "stderr": "...",  // could be used to forward the error message to the service?
  "stdout": "..."
}
```

I guess the format doesn't need to be very stable, only the sops-nix service should know about it.

Or is this something that is better implemented in NixOS, for example `nixos-activation-scripts.service`, that indicates success/failure for all activation scripts combined?

> Or is this something that is better implemented in NixOS, for example `nixos-activation-scripts.service`, that indicates success/failure for all activation scripts combined?

Sounds like a good idea.

PR to implement this: https://github.com/NixOS/nixpkgs/pull/208942

> Since it's implemented as an activation script

Wouldn't it be a better idea to implement it via a systemd service? Then secrets could also survive a soft-reboot.