do not use activation script for script with dependencies

The issue with activation script is the order is alphabetical, meaning the order the script is assembled is not really set in stone. Here, because the script had a name starting with `restic`, it was ran before the `sops` secret generation script. And since the restic script was trying to use the secrets, it failed.
ibizaman · Nov 15, 2024 · 6a3c43d · 6a3c43d
1 parent 6bdd8fe
commit 6a3c43d
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/modules/blocks/restic.nix b/modules/blocks/restic.nix
@@ -363,10 +363,13 @@ in
             mkMerge (flatten (mapAttrsToList mkSettings (enabledInstances // enabledDatabases)));
       }
       {
-        system.activationScripts = let
+        systemd.services = let
           mkEnv = name: instance:
-            nameValuePair "${fullName name instance.settings.repository}_gen"
-              (shblib.replaceSecrets {
+            nameValuePair "${fullName name instance.settings.repository}_restore_gen" {
+              enable = true;
+              wantedBy = [ "multi-user.target" ];
+              serviceConfig.Type = "oneshot";
+              script = (shblib.replaceSecrets {
                 userConfig = instance.settings.repository.secrets // {
                   RESTIC_PASSWORD_FILE = instance.settings.passphraseFile;
                   RESTIC_REPOSITORY = instance.settings.repository.path;
@@ -375,6 +378,7 @@ in
                 generator = name: v: pkgs.writeText (fullName name instance.settings.repository) (generators.toINIWithGlobalSection {} { globalSection = v; });
                 user = instance.request.user;
               });
+            };
         in
           listToAttrs (flatten (mapAttrsToList mkEnv (cfg.instances // cfg.databases)));
       }