adding a new VM for testing

Re-key all the secrets.
author: Franck Cuny <franck@fcuny.net> 2026-01-24 10:55:16 -0800
committer: Franck Cuny <franck@fcuny.net> 2026-01-24 10:55:16 -0800
commit: 737b74c58de0712973f81c91aa07748c02deef70 (patch)
tree: 671639fb8ae43ff9482d36331cf6f706bfb01d1a /profiles/defaults.nix
parent: update documentation for creating an ISO (diff)
download: infra-737b74c58de0712973f81c91aa07748c02deef70.tar.gz
1 files changed, 15 insertions, 0 deletions
diff --git a/profiles/defaults.nix b/profiles/defaults.nix
index 2683c5a..834c28d 100644
--- a/profiles/defaults.nix
+++ b/profiles/defaults.nix
@@ -5,6 +5,17 @@
   adminUser,
   ...
 }:
+let
+  inherit (lib // builtins)
+    attrNames
+    hasAttr
+    mkIf
+    length
+    ;
+  hasState =
+    hasAttr "persistence" config.environment && (length (attrNames config.environment.persistence)) > 0;
+  hasSecrets = config.age.secrets != { };
+in
 {
   imports = [
     ./cgroups.nix
@@ -145,4 +156,8 @@
     vim
     wireguard-tools
   ];
+
+  system.activationScripts.agenixNewGeneration = mkIf (
+    hasSecrets && hasState && config.ephemeralRoot
+  ) { deps = [ "persist-files" ]; };
 }
author	Franck Cuny <franck@fcuny.net>	2026-01-24 10:55:16 -0800
committer	Franck Cuny <franck@fcuny.net>	2026-01-24 10:55:16 -0800
commit	737b74c58de0712973f81c91aa07748c02deef70 (patch)
tree	671639fb8ae43ff9482d36331cf6f706bfb01d1a /profiles/defaults.nix
parent	update documentation for creating an ISO (diff)
download	infra-737b74c58de0712973f81c91aa07748c02deef70.tar.gz