From 737b74c58de0712973f81c91aa07748c02deef70 Mon Sep 17 00:00:00 2001
From: Franck Cuny <franck@fcuny.net>
Date: Sat, 24 Jan 2026 10:55:16 -0800
Subject: adding a new VM for testing

Re-key all the secrets.
---
 profiles/defaults.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'profiles/defaults.nix')

diff --git a/profiles/defaults.nix b/profiles/defaults.nix
index 2683c5a..834c28d 100644
--- a/profiles/defaults.nix
+++ b/profiles/defaults.nix
@@ -5,6 +5,17 @@
   adminUser,
   ...
 }:
+let
+  inherit (lib // builtins)
+    attrNames
+    hasAttr
+    mkIf
+    length
+    ;
+  hasState =
+    hasAttr "persistence" config.environment && (length (attrNames config.environment.persistence)) > 0;
+  hasSecrets = config.age.secrets != { };
+in
 {
   imports = [
     ./cgroups.nix
@@ -145,4 +156,8 @@
     vim
     wireguard-tools
   ];
+
+  system.activationScripts.agenixNewGeneration = mkIf (
+    hasSecrets && hasState && config.ephemeralRoot
+  ) { deps = [ "persist-files" ]; };
 }
-- 
cgit v1.2.3