genJqSecretsReplacementSnippet: Propagate secret file read errors

If an error occurs while trying to read a secret file, we want that
error to propagate to the main shell context. That means we have to
set the `inherit_errexit` option, which allows errors from subshells
to propagate to the outer shell. Also, the subshell cannot run as part
of another command, such as `export`, since that will simply ignore
the subshell exit status and only respect `export`'s exit status; first
assigning the value to a variable and then exporting it solves the issue.
talyz 2022-01-31 12:44:54 +01:00
parent 689b76bcf3
commit 95069d76d3
No known key found for this signature in database
GPG key ID: 2DED2151F4671A2B
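The two bash behaviours the commit message relies on, reproduced as an added example (not nixpkgs code and not the commit author's). Each case runs in its own `bash -c` so errexit state cannot leak between them; the secret file, its `hunter2` content and the `/nonexistent/secret` path are constructed for the demo, and bash 4.4 or newer is assumed for `inherit_errexit`.

```shell
#!/usr/bin/env bash
# Added example (not nixpkgs code, not the commit author's). Reproduces the
# two bash behaviours the commit message relies on, each in a fresh `bash -c`
# so errexit state does not leak between cases. Assumes bash >= 4.4 for
# inherit_errexit; on older bash the `shopt` line below fails and the
# inner script stops there with status 1.

# Run $2 under `set -e` in a child bash with inherit_errexit set ($1 = s)
# or unset ($1 = u), passing $3 as the secret path. Print "status|output".
run_with_errexit() {
  local flag=$1 body=$2 file=$3 out status=0
  out=$(bash -c "set -e; shopt -$flag inherit_errexit; $body" _ "$file" 2>/dev/null) \
    || status=$?
  printf '%s|%s\n' "$status" "$out"
}

# Pattern the commit removes: export with an inline read. The statement's
# status is export's (0), so a failed read never reaches errexit.
masked_read() {
  run_with_errexit s 'export secret1=$(<"$1"); echo "continued:${secret1:-empty}"' "$1"
}

# Pattern the commit introduces: assign first, export second. A failed
# read gives the assignment a non-zero status and errexit stops the script.
propagated_read() {
  run_with_errexit s 'secret1=$(<"$1"); export secret1; echo "continued:${secret1:-empty}"' "$1"
}

# What inherit_errexit itself buys: a substitution with more than one
# command. Without it (u) the subshell ignores errexit, `echo fallback`
# runs after the failed read and the substitution succeeds; with it (s)
# the subshell dies at the failed read.
multi_command_read() {
  run_with_errexit "$1" \
    'secret1=$(cat "$1"; echo fallback); export secret1; echo "continued:$secret1"' \
    /nonexistent/secret
}

# Constructed secret file for the success path (content "hunter2").
make_secret_file() {
  local f
  f=$(mktemp) || return 1
  printf 'hunter2\n' >"$f"
  printf '%s\n' "$f"
}

f=$(make_secret_file)
echo "masked, file present:       $(masked_read "$f")"              # 0|continued:hunter2
echo "masked, file missing:       $(masked_read /nonexistent/secret)" # 0|continued:empty
echo "propagated, file missing:   $(propagated_read /nonexistent/secret)" # 1|
echo "multi, inherit_errexit off: $(multi_command_read u)"            # 0|continued:fallback
echo "multi, inherit_errexit on:  $(multi_command_read s)"            # 1|
rm -f "$f"
```

Note that for the single-command `$(<file)` read the assign-then-export change alone is what makes the failure visible; `inherit_errexit` only changes the outcome once the substitution contains more than one command, which is what the last two cases show.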


@ -149,10 +149,16 @@ rec {
if [[ -h '${output}' ]]; then
rm '${output}'
fi
inherit_errexit_restore=$(shopt -p inherit_errexit)
shopt -s inherit_errexit
''
+ concatStringsSep
"\n"
(imap1 (index: name: "export secret${toString index}=$(<'${secrets.${name}}')")
(imap1 (index: name: ''
secret${toString index}=$(<'${secrets.${name}}')
export secret${toString index}
'')
(attrNames secrets))
+ "\n"
+ "${pkgs.jq}/bin/jq >'${output}' '"
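Review bot: `shopt -s inherit_errexit` only has an effect when errexit is already on, and nothing in this hunk enables it, so whether a failed `$(<'${secrets.${name}}')` actually stops the script still depends on the caller having run `set -e` before pasting this snippet; either document that requirement next to the new `shopt` lines or save and restore errexit the same way inherit_errexit is (for example `errexit_restore=$(shopt -po errexit)` followed by `set -e`, restored together with `$inherit_errexit_restore`). While touching the read line, note that the secret path is interpolated inside bare single quotes, so a path containing `'` breaks the generated command; `lib.escapeShellArg` would be safer than the hand-written quotes.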
@ -164,6 +170,7 @@ rec {
' <<'EOF'
${builtins.toJSON set}
EOF
$inherit_errexit_restore
'';
systemdUtils = {
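Review bot: the `secretN` variables exported above stay in the environment after `$inherit_errexit_restore` runs, so every later command and child process in the caller's script inherits the plaintext secrets even though only the jq invocation needs them; consider emitting an `unset secret1 ... secretN` line (generated with the same `imap1` loop) right after the jq command and before the restore. Note also that if jq itself fails under errexit the restore line is never reached, which is acceptable because the shell exits, but is worth a comment for readers who expect the option to be restored on every path.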