fix: tolerate missing agenix secrets in image build

joshp123 · joshp123 · commit a809f2915433 · 2026-01-10T19:00:07.000+01:00
diff --git a/nix/modules/clawdinator.nix b/nix/modules/clawdinator.nix
@@ -498,6 +498,30 @@ in
       '';
     };
 
+    system.activationScripts.agenixChown = lib.mkIf cfg.bootstrap.enable (lib.mkForce {
+      text =
+        let
+          secrets = lib.attrValues config.age.secrets;
+          chownLines = lib.concatMapStringsSep "\n"
+            (secret:
+              let
+                path = secret.path;
+                owner = if secret.owner == null then "root" else secret.owner;
+                group = if secret.group == null then "root" else secret.group;
+              in
+              lib.optionalString (path != null) ''
+                if [ -e "${path}" ]; then
+                  chown ${owner}:${group} "${path}"
+                fi
+              '')
+            secrets;
+        in
+        ''
+          set -euo pipefail
+          ${chownLines}
+        '';
+    });
+
     systemd.tmpfiles.rules = [
       "d ${cfg.stateDir} 0750 ${cfg.user} ${cfg.group} - -"
       "d ${workspaceDir} 0750 ${cfg.user} ${cfg.group} - -"
diff --git a/scripts/import-image.sh b/scripts/import-image.sh
@@ -88,6 +88,7 @@ for _ in {1..120}; do
         --region "${region}" \
         --resources "${image_id}" \
         --tags "Key=Name,Value=${ami_name}" "Key=clawdinator,Value=true"
+      echo "AMI_ID=${image_id}" >&2
       echo "${image_id}"
       exit 0
       ;;
