authortalyz <kim.lindberger@gmail.com>2022-01-31 12:44:54 +0100
committertalyz <kim.lindberger@gmail.com>2022-01-31 12:44:54 +0100
commit95069d76d34b0c40d3585c579004e4221a90c22f (patch)
tree23784781ee95956739427ac0095bf98c1e7d17e5
parent689b76bcf36055afdeb2e9852f5ecdd2bf483f87 (diff)
genJqSecretsReplacementSnippet: Propagate secret file read errors
If an error occurs while trying to read a secret file, we want that
error to propagate to the main shell context. That means we have to
set the `inherit_errexit` option, which allows errors from subshells
to propagate to the outer shell. Also, the subshell cannot run as part
of another command, such as `export`, since that will simply ignore
the subshell exit status and only respect `export`s exit status; first
assigning the value to a variable and then exporting it solves the issue.
-rw-r--r--nixos/lib/utils.nix9
1 files changed, 8 insertions, 1 deletions
diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix
index bbebf8ba35a..190c4db4d49 100644
--- a/nixos/lib/utils.nix
+++ b/nixos/lib/utils.nix
@@ -149,10 +149,16 @@ rec {
       if [[ -h '${output}' ]]; then
         rm '${output}'
       fi
+
+      inherit_errexit_restore=$(shopt -p inherit_errexit)
+      shopt -s inherit_errexit
     ''
     + concatStringsSep
         "\n"
-        (imap1 (index: name: "export secret${toString index}=$(<'${secrets.${name}}')")
+        (imap1 (index: name: ''
+                  secret${toString index}=$(<'${secrets.${name}}')
+                  export secret${toString index}
+                '')
                (attrNames secrets))
     + "\n"
     + "${pkgs.jq}/bin/jq >'${output}' '"
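Review bot: The added `inherit_errexit_restore=$(shopt -p inherit_errexit)` can itself abort the script, because `shopt -p` returns non-zero when the named option is off (bash's default for `inherit_errexit`) and a bare assignment takes the substitution's exit status. A caller running under `set -e` would therefore exit here before any secret is read. Capturing the state without a failing status avoids that, e.g. `inherit_errexit_restore=$(shopt -p inherit_errexit || true)`. The propagation this change aims for also only happens when the enclosing script has errexit enabled, which is not visible in the hunk; a comment on the snippet saying so would help, since otherwise a failed read leaves `secretN` empty and jq still writes `${output}`. The `$inherit_errexit_restore` line in the second hunk is reached only on success, which is fine as long as failure exits the script.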
@@ -164,6 +170,7 @@ rec {
       ' <<'EOF'
       ${builtins.toJSON set}
       EOF
+      $inherit_errexit_restore
     '';
 
   systemdUtils = {