diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
index 575c5fc..ad6fe64 100644
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@@ -294,51 +294,34 @@ in
 };
 config = lib.mkIf (cfg.secrets != { }) {
- assertions =
- [
- {
- assertion =
- cfg.gnupg.home != null
- || cfg.gnupg.sshKeyPaths != [ ]
- || cfg.gnupg.qubes-split-gpg.enable == true
- || cfg.age.keyFile != null
- || cfg.age.sshKeyPaths != [ ];
- message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home or sops.gnupg.qubes-split-gpg.enable";
- }
- {
- assertion =
- !(cfg.gnupg.home != null && cfg.gnupg.sshKeyPaths != [ ])
- && !(cfg.gnupg.home != null && cfg.gnupg.qubes-split-gpg.enable == true)
- && !(cfg.gnupg.sshKeyPaths != [ ] && cfg.gnupg.qubes-split-gpg.enable == true);
- message = "Exactly one of sops.gnupg.home, sops.gnupg.qubes-split-gpg.enable and sops.gnupg.sshKeyPaths must be set";
- }
- {
- assertion =
- cfg.gnupg.qubes-split-gpg.enable == false
- || (
- cfg.gnupg.qubes-split-gpg.enable == true
- && cfg.gnupg.qubes-split-gpg.domain != null
- && cfg.gnupg.qubes-split-gpg.domain != ""
- );
- message = "sops.gnupg.qubes-split-gpg.domain is required when sops.gnupg.qubes-split-gpg.enable is set to true";
- }
- ]
- ++ lib.optionals cfg.validateSopsFiles (
- lib.concatLists (
- lib.mapAttrsToList (name: secret: [
- {
- assertion = builtins.pathExists secret.sopsFile;
- message = "Cannot find path '${secret.sopsFile}' set in sops.secrets.${lib.strings.escapeNixIdentifier name}.sopsFile";
- }
- {
- assertion =
- builtins.isPath secret.sopsFile
- || (builtins.isString secret.sopsFile && lib.hasPrefix builtins.storeDir secret.sopsFile);
- message = "'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false";
- }
- ]) cfg.secrets
- )
- );
+ assertions = [
+ {
+ assertion =
+ cfg.gnupg.home != null
+ || cfg.gnupg.sshKeyPaths != [ ]
+ || cfg.gnupg.qubes-split-gpg.enable == true
+ || cfg.age.keyFile != null
+ || cfg.age.sshKeyPaths != [ ];
+ message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home or sops.gnupg.qubes-split-gpg.enable";
+ }
+ {
+ assertion =
+ !(cfg.gnupg.home != null && cfg.gnupg.sshKeyPaths != [ ])
+ && !(cfg.gnupg.home != null && cfg.gnupg.qubes-split-gpg.enable == true)
+ && !(cfg.gnupg.sshKeyPaths != [ ] && cfg.gnupg.qubes-split-gpg.enable == true);
+ message = "Exactly one of sops.gnupg.home, sops.gnupg.qubes-split-gpg.enable and sops.gnupg.sshKeyPaths must be set";
+ }
+ {
+ assertion =
+ cfg.gnupg.qubes-split-gpg.enable == false
+ || (
+ cfg.gnupg.qubes-split-gpg.enable == true
+ && cfg.gnupg.qubes-split-gpg.domain != null
+ && cfg.gnupg.qubes-split-gpg.domain != ""
+ );
+ message = "sops.gnupg.qubes-split-gpg.domain is required when sops.gnupg.qubes-split-gpg.enable is set to true";
+ }
+ ];
 home.sessionVariables = lib.mkIf cfg.gnupg.qubes-split-gpg.enable {
 # TODO: Add this package to nixpkgs and use it from the store
diff --git a/modules/sops/manifest-for.nix b/modules/sops/manifest-for.nix
index 8886f30..1824668 100644
--- a/modules/sops/manifest-for.nix
+++ b/modules/sops/manifest-for.nix
@@ -24,7 +24,7 @@ let
 ) [ ] (builtins.attrValues secrets);
 in
-if failedAssertions != [ ] then
+if cfg.validateSopsFiles && failedAssertions != [ ] then
 throw "\nFailed assertions:\n${lib.concatStringsSep "\n" (map (x: "- ${x}") failedAssertions)}"
 else
 writeTextFile {
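Review bot: The first entry of the new `assertions` list in modules/home-manager/sops.nix still tells the user to set `services.openssh.enable`, which is a NixOS option rather than a home-manager one, while the condition it reports on checks `cfg.age.sshKeyPaths` and `cfg.gnupg.sshKeyPaths`; the message should name the options this module actually reads, e.g. `message = "No key source configured for sops. Set sops.age.keyFile, sops.age.sshKeyPaths, sops.gnupg.home, sops.gnupg.sshKeyPaths or sops.gnupg.qubes-split-gpg.enable";`. With the `lib.optionals cfg.validateSopsFiles` entries dropped from this list, the home-manager module no longer reports a missing or non-store `sopsFile` through `assertions`; presumably that is now left to the `failedAssertions` check in modules/sops/manifest-for.nix, whose construction is outside this diff, so it is worth confirming that the store-membership check (the removed "is not in the Nix store" assertion) is still performed there and that its message still names `sops.validateSopsFiles` as the opt-out. The `config = lib.mkIf …` attribute set this hunk edits continues outside the hunk.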