Make assertions lazy

2025-12-26 14:14:58 +08:00 · 2025-01-15 15:55:51 +01:00 · 2025-01-15 15:55:51 +01:00 · 7eb645636c
commit 7eb645636c
parent d016ce0365
3 changed files with 56 additions and 51 deletions
--- a/modules/nix-darwin/default.nix
+++ b/modules/nix-darwin/default.nix
@ -356,16 +356,6 @@ in
        ++ lib.optionals cfg.validateSopsFiles (
          lib.concatLists (
            lib.mapAttrsToList (name: secret: [
-              {
-                assertion = builtins.pathExists secret.sopsFile;
-                message = "Cannot find path '${secret.sopsFile}' set in sops.secrets.${lib.strings.escapeNixIdentifier name}.sopsFile";
-              }
-              {
-                assertion =
-                  builtins.isPath secret.sopsFile
-                  || (builtins.isString secret.sopsFile && lib.hasPrefix builtins.storeDir secret.sopsFile);
-                message = "'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false";
-              }
              {
                assertion = secret.uid != null && secret.uid != 0 -> secret.owner == null;
                message = "In ${secret.name} exactly one of sops.owner and sops.uid must be set";
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -406,16 +406,6 @@ in
        ++ lib.optionals cfg.validateSopsFiles (
          lib.concatLists (
            lib.mapAttrsToList (name: secret: [
-              {
-                assertion = builtins.pathExists secret.sopsFile;
-                message = "Cannot find path '${secret.sopsFile}' set in sops.secrets.${lib.strings.escapeNixIdentifier name}.sopsFile";
-              }
-              {
-                assertion =
-                  builtins.isPath secret.sopsFile
-                  || (builtins.isString secret.sopsFile && lib.hasPrefix builtins.storeDir secret.sopsFile);
-                message = "'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false";
-              }
              {
                assertion = secret.uid != null && secret.uid != 0 -> secret.owner == null;
                message = "In ${secret.name} exactly one of sops.owner and sops.uid must be set";
--- a/modules/sops/manifest-for.nix
+++ b/modules/sops/manifest-for.nix
@ -1,34 +1,59 @@
-{ writeTextFile, cfg }:
+{
+  writeTextFile,
+  cfg,
+  lib,
+}:

 suffix: secrets: templates: extraJson:

-writeTextFile {
-  name = "manifest${suffix}.json";
-  text = builtins.toJSON (
-    {
-      secrets = builtins.attrValues secrets;
-      templates = builtins.attrValues templates;
-      # Does this need to be configurable?
-      secretsMountPoint = "/run/secrets.d";
-      symlinkPath = "/run/secrets";
-      keepGenerations = cfg.keepGenerations;
-      gnupgHome = cfg.gnupg.home;
-      sshKeyPaths = cfg.gnupg.sshKeyPaths;
-      ageKeyFile = cfg.age.keyFile;
-      ageSshKeyPaths = cfg.age.sshKeyPaths;
-      useTmpfs = cfg.useTmpfs;
-      placeholderBySecretName = cfg.placeholder;
-      userMode = false;
-      logging = {
-        keyImport = builtins.elem "keyImport" cfg.log;
-        secretChanges = builtins.elem "secretChanges" cfg.log;
-      };
-    }
-    // extraJson
-  );
-  checkPhase = ''
-    ${cfg.validationPackage}/bin/sops-install-secrets -check-mode=${
-      if cfg.validateSopsFiles then "sopsfile" else "manifest"
-    } "$out"
-  '';
-}
+let
+
+  failedAssertions = builtins.foldl' (
+    acc: secret:
+    acc
+    ++ (lib.optional (!builtins.pathExists secret.sopsFile)
+      "Cannot find path '${secret.sopsFile}' set in sops.secrets.${lib.strings.escapeNixIdentifier secret.name}.sopsFile\n"
+    )
+    ++
+      lib.optional
+        (
+          !builtins.isPath secret.sopsFile
+          && !(builtins.isString secret.sopsFile && lib.hasPrefix builtins.storeDir secret.sopsFile)
+        )
+        "'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false"
+  ) [ ] (builtins.attrValues secrets);
+
+in
+if failedAssertions != [ ] then
+  throw "\nFailed assertions:\n${lib.concatStringsSep "\n" (map (x: "- ${x}") failedAssertions)}"
+else
+  writeTextFile {
+    name = "manifest${suffix}.json";
+    text = builtins.toJSON (
+      {
+        secrets = builtins.attrValues secrets;
+        templates = builtins.attrValues templates;
+        # Does this need to be configurable?
+        secretsMountPoint = "/run/secrets.d";
+        symlinkPath = "/run/secrets";
+        keepGenerations = cfg.keepGenerations;
+        gnupgHome = cfg.gnupg.home;
+        sshKeyPaths = cfg.gnupg.sshKeyPaths;
+        ageKeyFile = cfg.age.keyFile;
+        ageSshKeyPaths = cfg.age.sshKeyPaths;
+        useTmpfs = cfg.useTmpfs;
+        placeholderBySecretName = cfg.placeholder;
+        userMode = false;
+        logging = {
+          keyImport = builtins.elem "keyImport" cfg.log;
+          secretChanges = builtins.elem "secretChanges" cfg.log;
+        };
+      }
+      // extraJson
+    );
+    checkPhase = ''
+      ${cfg.validationPackage}/bin/sops-install-secrets -check-mode=${
+        if cfg.validateSopsFiles then "sopsfile" else "manifest"
+      } "$out"
+    '';
+  }