Merge pull request #121 from Mic92/improve-assertions

Improve assertions
2026-01-08 22:57:34 +08:00 · 2021-09-30 21:37:47 +02:00 · 2021-09-30 21:37:47 +02:00 · 827696f6a2
commit 827696f6a2
parent d7a6402532 e0e57da497
2 changed files with 34 additions and 31 deletions
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -190,8 +190,11 @@ in {
  ];
  config = mkIf (cfg.secrets != {}) {
    assertions = [{
-      assertion = (cfg.age.keyFile == null && cfg.age.sshKeyPaths == []) -> (cfg.gnupg.home == null) != (cfg.gnupg.sshKeyPaths == []);
-      message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set for gnupg mode";
+      assertion = cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [] || cfg.age.keyFile != null || cfg.age.sshKeyPaths != [];
+      message = "No key source configurated for sops";
+    } {
+      assertion = !(cfg.gnupg.home != null && cfg.gnupg.sshKeyPaths != []);
+      message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set";
    }] ++ optionals cfg.validateSopsFiles (
      concatLists (mapAttrsToList (name: secret: [{
        assertion = builtins.pathExists secret.sopsFile;
--- a/pkgs/sops-install-secrets/nixos-test.nix
+++ b/pkgs/sops-install-secrets/nixos-test.nix
@ -1,43 +1,43 @@
 { makeTest ? import <nixpkgs/nixos/tests/make-test-python.nix>, pkgs ? import <nixpkgs> }:
 {
 ssh-keys = makeTest {
-  name = "sops-ssh-keys";
-  nodes.server = { ... }: {
-    imports = [ ../../modules/sops ];
-    services.openssh.enable = true;
-    services.openssh.hostKeys = [{
-      type = "rsa";
-      bits = 4096;
-      path = ./test-assets/ssh-key;
-    }];
-    sops.defaultSopsFile = ./test-assets/secrets.yaml;
-    sops.secrets.test_key = {};
-  };
+   name = "sops-ssh-keys";
+   nodes.server = { ... }: {
+     imports = [ ../../modules/sops ];
+     services.openssh.enable = true;
+     services.openssh.hostKeys = [{
+       type = "rsa";
+       bits = 4096;
+       path = ./test-assets/ssh-key;
+     }];
+     sops.defaultSopsFile = ./test-assets/secrets.yaml;
+     sops.secrets.test_key = {};
+   };

-  testScript = ''
-    start_all()
-    server.succeed("cat /run/secrets/test_key | grep -q test_value")
-  '';
+   testScript = ''
+     start_all()
+     server.succeed("cat /run/secrets/test_key | grep -q test_value")
+   '';
 } {
   inherit pkgs;
   inherit (pkgs) system;
 };

 age-keys = makeTest {
-  name = "sops-age-keys";
-  machine = {
-    imports = [ ../../modules/sops ];
-    sops = {
-      age.keyFile = ./test-assets/age-keys.txt;
-      defaultSopsFile = ./test-assets/secrets.yaml;
-      secrets.test_key = {};
-    };
-  };
+   name = "sops-age-keys";
+   machine = {
+     imports = [ ../../modules/sops ];
+     sops = {
+       age.keyFile = ./test-assets/age-keys.txt;
+       defaultSopsFile = ./test-assets/secrets.yaml;
+       secrets.test_key = {};
+     };
+   };

-  testScript = ''
-    start_all()
-    machine.succeed("cat /run/secrets/test_key | grep -q test_value")
-  '';
+   testScript = ''
+     start_all()
+     machine.succeed("cat /run/secrets/test_key | grep -q test_value")
+   '';
  } {
    inherit pkgs;
    inherit (pkgs) system;