deprecate sopsFile

2026-05-11 10:05:54 +08:00 · 2023-10-10 21:54:43 +02:00 · 2023-10-10 21:54:43 +02:00 · abcc999367
commit abcc999367
parent 3147535526
4 changed files with 95 additions and 140 deletions
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -11,10 +11,7 @@ let
  secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;
  secretType = types.submodule ({ config, ... }: {
    config = {
-      sopsFile = lib.mkOptionDefault cfg.defaultSopsFile;
-      #sopsFiles = lib.mkOptionDefault cfg.defaultSopsFiles;
-      sopsFiles = lib.mkOptionDefault [];
-      sopsFileHash = mkOptionDefault (optionalString cfg.validateSopsFiles "${builtins.hashFile "sha256" config.sopsFile}");
+      sopsFiles = lib.mkOptionDefault cfg.defaultSopsFiles;
      sopsFilesHash = mkOptionDefault (optionals cfg.validateSopsFiles (forEach config.sopsFiles (builtins.hashFile "sha256")));
    };
    options = {
@ -73,32 +70,18 @@ let
          Group of the file.
        '';
      };
-      sopsFile = mkOption {
-        type = types.path;
-        defaultText = "\${config.sops.defaultSopsFile}";
-        description = ''
-          Sops file the secret is loaded from.
-        '';
-      };
      sopsFiles = mkOption {
-        type = types.listOf types.path;
-        defaultText = "\${config.sops.defaultSopsFile}";
+        type = types.nonEmptyListOf types.path;
+        defaultText = "\${config.sops.defaultSopsFiles}";
        description = ''
-          Sops file the secret is loaded from.
-        '';
-      };
-      sopsFileHash = mkOption {
-        type = types.str;
-        readOnly = true;
-        description = ''
-          Hash of the sops file, useful in <xref linkend="opt-systemd.services._name_.restartTriggers" />.
+          Sops files the secret is loaded from.
        '';
      };
      sopsFilesHash = mkOption {
-        type = types.listOf types.str;
+        type = types.nonEmptyListOf types.str;
        readOnly = true;
        description = ''
-          Hash of the sops file, useful in <xref linkend="opt-systemd.services._name_.restartTriggers" />.
+          Hash of the sops files, useful in <xref linkend="opt-systemd.services._name_.restartTriggers" />.
        '';
      };
      restartUnits = mkOption {
@ -183,15 +166,8 @@ in {
      '';
    };

-    defaultSopsFile = mkOption {
-      type = types.path;
-      description = ''
-        Default sops file used for all secrets.
-      '';
-    };
    defaultSopsFiles = mkOption {
-      type = types.listOf types.path;
-      default = [ cfg.defaulSopsFile ];
+      type = types.nonEmptyListOf types.path;
      description = ''
        Default sops file used for all secrets.
      '';
@ -342,6 +318,7 @@ in {
    ./templates
    (mkRenamedOptionModule [ "sops" "gnupgHome" ] [ "sops" "gnupg" "home" ])
    (mkRenamedOptionModule [ "sops" "sshKeyPaths" ] [ "sops" "gnupg" "sshKeyPaths" ])
+    (mkRemovedOptionModule [ "sops" "defaultSopsFile" ] ''use `sops.defaultSopsFiles` instead'')
  ];
  config = mkMerge [
    (mkIf (cfg.secrets != {}) {
@ -355,31 +332,20 @@ in {
        assertion = (filterAttrs (_: v: v.owner != "root" || v.group != "root") secretsForUsers) == {};
        message = "neededForUsers cannot be used for secrets that are not root-owned";
      }] ++ optionals cfg.validateSopsFiles (
-        (concatLists (mapAttrsToList (name: secret: [{
-          assertion = builtins.pathExists secret.sopsFile;
-          message = "Cannot find path '${secret.sopsFile}' set in sops.secrets.${strings.escapeNixIdentifier name}.sopsFile";
-        } {
-          assertion =
-            builtins.isPath secret.sopsFile ||
-            (builtins.isString secret.sopsFile && hasPrefix builtins.storeDir secret.sopsFile);
-          message = "'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false";
-        }]) cfg.secrets)
-        ) ++ (concatLists (mapAttrsToList
+        concatLists (mapAttrsToList
          (name: secret:
            concatMap
              (sopsFile: [{
                assertion = builtins.pathExists sopsFile;
                message = "Cannot find path '${sopsFile}' set in sops.secrets.${strings.escapeNixIdentifier name}.sopsFiles";
-              }
-                {
-                  assertion =
+              } {
+                assertion =
                    builtins.isPath sopsFile ||
-                      (builtins.isString sopsFile && hasPrefix builtins.storeDir sopsFile);
-                  message = "'${sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false";
-                }])
-              (toList (if (secret.sopsFiles == null) then [ ] else secret.sopsFiles)))
+                    (builtins.isString sopsFile && hasPrefix builtins.storeDir sopsFile);
+                message = "'${sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false";
+              }])
+              secret.sopsFiles)
          cfg.secrets)
-        )
      );

      sops.environment.SOPS_GPG_EXEC = mkIf (cfg.gnupg.home != null) (mkDefault "${pkgs.gnupg}/bin/gpg");