From e0e57da4973a37b946ddeb5f6dcbf7f06f56e0e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 30 Sep 2021 06:59:08 +0200
Subject: [PATCH] fix documentation and assertions for age.keyFile
---
 modules/sops/default.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index eabc1ec..727813b 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -190,8 +190,11 @@ in {
 ];
 config = mkIf (cfg.secrets != {}) {
 assertions = [{
- assertion = (cfg.age.keyFile == null && cfg.age.sshKeyPaths == []) -> (cfg.gnupg.home == null) != (cfg.gnupg.sshKeyPaths == []);
- message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set for gnupg mode";
+ assertion = cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [] || cfg.age.keyFile != null || cfg.age.sshKeyPaths != [];
+ message = "No key source configurated for sops";
+ } {
+ assertion = !(cfg.gnupg.home != null && cfg.gnupg.sshKeyPaths != []);
+ message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set";
 }] ++ optionals cfg.validateSopsFiles (
 concatLists (mapAttrsToList (name: secret: [{
 assertion = builtins.pathExists secret.sopsFile;
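Review bot: The message on the second added assertion does not match its condition: `!(cfg.gnupg.home != null && cfg.gnupg.sshKeyPaths != [])` fails only when both options are set, and an age-only configuration with neither set is accepted, yet the text still says "Exactly one of ... must be set". Someone who hits this while sorting out decryption keys is told the wrong thing; I would change it to `message = "sops.gnupg.home and sops.gnupg.sshKeyPaths are mutually exclusive; set at most one";`. The first added message has a typo ("configurated") and does not name what to set; assuming `cfg` is `config.sops`, as the existing message text implies, `message = "No key source configured for sops: set one of sops.age.keyFile, sops.age.sshKeyPaths, sops.gnupg.home or sops.gnupg.sshKeyPaths";` makes the failure actionable. The `config` block starts inside the hunk but continues past its last line.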