From 3af7d23a467af96b2c989fa6195bac069a0ab696 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Sat, 28 Feb 2026 00:06:19 +0100
Subject: [PATCH] sops: Add assertion to validate that all secrets are actually used
---
 modules/home/sops.nix | 22 ++++++++++++++++------
 modules/nixos/sops.nix | 22 ++++++++++++++++------
 2 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/modules/home/sops.nix b/modules/home/sops.nix
index 99b75c6..16b6ff9 100644
--- a/modules/home/sops.nix
+++ b/modules/home/sops.nix
@@ -38,11 +38,21 @@ in
 };
 assertions =
- config.sops.secrets
- |> lib.attrNames
- |> lib.map (secretPath: {
- assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
- message = "Sops secret `${secretPath}` must be defined in secrets.json";
- });
+ (
+ config.sops.secrets
+ |> lib.attrNames
+ |> lib.map (secretPath: {
+ assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
+ message = "Sops secret `${secretPath}` is used in a module but not defined in secrets.json";
+ })
+ )
+ ++ (
+ lib.removeAttrs cfg.secrets [ "sops" ]
+ |> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/")
+ |> lib.map (secretPath: {
+ assertion = config.sops.secrets |> lib.hasAttr secretPath;
+ message = "Sops secret `${secretPath}` is defined in secrets.json but not used in any module";
+ })
+ );
 };
 }
diff --git a/modules/nixos/sops.nix b/modules/nixos/sops.nix
index 760fceb..6ade5bc 100644
--- a/modules/nixos/sops.nix
+++ b/modules/nixos/sops.nix
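Review bot: The new "defined in secrets.json but not used in any module" assertion tests `lib.hasAttr secretPath` against the attribute names of `config.sops.secrets`, but sops-nix looks a secret up in the file by `sops.secrets.<name>.key`, which defaults to the name and can be overridden, so an entry consumed only through a renamed `key` would be reported as unused and fail evaluation (the pre-existing definedness check a few lines up has the mirror-image limitation). Comparing against the effective keys, `assertion = config.sops.secrets |> lib.mapAttrsToList (_: s: s.key) |> lib.elem secretPath;`, keeps the check accurate; the same applies to the identical hunk in modules/nixos/sops.nix. Whether `lib.mapAttrsToListRecursive` is a project extension of lib is not visible from this patch; a one-line comment naming where it comes from would help the next reader. Because the assertion now turns a stale entry into an evaluation failure, if both modules read the same secrets.json a secret used only on the NixOS side would break the Home Manager evaluation (and vice versa), which is worth stating in the commit message if that is the intended strictness.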
@@ -36,11 +36,21 @@ in
 };
 assertions =
- config.sops.secrets
- |> lib.attrNames
- |> lib.map (secretPath: {
- assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
- message = "Sops secret `${secretPath}` must be defined in secrets.json";
- });
+ (
+ config.sops.secrets
+ |> lib.attrNames
+ |> lib.map (secretPath: {
+ assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
+ message = "Sops secret `${secretPath}` is used in a module but not defined in secrets.json";
+ })
+ )
+ ++ (
+ lib.removeAttrs cfg.secrets [ "sops" ]
+ |> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/")
+ |> lib.map (secretPath: {
+ assertion = config.sops.secrets |> lib.hasAttr secretPath;
+ message = "Sops secret `${secretPath}` is defined in secrets.json but not used in any module";
+ })
+ );
 };
 }