SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-03-22 22:29:06 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

sops: Add assertion to validate that all secrets are actually used

Browse source
This commit is contained in:
SebastianStork 2026-02-28 00:06:19 +01:00
parent 1fc79bee5c
commit 3af7d23a46
Signed by: SebastianStork
SSH key fingerprint: SHA256:tRrGdjYOwgHxpSc/wTOZQZEjxcb15P0tyXRsbAfd+2Q
2 changed files with 32 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

22
modules/home/sops.nix
View file

@ -38,11 +38,21 @@ in
}; };
assertions = assertions =
config.sops.secrets (
|> lib.attrNames config.sops.secrets
|> lib.map (secretPath: { |> lib.attrNames
assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); |> lib.map (secretPath: {
message = "Sops secret `${secretPath}` must be defined in secrets.json"; assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
}); message = "Sops secret `${secretPath}` is used in a module but not defined in secrets.json";
})
)
++ (
lib.removeAttrs cfg.secrets [ "sops" ]
|> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/")
|> lib.map (secretPath: {
assertion = config.sops.secrets |> lib.hasAttr secretPath;
message = "Sops secret `${secretPath}` is defined in secrets.json but not used in any module";
})
);
}; };
} }

22
modules/nixos/sops.nix
View file

@ -36,11 +36,21 @@ in
}; };
assertions = assertions =
config.sops.secrets (
|> lib.attrNames config.sops.secrets
|> lib.map (secretPath: { |> lib.attrNames
assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); |> lib.map (secretPath: {
message = "Sops secret `${secretPath}` must be defined in secrets.json"; assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
}); message = "Sops secret `${secretPath}` is used in a module but not defined in secrets.json";
})
)
++ (
lib.removeAttrs cfg.secrets [ "sops" ]
|> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/")
|> lib.map (secretPath: {
assertion = config.sops.secrets |> lib.hasAttr secretPath;
message = "Sops secret `${secretPath}` is defined in secrets.json but not used in any module";
})
);
}; };
} }