From 653a6f310be3a12d13f781008085d4feface27d0 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 26 Feb 2026 19:27:34 +0100
Subject: [PATCH] sops: Add assertions to validate secret existence at eval time
---
 modules/home/sops.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/modules/home/sops.nix b/modules/home/sops.nix
index 9ff4bea..99b75c6 100644
--- a/modules/home/sops.nix
+++ b/modules/home/sops.nix
@@ -36,5 +36,13 @@ in
 age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
 defaultSopsFile = cfg.secretsFile;
 };
+
+ assertions =
+ config.sops.secrets
+ |> lib.attrNames
+ |> lib.map (secretPath: {
+ assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
+ message = "Sops secret `${secretPath}` must be defined in secrets.json";
+ });
 };
 }
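Review bot: The new `assertions` list looks each secret up by its attribute name in `cfg.secrets`, but sops-nix resolves a secret through its `key` and `sopsFile` options, which only default to the name and to `defaultSopsFile`. A secret that overrides `key` would fail evaluation spuriously, and one that overrides `sopsFile` would be checked against the wrong file, so a name that happens to exist in `cfg.secretsFile` passes although the real file was never inspected. Iterating with `lib.mapAttrsToList (name: secret: { … })` and asserting `secret.sopsFile != cfg.secretsFile || lib.hasAttrByPath (lib.splitString "/" secret.key) cfg.secrets` would keep the check aligned with what is decrypted at activation. `hasAttrByPath` also succeeds on an intermediate attribute set and, if `cfg.secrets` is the parsed file, on the top-level `sops` metadata key, so the assertion confirms a path exists rather than that it is an encrypted leaf; a short comment saying so would help. The definition of `cfg.secrets` and the start of the enclosing attribute set are outside the hunk, so the above assumes it is the parsed content of `cfg.secretsFile`.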