From d83843e5e16c5b5b1c5100d6bc20af3edffb36d3 Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Thu, 26 Feb 2026 00:32:25 +0100 Subject: [PATCH] lib: Add `existingPath` type to validate path existence at eval time --- flake-parts/lib.nix | 4 ++++ modules/home/programs/ssh.nix | 2 +- modules/home/sops.nix | 2 +- modules/system/services/nebula/default.nix | 6 +++--- modules/system/sops.nix | 2 +- 5 files changed, 10 insertions(+), 6 deletions(-) diff --git a/flake-parts/lib.nix b/flake-parts/lib.nix index 5922d99..c330513 100644 --- a/flake-parts/lib.nix +++ b/flake-parts/lib.nix @@ -15,5 +15,9 @@ name: "${name} should only be exposed on private networks; access control isn't yet configured"; relativePath = path: path |> toString |> lib.removePrefix "${self}/"; + + types.existingPath = (lib.types.addCheck lib.types.path lib.pathExists) // { + description = "path that exists"; + }; }; } diff --git a/modules/home/programs/ssh.nix b/modules/home/programs/ssh.nix index afc18a0..8222747 100644 --- a/modules/home/programs/ssh.nix +++ b/modules/home/programs/ssh.nix @@ -9,7 +9,7 @@ options.custom.programs.ssh = { enable = lib.mkEnableOption ""; publicKeyFile = lib.mkOption { - type = lib.types.path; + type = self.lib.types.existingPath; default = "${self}/users/${config.home.username}/@${osConfig.networking.hostName}/keys/ssh.pub"; }; }; diff --git a/modules/home/sops.nix b/modules/home/sops.nix index 37d2c8f..9ff4bea 100644 --- a/modules/home/sops.nix +++ b/modules/home/sops.nix @@ -22,7 +22,7 @@ in |> lib.trim; }; secretsFile = lib.mkOption { - type = lib.types.path; + type = self.lib.types.existingPath; default = "${self}/users/${config.home.username}/@${osConfig.networking.hostName}/secrets.json"; }; secrets = lib.mkOption { diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix index edc86ee..2fa908f 100644 --- a/modules/system/services/nebula/default.nix +++ b/modules/system/services/nebula/default.nix 
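Review bot: `types.existingPath` is checked with `lib.pathExists`, which is also true for a directory, while every option this patch switches to it is a `*File` option (ssh.nix, both sops.nix files, nebula). If only files are intended, `lib.types.addCheck lib.types.path lib.pathIsRegularFile` would reject a directory as well; I have not verified how that helper behaves on the string-valued `"${self}/..."` defaults used here. The check also runs on the evaluating machine at evaluation time, so it only suits files that ship with the flake source. A comment above the definition such as `# Eval-time check: use only for files in the flake source, never for paths that exist only on the target host at runtime` would record that limit. The enclosing attribute set starts outside the hunk.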
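Review bot: The new existence check on `secretsFile` says nothing about the file being sops-encrypted, and the default points into `${self}`, which ends up in the Nix store. A plaintext `secrets.json` at that path would satisfy `existingPath` just the same; this also applies to `secretsFile` in modules/system/sops.nix. A short comment on the option, e.g. `# Must be sops-encrypted: the file is read from the flake source in the Nix store`, would state the requirement the type cannot enforce. The option set starts and ends outside the hunk.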
@@ -28,15 +28,15 @@ in }; caCertificateFile = lib.mkOption { - type = lib.types.path; + type = self.lib.types.existingPath; default = ./ca.crt; }; publicKeyFile = lib.mkOption { - type = lib.types.path; + type = self.lib.types.existingPath; default = "${self}/hosts/${netCfg.hostName}/keys/nebula.pub"; }; certificateFile = lib.mkOption { - type = lib.types.path; + type = self.lib.types.existingPath; default = "${self}/hosts/${netCfg.hostName}/keys/nebula.crt"; }; privateKeyFile = lib.mkOption { diff --git a/modules/system/sops.nix b/modules/system/sops.nix index a8f25be..4add3a9 100644 --- a/modules/system/sops.nix +++ b/modules/system/sops.nix @@ -18,7 +18,7 @@ in default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim; }; secretsFile = lib.mkOption { - type = lib.types.path; + type = self.lib.types.existingPath; default = "${self}/hosts/${config.networking.hostName}/secrets.json"; }; secrets = lib.mkOption {
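Review bot: `privateKeyFile`, which opens right after the three converted options, is not switched to `existingPath`, and nothing visible says why. Its definition lies outside the hunk, so its type and default cannot be seen here. If it names a runtime secret, leaving it alone is right, because an evaluation-time existence check would only pass for a key present in the flake source, and so in the world-readable Nix store. A comment on it such as `# Not existingPath: the key only exists on the host at runtime` would keep a later consistency cleanup from converting it.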