From 1fc79bee5ceb8866c45a2a2792303e2d3bc9c04e Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Fri, 27 Feb 2026 23:42:14 +0100 Subject: [PATCH 1/3] atuin: Move from `services` namespace to `web-services` --- hosts/homeserver/default.nix | 4 ++-- modules/nixos/{services => web-services}/atuin.nix | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) rename modules/nixos/{services => web-services}/atuin.nix (92%) diff --git a/hosts/homeserver/default.nix b/hosts/homeserver/default.nix index a8beb12..e6c18bd 100644 --- a/hosts/homeserver/default.nix +++ b/hosts/homeserver/default.nix @@ -29,14 +29,14 @@ gui.domain = "syncthing.${privateDomain}"; doBackups = true; }; + }; + web-services = { atuin = { enable = true; domain = "atuin.${privateDomain}"; }; - }; - web-services = { filebrowser = { enable = true; domain = "files.${privateDomain}"; diff --git a/modules/nixos/services/atuin.nix b/modules/nixos/web-services/atuin.nix similarity index 92% rename from modules/nixos/services/atuin.nix rename to modules/nixos/web-services/atuin.nix index 234cf84..79bf168 100644 --- a/modules/nixos/services/atuin.nix +++ b/modules/nixos/web-services/atuin.nix @@ -1,10 +1,10 @@ { config, lib, ... }: let - cfg = config.custom.services.atuin; + cfg = config.custom.web-services.atuin; dataDir = "/var/lib/atuin"; in { - options.custom.services.atuin = { + options.custom.web-services.atuin = { enable = lib.mkEnableOption ""; domain = lib.mkOption { type = lib.types.nonEmptyStr; From 3af7d23a467af96b2c989fa6195bac069a0ab696 Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Sat, 28 Feb 2026 00:06:19 +0100 Subject: [PATCH 2/3] sops: Add assertion to validate that all secrets are actually used --- modules/home/sops.nix | 22 ++++++++++++++++------ modules/nixos/sops.nix | 22 ++++++++++++++++------ 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/modules/home/sops.nix b/modules/home/sops.nix index 99b75c6..16b6ff9 100644 --- a/modules/home/sops.nix 
+++ b/modules/home/sops.nix @@ -38,11 +38,21 @@ in }; assertions = - config.sops.secrets - |> lib.attrNames - |> lib.map (secretPath: { - assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); - message = "Sops secret `${secretPath}` must be defined in secrets.json"; - }); + ( + config.sops.secrets + |> lib.attrNames + |> lib.map (secretPath: { + assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); + message = "Sops secret `${secretPath}` is used in a module but not defined in secrets.json"; + }) + ) + ++ ( + lib.removeAttrs cfg.secrets [ "sops" ] + |> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/") + |> lib.map (secretPath: { + assertion = config.sops.secrets |> lib.hasAttr secretPath; + message = "Sops secret `${secretPath}` is defined in secrets.json but not used in any module"; + }) + ); }; } diff --git a/modules/nixos/sops.nix b/modules/nixos/sops.nix index 760fceb..6ade5bc 100644 --- a/modules/nixos/sops.nix +++ b/modules/nixos/sops.nix @@ -36,11 +36,21 @@ in }; assertions = - config.sops.secrets - |> lib.attrNames - |> lib.map (secretPath: { - assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); - message = "Sops secret `${secretPath}` must be defined in secrets.json"; - }); + ( + config.sops.secrets + |> lib.attrNames + |> lib.map (secretPath: { + assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); + message = "Sops secret `${secretPath}` is used in a module but not defined in secrets.json"; + }) + ) + ++ ( + lib.removeAttrs cfg.secrets [ "sops" ] + |> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/") + |> lib.map (secretPath: { + assertion = config.sops.secrets |> lib.hasAttr secretPath; + message = "Sops secret `${secretPath}` is defined in secrets.json but not used in any module"; + }) + ); }; } From 4887e06117d49b607688e4e4cde5df9ff0c2ed5e Mon Sep 17 00:00:00 2001 
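Review bot: Both assertions match on the attribute names of `config.sops.secrets`, so a declaration whose `key` differs from its name (sops-nix's `sops.secrets.<name>.key` is what actually selects the entry in the sops file) would trip the first assertion as "not defined" and have its real key reported as "not used" by the new one. If any module in this repo sets `key`, build the used-set from the keys instead, e.g. `usedKeys = config.sops.secrets |> lib.mapAttrsToList (name: secret: secret.key or name);`, and check the new assertion with `lib.elem secretPath usedKeys` and the first with `lib.hasAttrByPath (key |> lib.splitString "/")` per entry of `usedKeys`. It is also worth confirming that `lib.mapAttrsToListRecursive` comes from this flake's extended lib, as I do not recognize it as a nixpkgs `lib.attrsets` function. The enclosing `config` attrset begins before this hunk.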
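Review bot: This assertion list is now identical to the one added to modules/home/sops.nix in the same commit, so any later refinement (honouring per-secret `key` overrides, excluding more top-level metadata than `sops`) has to be made twice and can silently drift between the NixOS and Home Manager modules. Consider moving the two-way check into a helper exposed through the flake's lib, which this file already reaches via `self.lib.types.existingPath`, e.g. `assertions = self.lib.sopsSecretAssertions { declared = config.sops.secrets; data = cfg.secrets; };` in both modules. A short comment above the second group, `# Every leaf in secrets.json (except the sops metadata block) must be declared as a sops secret somewhere`, would also make the purpose of `removeAttrs cfg.secrets [ "sops" ]` clear to a reader. The enclosing `config` attrset begins before this hunk.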
From: SebastianStork Date: Sat, 28 Feb 2026 00:13:51 +0100 Subject: [PATCH 3/3] sops: Rename `secrets` option to `secretsData` --- modules/home/programs/git.nix | 4 ++-- modules/home/sops.nix | 6 +++--- modules/nixos/networking/underlay.nix | 2 +- modules/nixos/services/syncthing.nix | 2 +- modules/nixos/sops.nix | 6 +++--- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/modules/home/programs/git.nix b/modules/home/programs/git.nix index a2488f7..671075b 100644 --- a/modules/home/programs/git.nix +++ b/modules/home/programs/git.nix @@ -4,7 +4,7 @@ config = lib.mkIf config.custom.programs.git.enable { sops.secrets = - config.custom.sops.secrets.ssh-key + config.custom.sops.secretsData.ssh-key |> lib.mapAttrs' ( name: _: lib.nameValuePair "ssh-key/${name}" { path = "${config.home.homeDirectory}/.ssh/${name}"; } ); @@ -42,7 +42,7 @@ lazygit.enable = true; ssh.matchBlocks = - config.custom.sops.secrets.ssh-key + config.custom.sops.secretsData.ssh-key |> lib.mapAttrs (name: _: { identityFile = config.sops.secrets."ssh-key/${name}".path; }); }; }; diff --git a/modules/home/sops.nix b/modules/home/sops.nix index 16b6ff9..ff3cf3b 100644 --- a/modules/home/sops.nix +++ b/modules/home/sops.nix @@ -25,7 +25,7 @@ in type = self.lib.types.existingPath; default = "${self}/users/${config.home.username}/@${osConfig.networking.hostName}/secrets.json"; }; - secrets = lib.mkOption { + secretsData = lib.mkOption { type = lib.types.anything; default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON; }; 
@@ -42,12 +42,12 @@ in config.sops.secrets |> lib.attrNames |> lib.map (secretPath: { - assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); + assertion = cfg.secretsData |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); message = "Sops secret `${secretPath}` is used in a module but not defined in secrets.json"; }) ) ++ ( - lib.removeAttrs cfg.secrets [ "sops" ] + lib.removeAttrs cfg.secretsData [ "sops" ] |> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/") |> lib.map (secretPath: { assertion = config.sops.secrets |> lib.hasAttr secretPath; diff --git a/modules/nixos/networking/underlay.nix b/modules/nixos/networking/underlay.nix index 125cc75..20f9efa 100644 --- a/modules/nixos/networking/underlay.nix +++ b/modules/nixos/networking/underlay.nix @@ -33,7 +33,7 @@ in enable = lib.mkEnableOption ""; networks = lib.mkOption { type = lib.types.listOf lib.types.nonEmptyStr; - default = config.custom.sops.secrets.iwd |> lib.attrNames; + default = config.custom.sops.secretsData.iwd |> lib.attrNames; }; }; }; diff --git a/modules/nixos/services/syncthing.nix b/modules/nixos/services/syncthing.nix index 44bd538..73fe5f7 100644 --- a/modules/nixos/services/syncthing.nix +++ b/modules/nixos/services/syncthing.nix @@ -11,7 +11,7 @@ let inherit (config.services.syncthing) dataDir; - useSopsSecrets = config.custom.sops.secrets |> lib.hasAttr "syncthing"; + useSopsSecrets = config.custom.sops.secretsData |> lib.hasAttr "syncthing"; in { options.custom.services.syncthing = { diff --git a/modules/nixos/sops.nix b/modules/nixos/sops.nix index 6ade5bc..1dd2c27 100644 --- a/modules/nixos/sops.nix +++ b/modules/nixos/sops.nix @@ -21,7 +21,7 @@ in type = self.lib.types.existingPath; default = "${self}/hosts/${config.networking.hostName}/secrets.json"; }; - secrets = lib.mkOption { + secretsData = lib.mkOption { type = lib.types.anything; default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON; }; 
@@ -40,12 +40,12 @@ in config.sops.secrets |> lib.attrNames |> lib.map (secretPath: { - assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); + assertion = cfg.secretsData |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); message = "Sops secret `${secretPath}` is used in a module but not defined in secrets.json"; }) ) ++ ( - lib.removeAttrs cfg.secrets [ "sops" ] + lib.removeAttrs cfg.secretsData [ "sops" ] |> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/") |> lib.map (secretPath: { assertion = config.sops.secrets |> lib.hasAttr secretPath;