nixosMod/secrix: only require hostPubKey if any secret is defined

1 year ago · d698fb99e2
parent aa9ab0ba2f
commit d698fb99e2
1 changed files with 20 additions and 6 deletions
--- a/nix/nixos-modules/secrix.nix
+++ b/nix/nixos-modules/secrix.nix
@ -42,12 +42,26 @@ in

  config = lib.mkIf cfg.enable {

-    assertions = [
-      {
-        assertion = config.secrix.hostPubKey != null;
-        message = "secrix.hostPubKey must be defined";
-      }
-    ];
+    # cannot be part of upstream because secrets may also have individual keys
+    # but I will not use any individual keys
+    assertions =
+      let
+        inherit (builtins) attrValues concatLists;
+        secr = config.secrix;
+        systemSecrets = attrValues secr.system.secrets;
+        serviceSecrets = concatLists (map attrValues (attrValues secr.services));
+        allSecrets = concatLists [
+          systemSecrets
+          serviceSecrets
+        ];
+        anySecretDefined = allSecrets != [ ];
+      in
+      [
+        {
+          assertion = anySecretDefined -> config.secrix.hostPubKey != null;
+          message = "secrix.hostPubKey must be defined";
+        }
+      ];

    secrix =
      let