From d698fb99e23705e7b33a51b595c9dd92330819ea Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Sun, 25 Aug 2024 18:25:52 +0000
Subject: [PATCH] nixosMod/secrix: only require hostPubKey if any secret is defined

---
 nix/nixos-modules/secrix.nix | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/nix/nixos-modules/secrix.nix b/nix/nixos-modules/secrix.nix
index 5c97bc1..5125a81 100644
--- a/nix/nixos-modules/secrix.nix
+++ b/nix/nixos-modules/secrix.nix
@@ -42,12 +42,26 @@ in
   config = lib.mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = config.secrix.hostPubKey != null;
-        message = "secrix.hostPubKey must be defined";
-      }
-    ];
+    # cannot be part of upstream because secrets may also have individual keys
+    # but I will not use any individual keys
+    assertions =
+      let
+        inherit (builtins) attrValues concatLists;
+        secr = config.secrix;
+        systemSecrets = attrValues secr.system.secrets;
+        serviceSecrets = concatLists (map attrValues (attrValues secr.services));
+        allSecrets = concatLists [
+          systemSecrets
+          serviceSecrets
+        ];
+        anySecretDefined = allSecrets != [ ];
+      in
+      [
+        {
+          assertion = anySecretDefined -> config.secrix.hostPubKey != null;
+          message = "secrix.hostPubKey must be defined";
+        }
+      ];
     secrix =
       let