From 4096ea3adb04438a4bd74b62c31c1ac9df43405b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 19 Sep 2023 22:57:44 +0200
Subject: [PATCH] don't set age keyfile if don't have a secret for it

---
 nixosModules/clanCore/secrets/sops.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nixosModules/clanCore/secrets/sops.nix b/nixosModules/clanCore/secrets/sops.nix
index a752e0c5..b26b5120 100644
--- a/nixosModules/clanCore/secrets/sops.nix
+++ b/nixosModules/clanCore/secrets/sops.nix
@@ -54,6 +54,8 @@ in
 secrets;
 # To get proper error messages about missing secrets we need a dummy secret file that is always present
 sops.defaultSopsFile = lib.mkIf config.sops.validateSopsFiles (lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" "")));
- sops.age.keyFile = lib.mkDefault "/var/lib/sops-nix/key.txt";
+
+ sops.age.keyFile = lib.mkIf (builtins.pathExists (config.clanCore.clanDir + "/sops/secrets/${config.clanCore.machineName}-age.key/secret"))
+ (lib.mkDefault "/var/lib/sops-nix/key.txt");
 };
 }
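Review bot: The new `lib.mkIf (builtins.pathExists …)` guard on `sops.age.keyFile` is decided at evaluation time from the tree being evaluated, and nothing in the hunk documents that or reports when the guard turns out false. If the `${config.clanCore.machineName}-age.key/secret` file is absent from the evaluated source while the `secrets` set above is still non-empty, the key path is silently left unset and decryption presumably falls back to whatever other key source sops-nix has, or fails only at activation (not visible from this hunk, so worth confirming). I would add a comment above the assignment such as `# Only point sops-nix at /var/lib/sops-nix/key.txt when this machine's age key is stored in the repo; pathExists is checked at eval time`, and consider binding the condition to a local name so a `warnings` entry can be emitted when secrets exist for the machine but its key secret does not. The enclosing attribute set starts outside the hunk.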