assertions

2026-03-19 16:17:20 -05:00
parent dd04320fe7
commit d229cdbf6a
43 changed files with 1190 additions and 997 deletions
--- a/modules/nixos/boot/common/default.nix
+++ b/modules/nixos/boot/common/default.nix
@@ -22,6 +22,17 @@ in
  };

  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !cfg.yubikeyEncryption || config.${namespace}.hardware.disko.enableLuks;
+        message = "mjallen.boot.common.yubikeyEncryption requires mjallen.hardware.disko.enableLuks = true.";
+      }
+      {
+        assertion = !cfg.yubikeyEncryption || config.${namespace}.hardware.disko.enable;
+        message = "mjallen.boot.common.yubikeyEncryption requires mjallen.hardware.disko.enable = true (disko-managed disk layout).";
+      }
+    ];
+
    boot = {

      kernelModules = [ "kvm" ];
@@ -78,7 +89,7 @@ in
                };
                slot = 2;
                twoFactor = false;
-                gracePeriod = yubikeyGracePeriod;
+                gracePeriod = cfg.yubikeyGracePeriod;
              };
            };
          };
--- a/modules/nixos/boot/lanzaboote/default.nix
+++ b/modules/nixos/boot/lanzaboote/default.nix
@@ -17,6 +17,13 @@ in
  };

  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.configLimit > 0;
+        message = "mjallen.bootloader.lanzaboote.configLimit must be a positive integer (got ${toString cfg.configLimit}).";
+      }
+    ];
+
    boot = {
      loader = {
        efi = {
--- a/modules/nixos/disko/default.nix
+++ b/modules/nixos/disko/default.nix
@@ -104,6 +104,21 @@ in
 {
  imports = [ ./options.nix ];
  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.rootDisk != "";
+        message = "mjallen.hardware.disko.rootDisk must be set to a non-empty device path (e.g. \"/dev/nvme0n1\").";
+      }
+      {
+        assertion = !(cfg.enableSwap && cfg.swapSize == "");
+        message = "mjallen.hardware.disko.swapSize must be a non-empty size string when enableSwap is true (e.g. \"16G\").";
+      }
+      {
+        assertion = cfg.compression != "";
+        message = "mjallen.hardware.disko.compression must be a non-empty compression type (e.g. \"zstd\").";
+      }
+    ];
+
    disko.devices = lib.mkMerge [
      {
        nodev."/" = {
--- a/modules/nixos/gaming/default.nix
+++ b/modules/nixos/gaming/default.nix
@@ -7,11 +7,21 @@
 }:
 let
  cfg = config.${namespace}.gaming;
+  hasDesktop =
+    config.${namespace}.desktop.gnome.enable
+    || config.${namespace}.desktop.hyprland.enable
+    || config.${namespace}.desktop.cosmic.enable;
 in
 {
  imports = [ ./options.nix ];

  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = hasDesktop;
+        message = "mjallen.gaming.enable requires a desktop environment (gnome, hyprland, or cosmic) to be enabled.";
+      }
+    ];
    # Network option required using sysctl to let Ubisoft Connect work as of 7-12-2023
    # Use mkDefault so jovian-nixos steam module (which sets this to `true`) wins.
    boot.kernel.sysctl."net.ipv4.tcp_mtu_probing" = lib.mkDefault 1;
--- a/modules/nixos/hardware/amd/default.nix
+++ b/modules/nixos/hardware/amd/default.nix
@@ -22,6 +22,17 @@ in
  };

  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !(cfg.lact.enable && cfg.corectrl.enable);
+        message = "mjallen.hardware.amd: lact and corectrl cannot both be enabled — they both manage AMD GPU power profiles and will conflict.";
+      }
+      {
+        assertion = !cfg.corectrl.enablePolkit || cfg.corectrl.polkitGroup != "";
+        message = "mjallen.hardware.amd.corectrl.polkitGroup must be a non-empty group name when enablePolkit is true.";
+      }
+    ];
+
    boot = {
      kernelModules = [
        "nct6775"
--- a/modules/nixos/hardware/battery/default.nix
+++ b/modules/nixos/hardware/battery/default.nix
@@ -21,6 +21,17 @@ in
  };

  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.battery != "";
+        message = "mjallen.hardware.battery.battery must be set to the sysfs path of the battery charge limit file (e.g. \"/sys/class/power_supply/BAT0/charge_control_end_threshold\").";
+      }
+      {
+        assertion = cfg.chargeLimit > 0 && cfg.chargeLimit <= 100;
+        message = "mjallen.hardware.battery.chargeLimit must be between 1 and 100 (got ${toString cfg.chargeLimit}).";
+      }
+    ];
+
    systemd = {
      services = {
        set-charge-limit = {
--- a/modules/nixos/hardware/raspberry-pi/default.nix
+++ b/modules/nixos/hardware/raspberry-pi/default.nix
@@ -260,6 +260,20 @@ in
  ];

  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.bootType != "uboot" || cfg.firmwarePackage != null;
+        message = "mjallen.hardware.raspberry-pi.firmwarePackage must be set when bootType is \"uboot\".";
+      }
+      {
+        assertion = cfg.bootType != "kernel" || cfg.firmwarePackage != null;
+        message = "mjallen.hardware.raspberry-pi.firmwarePackage must be set when bootType is \"kernel\".";
+      }
+      {
+        assertion = cfg.nixosGenerationsDir != "";
+        message = "mjallen.hardware.raspberry-pi.nixosGenerationsDir must be a non-empty path.";
+      }
+    ];

    boot = {
      initrd.availableKernelModules = [
--- a/modules/nixos/headless/default.nix
+++ b/modules/nixos/headless/default.nix
@@ -15,6 +15,16 @@ in
  };

  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion =
+          !config.${namespace}.desktop.gnome.enable
+          && !config.${namespace}.desktop.hyprland.enable
+          && !config.${namespace}.desktop.cosmic.enable;
+        message = "mjallen.headless.enable = true is incompatible with having a desktop environment enabled (gnome, hyprland, or cosmic).";
+      }
+    ];
+
    boot.initrd.systemd.suppressedUnits = lib.mkIf config.systemd.enableEmergencyMode [
      "emergency.service"
      "emergency.target"
--- a/modules/nixos/home/default.nix
+++ b/modules/nixos/home/default.nix
@@ -36,6 +36,30 @@ in
  };

  config = {
+    assertions =
+      let
+        desktopCount = lib.count lib.id [
+          config.${namespace}.desktop.gnome.enable
+          config.${namespace}.desktop.hyprland.enable
+          config.${namespace}.desktop.cosmic.enable
+        ];
+      in
+      [
+        {
+          assertion = desktopCount <= 1;
+          message = ''
+            At most one desktop environment may be enabled simultaneously.
+            Currently enabled: ${
+              lib.concatStringsSep ", " (
+                lib.optional config.${namespace}.desktop.gnome.enable "gnome"
+                ++ lib.optional config.${namespace}.desktop.hyprland.enable "hyprland"
+                ++ lib.optional config.${namespace}.desktop.cosmic.enable "cosmic"
+              )
+            }.
+          '';
+        }
+      ];
+
    # ${namespace}.home.extraOptions = {
    #   home.file = lib.mkAliasDefinitions options.${namespace}.home.file;
    #   home.stateVersion = lib.mkOptionDefault config.system.stateVersion;
--- a/modules/nixos/impermanence/default.nix
+++ b/modules/nixos/impermanence/default.nix
@@ -50,6 +50,17 @@ in
  };

  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = lib.hasPrefix "/" cfg.persistencePath;
+        message = "mjallen.impermanence.persistencePath must be an absolute path (got \"${cfg.persistencePath}\").";
+      }
+      {
+        assertion = cfg.persistencePath != "/";
+        message = "mjallen.impermanence.persistencePath must not be the filesystem root \"/\".";
+      }
+    ];
+
    environment.persistence."/nix/persist/system" = {
      hideMounts = true;
      directories = [
--- a/modules/nixos/network/default.nix
+++ b/modules/nixos/network/default.nix
@@ -57,6 +57,33 @@ in
  ];

  config = {
+    assertions = [
+      {
+        assertion = cfg.hostName != "";
+        message = "mjallen.network.hostName must be set to a non-empty string.";
+      }
+      {
+        assertion = cfg.ipv4.method == "auto" || cfg.ipv4.method == "manual";
+        message = "mjallen.network.ipv4.method must be either \"auto\" or \"manual\" (got \"${cfg.ipv4.method}\").";
+      }
+      {
+        assertion = cfg.ipv4.method != "manual" || cfg.ipv4.interface != "";
+        message = "mjallen.network.ipv4.interface must be set when ipv4.method is \"manual\".";
+      }
+      {
+        assertion = cfg.ipv4.method != "manual" || cfg.ipv4.address != "";
+        message = "mjallen.network.ipv4.address must be set when ipv4.method is \"manual\".";
+      }
+      {
+        assertion = cfg.ipv4.method != "manual" || cfg.ipv4.gateway != "";
+        message = "mjallen.network.ipv4.gateway must be set when ipv4.method is \"manual\".";
+      }
+      {
+        assertion = cfg.nat.enable -> cfg.nat.externalInterface != "";
+        message = "mjallen.network.nat.externalInterface must be set when NAT is enabled.";
+      }
+    ];
+
    systemd = {
      services = {
        NetworkManager-wait-online.enable = false;
--- a/modules/nixos/nix/default.nix
+++ b/modules/nixos/nix/default.nix
@@ -1,7 +1,6 @@
 {
  config,
  lib,
-  inputs,
  namespace,
  ...
 }:
--- a/modules/nixos/power/default.nix
+++ b/modules/nixos/power/default.nix
@@ -20,6 +20,21 @@ in
  };

  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.upsName != "";
+        message = "mjallen.power.ups.upsName must be a non-empty string.";
+      }
+      {
+        assertion = cfg.upsUser != "";
+        message = "mjallen.power.ups.upsUser must be a non-empty string.";
+      }
+      {
+        assertion = builtins.hasAttr "jallen-nas/ups_password" config.sops.secrets;
+        message = "mjallen.power.ups requires a sops secret \"jallen-nas/ups_password\" to be declared.";
+      }
+    ];
+
    power.ups = {
      enable = true;
      openFirewall = true;
--- a/modules/nixos/services/netbootxyz/default.nix
+++ b/modules/nixos/services/netbootxyz/default.nix
@@ -25,8 +25,14 @@ in
      ];
      extraConfig = {
        networking.firewall = lib.mkIf cfg.openFirewall {
-          allowedTCPPorts = [ cfg.assetPort cfg.tftpPort ];
-          allowedUDPPorts = [ cfg.assetPort cfg.tftpPort ];
+          allowedTCPPorts = [
+            cfg.assetPort
+            cfg.tftpPort
+          ];
+          allowedUDPPorts = [
+            cfg.assetPort
+            cfg.tftpPort
+          ];
        };
        virtualisation.oci-containers.containers.netbootxyz.ports = lib.mkForce [
          "${toString cfg.port}:3000"
--- a/modules/nixos/sops/default.nix
+++ b/modules/nixos/sops/default.nix
@@ -14,6 +14,13 @@ in
  imports = [ ./options.nix ];

  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.sshKeyPaths != [ ];
+        message = "mjallen.sops.sshKeyPaths must contain at least one SSH key path for age decryption.";
+      }
+    ];
+
    sops = {
      defaultSopsFile = if cfg.defaultSopsFile != null then cfg.defaultSopsFile else defaultSops;
      age.sshKeyPaths = cfg.sshKeyPaths;