fallback knockd sequence when sops placeholder is absent

syscod3 · syscod3 · commit 46de8d9d00b0 · 2026-03-16T02:01:35.000Z
diff --git a/modules/networking/firewall-knockd.nix b/modules/networking/firewall-knockd.nix
@@ -1,14 +1,17 @@
 { config, pkgs, lib, ... }:
 
 let
+  knockSequence =
+    lib.attrByPath [ "sops" "placeholder" "knockd/sequence" ] [ "7000" "8000" "9000" ] config;
+
   # Port knocking sequence will be loaded from sops
   # This is just the module structure
   knockdConfig = ''
     [options]
       UseSyslog
 
     [openSSH]
-      sequence    = ${builtins.concatStringsSep "," config.sops.placeholder."knockd/sequence"}
+      sequence    = ${builtins.concatStringsSep "," knockSequence}
       seq_timeout = 15
       tcpflags    = syn
       command     = ${pkgs.iptables}/bin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
