diff --git a/nixosModules/clanCore/vars/default.nix b/nixosModules/clanCore/vars/default.nix
index 453aa740b..b7173c951 100644
--- a/nixosModules/clanCore/vars/default.nix
+++ b/nixosModules/clanCore/vars/default.nix
@@ -51,6 +51,7 @@ in
       _name: file: {
         inherit (file)
           name
+          mode
           deploy
           secret
           neededForUsers
diff --git a/nixosModules/clanCore/vars/interface.nix b/nixosModules/clanCore/vars/interface.nix
index 4067254f4..7c830810d 100644
--- a/nixosModules/clanCore/vars/interface.nix
+++ b/nixosModules/clanCore/vars/interface.nix
@@ -213,6 +213,10 @@ in
           description = "The group name or id that will own the secret file.";
           default = "root";
         };
+        mode = lib.mkOption {
+          type = lib.types.strMatching "^[0-7]{3}$";
+          default = "400";
+        };
         value = lib.mkOption {
           description = ''
diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
index 7053f8d50..dc51c7b9b 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
@@ -170,7 +170,7 @@ class SecretStore(SecretStoreBase):
             tar_file = tarfile.TarInfo(name=f"{generator.name}/{file.name}")
             content = self.get(generator, file.name)
             tar_file.size = len(content)
-            tar_file.mode = 0o440
+            tar_file.mode = file.mode
             tar_file.uname = file.owner
             tar_file.gname = file.group
             if file.needed_for_users:
diff --git a/pkgs/clan-cli/clan_cli/vars/var.py b/pkgs/clan-cli/clan_cli/vars/var.py
index d562623d6..74324a406 100644
--- a/pkgs/clan-cli/clan_cli/vars/var.py
+++ b/pkgs/clan-cli/clan_cli/vars/var.py
@@ -15,6 +15,7 @@ class Var:
     deploy: bool = False
     owner: str = "root"
     group: str = "root"
+    mode: int = 0o400
     needed_for_users: bool = False
     # TODO: those shouldn't be set here
@@ -75,5 +76,6 @@ class Var:
             deploy=data["deploy"],
             owner=data.get("owner", "root"),
             group=data.get("group", "root"),
+            mode=int(data.get("mode", "400"), 8),
             needed_for_users=data.get("neededForUsers", False),
         )
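Review bot: The new `mode` option in interface.nix carries no `description`, unlike the neighbouring `group` option that this hunk sits directly under; add `description = "File mode of the deployed secret file, given as three octal digits (e.g. \"400\").";` inside the `mkOption`. The `strMatching "^[0-7]{3}$"` type also rejects four-digit modes carrying setuid/setgid/sticky bits and leading-zero spellings such as `0400`, which is a reasonable restriction for a secret file but should be stated in that description so the evaluation error is understandable. The option is consumed as a string and parsed to an integer in the Python side of this diff, so the three-digit contract is the only validation the value gets; keep the pattern and the Python parser in agreement if either is ever relaxed.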
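Review bot: Replacing the hard-coded `0o440` with `file.mode` in password_store.py changes the effective default for every existing var from group-readable `0o440` to owner-only `0o400` (the new `Var.mode` default elsewhere in this diff), so a configuration that set `group` to a non-root group so a service account could read the file will lose access after this change. Tightening secret files to owner-only is a sound default, but it is a silent behavioural change and deserves both a changelog entry and a comment on the assignment, e.g. `# mode defaults to 0o400; vars that rely on group read must set mode = "440" explicitly`. If other modules under secret_modules still hard-code a tar mode, they presumably need the same update for consistency, which this diff does not show. The enclosing method starts and ends outside the hunk.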
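Review bot: `int(data.get("mode", "400"), 8)` in the second var.py hunk accepts any octal-parsable string, including negative values, values above `0o777` and `0o`-prefixed or whitespace-padded forms, and nothing on the Python side bounds the result to a permission mask; the only validation is the Nix `strMatching` on the option, which this deserialiser cannot rely on if `data` is ever produced by another path. Parse into a local first and guard it, `if not 0 <= mode <= 0o777: raise ValueError(f"invalid file mode {data.get('mode')!r}")`, or equivalently validate in a `__post_init__`. The default `"400"` here and `0o400` on the dataclass field in the first var.py hunk encode the same value twice; a single module-level constant such as `DEFAULT_MODE = 0o400` used by both would keep them from drifting. Both hunks are inside class Var, whose body continues beyond what is shown.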