vars/password-store: replace passBackend option with passPackage

The `clan.core.vars.settings.passBackend` option has been replaced with `clan.vars.password-store.passPackage` to provide better type safety and clearer configuration. Changes: - Remove problematic mkRemovedOptionModule that caused circular dependency - Add proper option definition with assertion-based migration - Users setting the old option get clear migration instructions - Normal evaluation continues to work for users not using the old option Migration: Replace `clan.core.vars.settings.passBackend = "passage"` with `clan.vars.password-store.passPackage = pkgs.passage`
2025-06-29 10:51:18 +02:00
parent bd82de6001
commit 8302f3ffde
8 changed files with 129 additions and 98 deletions
--- a/nixosModules/clanCore/vars/default.nix
+++ b/nixosModules/clanCore/vars/default.nix
@@ -40,6 +40,18 @@ in
  };

  config = {
+    # Check for removed passBackend option usage
+    assertions = [
+      {
+        assertion = config.clan.core.vars.settings.passBackend == null;
+        message = ''
+          The option `clan.core.vars.settings.passBackend' has been removed.
+          Use clan.vars.password-store.passPackage instead.
+          Set it to pkgs.pass for GPG or pkgs.passage for age encryption.
+        '';
+      }
+    ];
+
    # check all that all non-secret files have no owner/group/mode set
    warnings = lib.foldl' (
      warnings: generator:
--- a/nixosModules/clanCore/vars/secret/password-store.nix
+++ b/nixosModules/clanCore/vars/secret/password-store.nix
@@ -62,6 +62,13 @@ in
        location where the tarball with the password-store secrets will be uploaded to and the manifest
      '';
    };
+    passPackage = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.pass;
+      description = ''
+        Password store package to use. Can be pkgs.pass for GPG-based storage or pkgs.passage for age-based storage.
+      '';
+    };
  };
  config = {
    clan.core.vars.settings =
@@ -76,7 +83,7 @@ in
                else if file.config.neededFor == "services" then
                  "/run/secrets/${file.config.generatorName}/${file.config.name}"
                else if file.config.neededFor == "activation" then
-                  "${config.clan.password-store.secretLocation}/activation/${file.config.generatorName}/${file.config.name}"
+                  "${config.clan.vars.password-store.secretLocation}/activation/${file.config.generatorName}/${file.config.name}"
                else if file.config.neededFor == "partitioning" then
                  "/run/partitioning-secrets/${file.config.generatorName}/${file.config.name}"
                else
--- a/nixosModules/clanCore/vars/settings-opts.nix
+++ b/nixosModules/clanCore/vars/settings-opts.nix
@@ -15,17 +15,6 @@
    '';
  };

-  passBackend = lib.mkOption {
-    type = lib.types.enum [
-      "passage"
-      "pass"
-    ];
-    default = "pass";
-    description = ''
-      password-store backend to use. Valid options are `pass` and `passage`
-    '';
-  };
-
  secretModule = lib.mkOption {
    type = lib.types.str;
    internal = true;
@@ -65,4 +54,15 @@
      the python import path to the public module
    '';
  };
+
+  # Legacy option that guides migration
+  passBackend = lib.mkOption {
+    type = lib.types.nullOr lib.types.str;
+    default = null;
+    visible = false;
+    description = ''
+      DEPRECATED: This option has been removed. Use clan.vars.password-store.passPackage instead.
+      Set it to pkgs.pass for GPG or pkgs.passage for age encryption.
+    '';
+  };
 }