From 93d20f48c9c5cbb3cc24536bad483274693fac38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 8 May 2025 17:06:49 +0200
Subject: [PATCH] vars: improve warnings for non-public secrets

---
 nixosModules/clanCore/vars/default.nix | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/nixosModules/clanCore/vars/default.nix b/nixosModules/clanCore/vars/default.nix
index 4f8538e90..d6f308911 100644
--- a/nixosModules/clanCore/vars/default.nix
+++ b/nixosModules/clanCore/vars/default.nix
@@ -58,7 +58,25 @@ in
 )
 )
 ''
- The config.clan.core.vars.generators.${generator.name}.files.${file.name} is not secret, but has non-default owner/group/mode set.
+ The config.clan.core.vars.generators.${generator.name}.files.${file.name} is not secret:
+ ${lib.optionalString
+ (file.owner != "root")
+ ''
+ The owner is set to ${file.owner}, but should be root.
+ ''
+ }
+ ${lib.optionalString
+ (file.group != (if _class == "darwin" then "wheel" else "root"))
+ ''
+ The group is set to ${file.group}, but should be ${if _class == "darwin" then "wheel" else "root"}.
+ ''
+ }
+ ${lib.optionalString
+ (file.mode != "0400")
+ ''
+ The mode is set to ${file.mode}, but should be 0400.
+ ''
+ }
 This doesn't work because the file will be added to the nix store
 ''
 ) [ ] (lib.attrValues generator.files)
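Review bot: The new per-attribute lines say the owner, group and mode "should be" root/0400, which reads as if resetting them were the fix, while the actual exposure is only hinted at in the unchanged closing line: a non-secret file ends up in the Nix store, where it is world-readable and these settings cannot apply. I would reword that closing line to name the consequence and the remedy, e.g. `These settings have no effect: the file is copied to the world-readable nix store. Mark the file as secret if access must be restricted.` (the option is presumably `files.<name>.secret`; it is not visible in this hunk). Separately, each `${lib.optionalString ...}` whose condition is false would still leave an empty line in the warning, and `if _class == "darwin" then "wheel" else "root"` is now written twice in the added lines; a `let` binding for the expected group and `lib.concatStringsSep "\n"` over `lib.optional` entries would avoid both. The enclosing expression starts and ends outside the hunk.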