vars: eval finalScript lazy

2024-12-13 18:30:54 +01:00
parent a364a5b800
commit c888f01823
6 changed files with 67 additions and 31 deletions
--- a/nixosModules/clanCore/vars/default.nix
+++ b/nixosModules/clanCore/vars/default.nix
@@ -41,7 +41,6 @@ in
          inherit (generator)
            name
            dependencies
-            finalScript
            validationHash
            migrateFact
            prompts
--- a/nixosModules/clanCore/vars/generator.nix
+++ b/nixosModules/clanCore/vars/generator.nix
@@ -24,35 +24,37 @@ let
  filePromptNames = attrNames (filterAttrs (_name: prompt: prompt.createFile) config.prompts);
 in
 {
-  finalScript = mkOptionDefault ''
-    set -eu -o pipefail
+  finalScript = mkOptionDefault (
+    pkgs.writeScript "generator-${config.name}" ''
+      set -eu -o pipefail

-    export PATH="${makeBinPath config.runtimeInputs}:${pkgs.coreutils}/bin"
+      export PATH="${makeBinPath config.runtimeInputs}:${pkgs.coreutils}/bin"

-    ${optionalString (pkgs.stdenv.hostPlatform.isLinux) ''
-      # prepare sandbox user on platforms where this is supported
-      mkdir -p /etc
+      ${optionalString (pkgs.stdenv.hostPlatform.isLinux) ''
+        # prepare sandbox user on platforms where this is supported
+        mkdir -p /etc

-      cat > /etc/group <<EOF
-      root:x:0:
-      nixbld:!:$(id -g):
-      nogroup:x:65534:
-      EOF
+        cat > /etc/group <<EOF
+        root:x:0:
+        nixbld:!:$(id -g):
+        nogroup:x:65534:
+        EOF

-      cat > /etc/passwd <<EOF
-      root:x:0:0:Nix build user:/build:/noshell
-      nixbld:x:$(id -u):$(id -g):Nix build user:/build:/noshell
-      nobody:x:65534:65534:Nobody:/:/noshell
-      EOF
+        cat > /etc/passwd <<EOF
+        root:x:0:0:Nix build user:/build:/noshell
+        nixbld:x:$(id -u):$(id -g):Nix build user:/build:/noshell
+        nobody:x:65534:65534:Nobody:/:/noshell
+        EOF

-      cat > /etc/hosts <<EOF
-      127.0.0.1 localhost
-      ::1 localhost
-      EOF
-    ''}
-    ${promptsToFilesScript filePromptNames}
-    ${config.script}
-  '';
+        cat > /etc/hosts <<EOF
+        127.0.0.1 localhost
+        ::1 localhost
+        EOF
+      ''}
+      ${promptsToFilesScript filePromptNames}
+      ${config.script}
+    ''
+  );

  files = genAttrs filePromptNames (_name: { });
 }
--- a/nixosModules/clanCore/vars/interface.nix
+++ b/nixosModules/clanCore/vars/interface.nix
@@ -322,7 +322,7 @@ in
                  - all required programs are in PATH
                  - sandbox is set up correctly
              '';
-              type = lib.types.str;
+              type = lib.types.path;
              readOnly = true;
              internal = true;
            };
--- a/nixosModules/clanCore/vars/secret/on-machine.nix
+++ b/nixosModules/clanCore/vars/secret/on-machine.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  sortedGenerators = lib.toposort (a: b: builtins.elem a.name b.dependencies) (
+    lib.attrValues config.clan.core.vars.generators
+  );
+  generateSecrets = ''
+    ${lib.concatStringsSep "\n" (_gen: ''
+      v
+    '') sortedGenerators}
+  '';
+in
+{
+  config = lib.mkIf (config.clan.core.vars.settings.secretStore == "on-machine") {
+    environment.systemPackages = [
+      (pkgs.writeShellApplication {
+        text = generateSecrets;
+      })
+    ];
+  };
+}