From f8bbd91c4a2bf8adbf69d3a13f19c9718c3de8fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 4 May 2025 14:49:15 +0200
Subject: [PATCH] vars: warn if mode/owner/user is used on non-secret var
---
 nixosModules/clanCore/vars/default.nix | 34 +++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/nixosModules/clanCore/vars/default.nix b/nixosModules/clanCore/vars/default.nix
index ccbe5fe71..4f8538e90 100644
--- a/nixosModules/clanCore/vars/default.nix
+++ b/nixosModules/clanCore/vars/default.nix
@@ -39,9 +39,35 @@ in
 type = submodule { imports = [ ./interface.nix ]; };
 };
- config.system.clan.deployment.data = {
- vars = config.clan.core.vars._serialized;
- inherit (config.clan.core.networking) targetHost buildHost;
- inherit (config.clan.core.deployment) requireExplicitUpdate;
+ config = {
+ # check all that all non-secret files have no owner/group/mode set
+ warnings = lib.foldl' (
+ warnings: generator:
+ warnings
+ ++ lib.foldl' (
+ warnings: file:
+ warnings
+ ++
+ lib.optional
+ (
+ !file.secret
+ && (
+ file.owner != "root"
+ || file.group != (if _class == "darwin" then "wheel" else "root")
+ || file.mode != "0400"
+ )
+ )
+ ''
+ The config.clan.core.vars.generators.${generator.name}.files.${file.name} is not secret, but has non-default owner/group/mode set.
+ This doesn't work because the file will be added to the nix store
+ ''
+ ) [ ] (lib.attrValues generator.files)
+ ) [ ] (lib.attrValues config.clan.core.vars.generators);
+
+ system.clan.deployment.data = {
+ vars = config.clan.core.vars._serialized;
+ inherit (config.clan.core.networking) targetHost buildHost;
+ inherit (config.clan.core.deployment) requireExplicitUpdate;
+ };
 };
 }
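Review bot: The comparison values `"root"`, `"wheel"`/`"root"` and `"0400"` in the new `warnings` expression are literal copies of what look like the option defaults declared in ./interface.nix (not visible in this hunk), so the check silently stops matching as soon as those defaults change; a comment naming the coupling, `# must match the owner/group/mode defaults declared in ./interface.nix`, or comparing against the declared defaults instead of literals would keep them in sync. Because this is only a warning, a non-secret file that was given `mode = "0400"` in the expectation of confidentiality is still copied into the world-readable nix store, which is the exact situation the message describes; if that combination is never legitimate, an `assertions` entry would be the stricter fit. The two nested `lib.foldl'` calls with accumulators both named `warnings` (shadowing the option being set) read harder than the equivalent `warnings = lib.concatMap (generator: lib.concatMap (file: lib.optional (...) ''...'') (lib.attrValues generator.files)) (lib.attrValues config.clan.core.vars.generators);`, which produces the same list. The comment above it also doubles `all` (`# check that all non-secret files have no owner/group/mode set`); the enclosing module attribute set and the `_class` binding it relies on are outside the hunk.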