From a364a5b8002b3eab91a4ec2820c829fa6984344b Mon Sep 17 00:00:00 2001
From: lassulus <git@lassul.us>
Date: Sat, 14 Dec 2024 13:37:40 +0100
Subject: [PATCH 1/4] cli nix_build: don't create output symlink if no gcroot
 is given

---
 pkgs/clan-cli/clan_cli/nix/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/clan-cli/clan_cli/nix/__init__.py b/pkgs/clan-cli/clan_cli/nix/__init__.py
index e075e417b..58bbee025 100644
--- a/pkgs/clan-cli/clan_cli/nix/__init__.py
+++ b/pkgs/clan-cli/clan_cli/nix/__init__.py
@@ -37,7 +37,7 @@ def nix_build(flags: list[str], gcroot: Path | None = None) -> list[str]:
             "--print-out-paths",
             "--print-build-logs",
             *(["--show-trace"] if log.isEnabledFor(logging.DEBUG) else []),
-            *(["--out-root", str(gcroot)] if gcroot is not None else []),
+            *(["--out-root", str(gcroot)] if gcroot is not None else ["--no-link"]),
             *flags,
         ]
     )

From c888f01823d6bff2822e16c9e0f2f228f223e225 Mon Sep 17 00:00:00 2001
From: lassulus <git@lassul.us>
Date: Fri, 13 Dec 2024 18:30:54 +0100
Subject: [PATCH 2/4] vars: eval finalScript lazy

---
 nixosModules/clanCore/vars/default.nix        |  1 -
 nixosModules/clanCore/vars/generator.nix      | 50 ++++++++++---------
 nixosModules/clanCore/vars/interface.nix      |  2 +-
 .../clanCore/vars/secret/on-machine.nix       | 25 ++++++++++
 pkgs/clan-cli/clan_cli/machines/machines.py   |  6 ++-
 pkgs/clan-cli/clan_cli/vars/generate.py       | 14 ++++--
 6 files changed, 67 insertions(+), 31 deletions(-)
 create mode 100644 nixosModules/clanCore/vars/secret/on-machine.nix

diff --git a/nixosModules/clanCore/vars/default.nix b/nixosModules/clanCore/vars/default.nix
index 3a7fe5db2..0c8042e7b 100644
--- a/nixosModules/clanCore/vars/default.nix
+++ b/nixosModules/clanCore/vars/default.nix
@@ -41,7 +41,6 @@ in
           inherit (generator)
             name
             dependencies
-            finalScript
             validationHash
             migrateFact
             prompts
diff --git a/nixosModules/clanCore/vars/generator.nix b/nixosModules/clanCore/vars/generator.nix
index cbd50a4f0..c3ee1033a 100644
--- a/nixosModules/clanCore/vars/generator.nix
+++ b/nixosModules/clanCore/vars/generator.nix
@@ -24,35 +24,37 @@ let
   filePromptNames = attrNames (filterAttrs (_name: prompt: prompt.createFile) config.prompts);
 in
 {
-  finalScript = mkOptionDefault ''
-    set -eu -o pipefail
+  finalScript = mkOptionDefault (
+    pkgs.writeScript "generator-${config.name}" ''
+      set -eu -o pipefail
 
-    export PATH="${makeBinPath config.runtimeInputs}:${pkgs.coreutils}/bin"
+      export PATH="${makeBinPath config.runtimeInputs}:${pkgs.coreutils}/bin"
 
-    ${optionalString (pkgs.stdenv.hostPlatform.isLinux) ''
-      # prepare sandbox user on platforms where this is supported
-      mkdir -p /etc
+      ${optionalString (pkgs.stdenv.hostPlatform.isLinux) ''
+        # prepare sandbox user on platforms where this is supported
+        mkdir -p /etc
 
-      cat > /etc/group <<EOF
-      root:x:0:
-      nixbld:!:$(id -g):
-      nogroup:x:65534:
-      EOF
+        cat > /etc/group <<EOF
+        root:x:0:
+        nixbld:!:$(id -g):
+        nogroup:x:65534:
+        EOF
 
-      cat > /etc/passwd <<EOF
-      root:x:0:0:Nix build user:/build:/noshell
-      nixbld:x:$(id -u):$(id -g):Nix build user:/build:/noshell
-      nobody:x:65534:65534:Nobody:/:/noshell
-      EOF
+        cat > /etc/passwd <<EOF
+        root:x:0:0:Nix build user:/build:/noshell
+        nixbld:x:$(id -u):$(id -g):Nix build user:/build:/noshell
+        nobody:x:65534:65534:Nobody:/:/noshell
+        EOF
 
-      cat > /etc/hosts <<EOF
-      127.0.0.1 localhost
-      ::1 localhost
-      EOF
-    ''}
-    ${promptsToFilesScript filePromptNames}
-    ${config.script}
-  '';
+        cat > /etc/hosts <<EOF
+        127.0.0.1 localhost
+        ::1 localhost
+        EOF
+      ''}
+      ${promptsToFilesScript filePromptNames}
+      ${config.script}
+    ''
+  );
 
   files = genAttrs filePromptNames (_name: { });
 }
diff --git a/nixosModules/clanCore/vars/interface.nix b/nixosModules/clanCore/vars/interface.nix
index dee8c5561..64532dae0 100644
--- a/nixosModules/clanCore/vars/interface.nix
+++ b/nixosModules/clanCore/vars/interface.nix
@@ -322,7 +322,7 @@ in
                   - all required programs are in PATH
                   - sandbox is set up correctly
               '';
-              type = lib.types.str;
+              type = lib.types.path;
               readOnly = true;
               internal = true;
             };
diff --git a/nixosModules/clanCore/vars/secret/on-machine.nix b/nixosModules/clanCore/vars/secret/on-machine.nix
new file mode 100644
index 000000000..0af081b78
--- /dev/null
+++ b/nixosModules/clanCore/vars/secret/on-machine.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  sortedGenerators = lib.toposort (a: b: builtins.elem a.name b.dependencies) (
+    lib.attrValues config.clan.core.vars.generators
+  );
+  generateSecrets = ''
+    ${lib.concatStringsSep "\n" (_gen: ''
+      v
+    '') sortedGenerators}
+  '';
+in
+{
+  config = lib.mkIf (config.clan.core.vars.settings.secretStore == "on-machine") {
+    environment.systemPackages = [
+      (pkgs.writeShellApplication {
+        text = generateSecrets;
+      })
+    ];
+  };
+}
diff --git a/pkgs/clan-cli/clan_cli/machines/machines.py b/pkgs/clan-cli/clan_cli/machines/machines.py
index 725901f8b..a4577b835 100644
--- a/pkgs/clan-cli/clan_cli/machines/machines.py
+++ b/pkgs/clan-cli/clan_cli/machines/machines.py
@@ -166,7 +166,11 @@ class Machine:
         generators: dict[str, Any] = clan_vars.get("generators")
         if generators is None:
             return []
-        return [Generator.from_json(gen) for gen in generators.values()]
+        _generators = [Generator.from_json(gen) for gen in generators.values()]
+        for gen in _generators:
+            gen.machine(self)
+
+        return _generators
 
     @property
     def secrets_upload_directory(self) -> str:
diff --git a/pkgs/clan-cli/clan_cli/vars/generate.py b/pkgs/clan-cli/clan_cli/vars/generate.py
index f1830a02b..fffd3f73c 100644
--- a/pkgs/clan-cli/clan_cli/vars/generate.py
+++ b/pkgs/clan-cli/clan_cli/vars/generate.py
@@ -40,7 +40,6 @@ class Generator:
     files: list[Var] = field(default_factory=list)
     share: bool = False
     validation: str | None = None
-    final_script: str = ""
     prompts: list[Prompt] = field(default_factory=list)
     dependencies: list[str] = field(default_factory=list)
 
@@ -62,7 +61,6 @@ class Generator:
         return cls(
             name=data["name"],
             share=data["share"],
-            final_script=data["finalScript"],
             files=[Var.from_json(data["name"], f) for f in data["files"].values()],
             validation=data["validationHash"],
             dependencies=data["dependencies"],
@@ -70,6 +68,14 @@ class Generator:
             prompts=[Prompt.from_json(p) for p in data["prompts"].values()],
         )
 
+    @property
+    def final_script(self) -> Path:
+        assert self._machine is not None
+        final_script = self._machine.build_nix(
+            f"config.clan.core.vars.generators.{self.name}.finalScript"
+        )
+        return final_script
+
 
 def bubblewrap_cmd(generator: str, tmpdir: Path) -> list[str]:
     # fmt: off
@@ -188,7 +194,7 @@ def execute_generator(
                 prompt_file.write_text(value)
 
         if sys.platform == "linux":
-            cmd = bubblewrap_cmd(generator.final_script, tmpdir)
+            cmd = bubblewrap_cmd(str(generator.final_script), tmpdir)
         else:
             cmd = ["bash", "-c", generator.final_script]
         run(cmd, RunOpts(env=env))
@@ -201,7 +207,7 @@ def execute_generator(
             secret_file = tmpdir_out / file.name
             if not secret_file.is_file():
                 msg = f"did not generate a file for '{file.name}' when running the following command:\n"
-                msg += generator.final_script
+                msg += str(generator.final_script)
                 raise ClanError(msg)
             if file.secret:
                 file_path = secret_vars_store.set(

From 0ce51a4e5c91618322f7a51aba3d4293483b45a4 Mon Sep 17 00:00:00 2001
From: lassulus <git@lassul.us>
Date: Sat, 14 Dec 2024 13:42:31 +0100
Subject: [PATCH 3/4] cli test_vars: make output check less sensible to nix
 output

---
 pkgs/clan-cli/tests/test_vars.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/clan-cli/tests/test_vars.py b/pkgs/clan-cli/tests/test_vars.py
index 25cde260a..c052d30ef 100644
--- a/pkgs/clan-cli/tests/test_vars.py
+++ b/pkgs/clan-cli/tests/test_vars.py
@@ -858,7 +858,7 @@ def test_stdout_of_generate(
             "my_generator",
             regenerate=True,
         )
-    assert "Updated" not in caplog.text
+    assert "Updated var" not in caplog.text
     assert "hello" in caplog.text
     caplog.clear()
     with caplog.at_level(logging.INFO):

From e0f95a7a16aea342829b4867a873c1517d078815 Mon Sep 17 00:00:00 2001
From: lassulus <git@lassul.us>
Date: Sat, 14 Dec 2024 17:05:27 +0100
Subject: [PATCH 4/4] cli vars generate: mount test_store into bwrap

---
 pkgs/clan-cli/clan_cli/vars/generate.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pkgs/clan-cli/clan_cli/vars/generate.py b/pkgs/clan-cli/clan_cli/vars/generate.py
index fffd3f73c..ced01e90d 100644
--- a/pkgs/clan-cli/clan_cli/vars/generate.py
+++ b/pkgs/clan-cli/clan_cli/vars/generate.py
@@ -17,7 +17,7 @@ from clan_cli.completions import (
 from clan_cli.errors import ClanError
 from clan_cli.git import commit_files
 from clan_cli.machines.inventory import get_all_machines, get_selected_machines
-from clan_cli.nix import nix_shell
+from clan_cli.nix import nix_shell, nix_test_store
 from clan_cli.vars._types import StoreBase
 
 from .check import check_vars
@@ -78,6 +78,8 @@ class Generator:
 
 
 def bubblewrap_cmd(generator: str, tmpdir: Path) -> list[str]:
+    test_store = nix_test_store()
+
     # fmt: off
     return nix_shell(
         [
@@ -87,6 +89,7 @@ def bubblewrap_cmd(generator: str, tmpdir: Path) -> list[str]:
         [
             "bwrap",
             "--ro-bind", "/nix/store", "/nix/store",
+            *(["--ro-bind", str(test_store), str(test_store)] if test_store else []),
             "--tmpfs",  "/usr/lib/systemd",
             "--dev", "/dev",
             "--bind", str(tmpdir), str(tmpdir),