For secrets not part of the nix store there is no other way in NixOS to
restart a service after the secret is updated. One example is changing
password in userborn, which doesn't run as a activation script but as a
systemd service.
Create a store path per in repo secret/var to be copied, this prevents
unused secrets from being leaked.
For example the `root-password` generator contains both the hashed and
unhashed password but only the hash is used.
revert vars: use writeShellApplication to shellcheck generators
Cannot re-generate the vars for data-mesher or any of our tests anymore
cc @DavHau @Qubasa Can we work together to fix this.
I like shellchecking but if we loose the ability to add tests thats unfortunate
This is blocking: the new 'restic' and 'zerotier' migrations because we need to write integration tests from the beginning.
There is not reason that there needs to be a default. Machines are usually defined as an attrset, so there is no reason to have a default.
Also make this readOnly as we never want to override it.
This will change in the future once we finish the networking Clan module
and we'll have a reliable way of addressing every node automagically.
Until then, this will have to do.
Calling it fix in double quotes since that's still quite hand-crafted,
but at least you can now specify options with `@` inside them (e.g.
`ProxyJump`) and have it work properly.
Moreover this fixes the syntax for GET-like variables in the networking
clanCore module. Only the fixed syntax is supported since that's what
was tested, and actually parsed in the code.
Also replace `documentation.nixos.enable = false` with
`documentation.doc.enable` to opt out of only `nixos-help` and the HTML
manual but leave `man configuration.nix`.
Change `prompt.persist` default to false.
We want a consistent default that is not conditionally dependent on
other values.
This makes communication on how the functionality is used more
consistent and easier understood.
