For secrets not part of the nix store there is no other way in NixOS to
restart a service after the secret is updated. One example is changing
password in userborn, which doesn't run as an activation script but as a
systemd service.
Create a store path per in-repo secret/var to be copied; this prevents
unused secrets from being leaked.
For example the `root-password` generator contains both the hashed and
unhashed password but only the hash is used.
revert vars: use writeShellApplication to shellcheck generators
Cannot re-generate the vars for data-mesher or any of our tests anymore
cc @DavHau @Qubasa Can we work together to fix this?
I like shellchecking, but if we lose the ability to add tests, that's unfortunate.
This is blocking: the new 'restic' and 'zerotier' migrations because we need to write integration tests from the beginning.
There is no reason that there needs to be a default. Machines are usually defined as an attrset, so there is no reason to have a default.
Also make this readOnly as we never want to override it.
This will change in the future once we finish the networking Clan module
and we'll have a reliable way of addressing every node automagically.
Until then, this will have to do.
Calling it fix in double quotes since that's still quite hand-crafted,
but at least you can now specify options with `@` inside them (e.g.
`ProxyJump`) and have it work properly.
Moreover this fixes the syntax for GET-like variables in the networking
clanCore module. Only the fixed syntax is supported since that's what
was tested, and actually parsed in the code.
Also replace `documentation.nixos.enable = false` with
`documentation.doc.enable` to opt out of only `nixos-help` and the HTML
manual but leave `man configuration.nix`.
Change `prompt.persist` default to false.
We want a consistent default that is not conditionally dependent on
other values.
This makes communication on how the functionality is used more
consistent and easier to understand.
Some tests were referring to the whole source code via ${self}, which made them rebuild on every single commit.
This is now mitigated by introducing `self.filter { include = [...]; }` allowing to a content-addressed subset of the source code in tests.