data-mesher: don't set owner for public_key

move single dont-depend-on-repo-root check into checks
Doesn't seem to be a pattern yet with a single check.
2025-05-08 17:10:38 +02:00 · 2025-05-08 17:07:43 +02:00 · 2025-05-08 17:07:43 +02:00
4 changed files with 22 additions and 10 deletions
--- a/checks/sanity-checks/dont-depend-on-repo-root.nix
+++ b/checks/sanity-checks/dont-depend-on-repo-root.nix
--- a/checks/flake-module.nix
+++ b/checks/flake-module.nix
@@ -14,7 +14,7 @@ in
    ./installation/flake-module.nix
    ./morph/flake-module.nix
    ./nixos-documentation/flake-module.nix
-    ./sanity-checks/dont-depend-on-repo-root.nix
+    ./dont-depend-on-repo-root.nix
  ];
  perSystem =
    {
--- a/clanModules/data-mesher/shared.nix
+++ b/clanModules/data-mesher/shared.nix
@@ -105,10 +105,7 @@ in
          private_key = {
            inherit owner;
          };
-          public_key = {
-            inherit owner;
-            secret = false;
-          };
+          public_key.secret = false;
        };

      runtimeInputs = [
@@ -134,10 +131,7 @@ in
          private_key = {
            inherit owner;
          };
-          public_key = {
-            inherit owner;
-            secret = false;
-          };
+          public_key.secret = false;
        };

      runtimeInputs = [
--- a/nixosModules/clanCore/vars/default.nix
+++ b/nixosModules/clanCore/vars/default.nix
@@ -58,7 +58,25 @@ in
              )
            )
            ''
-              The config.clan.core.vars.generators.${generator.name}.files.${file.name} is not secret, but has non-default owner/group/mode set.
+              The config.clan.core.vars.generators.${generator.name}.files.${file.name} is not secret:
+              ${lib.optionalString
+                (file.owner != "root")
+                ''
+                  The owner is set to ${file.owner}, but should be root.
+                ''
+              }
+              ${lib.optionalString
+                (file.group != (if _class == "darwin" then "wheel" else "root"))
+                ''
+                  The group is set to ${file.group}, but should be ${if _class == "darwin" then "wheel" else "root"}.
+                ''
+              }
+              ${lib.optionalString
+                (file.mode != "0400")
+                ''
+                  The mode is set to ${file.mode}, but should be 0400.
+                ''
+              }
              This doesn't work because the file will be added to the nix store
            ''
      ) [ ] (lib.attrValues generator.files)
Author	SHA1	Message	Date
Jörg Thalheim	223b81a8f5	data-mesher: don't set owner for public_key	2025-05-08 17:10:38 +02:00
Jörg Thalheim	2794da9a73	move single dont-depend-on-repo-root check into checks Doesn't seem to be a pattern yet with a single check.	2025-05-08 17:07:43 +02:00
Jörg Thalheim	93d20f48c9	vars: improve warnings for non-public secrets	2025-05-08 17:07:43 +02:00