Attribute: clan.core.vars
Generated Variables
Define generators that prompt for or generate variables and secrets to store, deploy, and rotate them easily. For example, generators can be used to:
Type: submodule
Declared in: nixosModules/clanCore/vars/secret/password-store.nix
Attribute: clan.core.vars.generators
A set of generators that can be used to generate files. Generators are scripts that produce files based on the values of other generators and user input. Each generator is expected to produce a set of files under a directory.
Type: attribute set of (submodule)
Default:
{ }
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.dependencies
A list of other generators that this generator depends on. The output values of these generators will be available to the generator script as files.
For example:
A file file1 of a generator named dep1 will be available via $in/dep1/file1
Type: list of string
Default:
[ ]
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.files
A set of files to generate. The generator 'script' is expected to produce exactly these files under $out.
Type: attribute set of (submodule)
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.deploy
Whether the file should be deployed to the target machine.
Disable this if the generated file is only used as an input to other generators.
Type: boolean
Default:
true
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.exists
Returns true if the file exists. This is used to guard against reading an unset value during evaluation. This currently only works for non-secret files.
Type: boolean
Default:
"Throws error because the existence of a secret file cannot be determined"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.flakePath
The path to the file containing the content of the generated value. This will be set automatically.
Type: null or absolute path
Default:
null
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.generatorName
Name of the generator.
Type: string
Default:
"Name of the generator that generates this file"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.group
The group name or id that will own the file.
Type: string
Default:
if pkgs.stdenv.hostPlatform.isDarwin then "wheel" else "root"
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.mode
The unix file mode of the file. Must be a 4-digit octal number.
Type: string matching the pattern ^[0-7]{4}$
Default:
"0400"
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.name
Readonly
Name of the public fact.
Type: string
Default:
"Name of the file"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.neededFor
This option determines when the secret will be decrypted and deployed to the target machine.
By setting this to partitioning, the secret will be deployed before disko runs, allowing you to manage filesystem encryption keys. These secrets are only deployed when installing the system.
By setting this to activation, the secret will be deployed before running nixos-rebuild or nixos-install.
By setting this to users, the secret will be deployed before users and groups are created, allowing users' passwords to be managed by vars. The secret will be stored in /run/secrets-for-users, and its owner and group must be root.
Type: one of "partitioning", "activation", "users", "services"
Default:
"services"
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.owner
The user name or id that will own the file.
Type: string
Default:
"root"
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.path
The path to the file containing the content of the generated value. This will be set automatically.
Type: string
Default:
''
  builtins.path {
    name = "$''${file.config.generatorName}_$''${file.config.name}";
    path = file.config.flakePath;
  }
''
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.restartUnits
A list of systemd units that should be restarted after the file is deployed. This is useful for services that need to reload their configuration after the file is updated.
WARNING: currently only sops-nix implements this option.
NOTE: This option is not supported on Darwin systems.
Type: list of string
Default:
[ ]
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.secret
Whether the file should be treated as a secret.
Type: boolean
Default:
true
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.generators.<name>.files.<name>.value
The content of the generated value. Only available if the file is not secret.
Type: string
Default:
"Throws error because the value of a secret file is not accessible"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.generators.<name>.name
Readonly
The name of the generator. This name will be used to refer to the generator in other generators.
Type: string
Default:
"Name of the generator"
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.prompts
A set of prompts to ask the user for values. Prompts are available to the generator script as files. For example, a prompt named 'prompt1' will be available via $prompts/prompt1
Type: attribute set of (submodule)
Default:
{ }
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.prompts.<name>.description
The description of the prompted value.
Type: string
Default:
"Name of the prompt"
Example:
"SSH private key"
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.prompts.<name>.display
Attribute: clan.core.vars.generators.<name>.prompts.<name>.display.group
The group to display the prompt in. This is useful to group prompts together.
Type: null or string
Default:
null
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.prompts.<name>.display.helperText
Additional text to display next to the prompt. This can be used to provide additional information about the prompt.
Type: null or string
Default:
null
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.prompts.<name>.display.label
The label to display for the prompt. If not set, the name of the prompt will be used.
Type: null or string
Default:
null
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.prompts.<name>.display.required
Whether the prompt is required. If set to false, the user will be able to continue without providing a value.
Type: boolean
Default:
true
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.prompts.<name>.name
The name of the prompt. This name will be used to refer to the prompt in the generator script.
Type: string
Default:
"Name of the prompt"
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.prompts.<name>.persist
Whether the prompted value should be stored in a file with the same name as the prompt.
If enabled, the behavior is equivalent to the following configuration:
{
  files.<name>.secret = true;
  script = "cp $prompts/<name> $out/<name>";
}
Type: boolean
Default:
false
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.prompts.<name>.type
The input type of the prompt. The following types are available:
Type: one of "hidden", "line", "multiline", "multiline-hidden"
Default:
"line"
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.runtimeInputs
A list of packages that the generator script requires. These packages will be available in the PATH when the script is run.
Type: list of package
Default:
[ ]
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.script
The script to run to generate the files. The script will be run with the following environment variables:
The script should produce the files specified in the 'files' attribute under $out.
Type: string or absolute path
Default:
""
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.share
Whether the generated vars should be shared between machines. Shared vars are only generated once, when the first machine using it is deployed. Subsequent machines will re-use the already generated values.
Type: boolean
Default:
false
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.generators.<name>.validation
A set of values that invalidate the generated values. If any of these values change, the generated values will be re-generated. Lists are not allowed as of now due to potential ordering issues.
Type: null or boolean or signed integer or string or attribute set of (boolean or signed integer or string or attribute set of (boolean or signed integer or string))
Default:
null
Declared in: nixosModules/clanCore/vars/interface.nix
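The generator options above combined into one configuration, as an added example that is not taken from the clan project. Generator, user and file names are hypothetical; it assumes pkgs.coreutils, pkgs.mkpasswd and pkgs.wireguard-tools from nixpkgs, a systemd-network user on the target, and that files.<name>.path resolves to the deployed location of a secret file.

```nix
{ config, pkgs, ... }:
{
  clan.core.vars.generators = {
    # Plaintext password: prompted once and used only as an input to
    # demo-admin-hash, so it is never deployed to the target machine.
    demo-admin-password = {
      prompts.password = {
        description = "Password for the demo admin user";
        type = "hidden";
      };
      files.password.deploy = false;
      runtimeInputs = [ pkgs.coreutils ];
      script = ''cp "$prompts/password" "$out/password"'';
    };

    # Only the salted hash reaches the target machine.
    demo-admin-hash = {
      dependencies = [ "demo-admin-password" ];
      # Deployed before users are created; owner and group keep their
      # root defaults, as neededFor = "users" requires.
      files.password-hash.neededFor = "users";
      runtimeInputs = [ pkgs.coreutils pkgs.mkpasswd ];
      script = ''
        mkpasswd -s -m sha-512 < "$in/demo-admin-password/password" \
          | tr -d '\n' > "$out/password-hash"
      '';
    };

    # Key pair: the private half is a secret with a restrictive owner and
    # mode, the public half is a non-secret var readable during evaluation.
    demo-wireguard = {
      files.privatekey = {
        owner = "systemd-network";
        mode = "0400";
      };
      files.publickey.secret = false;
      runtimeInputs = [ pkgs.wireguard-tools ];
      script = ''
        wg genkey > "$out/privatekey"
        wg pubkey < "$out/privatekey" > "$out/publickey"
      '';
    };
  };

  users.users.demo-admin = {
    isNormalUser = true;
    hashedPasswordFile =
      config.clan.core.vars.generators.demo-admin-hash.files.password-hash.path;
  };
}
```

Each script writes exactly the files declared under files, and the only file with secret = false is the WireGuard public key, so nothing sensitive ends up in the repository in clear text.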
Attribute: clan.core.vars.globalSettings
Attribute: clan.core.vars.globalSettings.fileModule
Attribute: clan.core.vars.globalSettings.fileModule.exists
Returns true if the file exists. This is used to guard against reading an unset value during evaluation. This currently only works for non-secret files.
Type: boolean
Default:
"Throws error because the existence of a secret file cannot be determined"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.globalSettings.fileModule.flakePath
The path to the file containing the content of the generated value. This will be set automatically.
Type: null or absolute path
Default:
null
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.globalSettings.fileModule.generatorName
Name of the generator.
Type: string
Default:
"Name of the generator that generates this file"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.globalSettings.fileModule.name
Readonly
Name of the public fact.
Type: string
Default:
"Name of the file"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.globalSettings.fileModule.path
The path to the file containing the content of the generated value. This will be set automatically.
Type: string
Default:
''
  builtins.path {
    name = "$''${file.config.generatorName}_$''${file.config.name}";
    path = file.config.flakePath;
  }
''
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.globalSettings.fileModule.secret
Whether the file should be treated as a secret.
Type: boolean
Default:
true
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.globalSettings.fileModule.value
The content of the generated value. Only available if the file is not secret.
Type: string
Default:
"Throws error because the value of a secret file is not accessible"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.globalSettings.publicStore
Method to store public vars. Currently only 'in_repo' is supported, which stores public vars in the clan repository.
Type: value "in_repo" (singular enum)
Default:
"in_repo"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.globalSettings.secretStore
Method to store secret vars. Use custom to define a custom secret var store.
Type: one of "sops", "password-store", "vm", "fs", "custom"
Default:
"sops"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.password-store
Attribute: clan.core.vars.password-store.passCommand
Password store command to use, must be available in PATH. E.g.
Type: one of "pass", "passage"
Default:
"passage"
Declared in: nixosModules/clanCore/vars/secret/password-store.nix
Attribute: clan.core.vars.password-store.secretLocation
location where the tarball with the password-store secrets will be uploaded to and the manifest
Type: absolute path
Default:
"/etc/secret-vars"
Declared in: nixosModules/clanCore/vars/secret/password-store.nix
Attribute: clan.core.vars.settings
Settings for the vars module.
Type: submodule
Default:
{ }
Declared in: nixosModules/clanCore/vars/interface.nix
Attribute: clan.core.vars.settings.fileModule
Attribute: clan.core.vars.settings.fileModule.exists
Returns true if the file exists. This is used to guard against reading an unset value during evaluation. This currently only works for non-secret files.
Type: boolean
Default:
"Throws error because the existence of a secret file cannot be determined"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.settings.fileModule.flakePath
The path to the file containing the content of the generated value. This will be set automatically.
Type: null or absolute path
Default:
null
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.settings.fileModule.generatorName
Name of the generator.
Type: string
Default:
"Name of the generator that generates this file"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.settings.fileModule.name
Readonly
Name of the public fact.
Type: string
Default:
"Name of the file"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.settings.fileModule.path
The path to the file containing the content of the generated value. This will be set automatically.
Type: string
Default:
''
  builtins.path {
    name = "$''${file.config.generatorName}_$''${file.config.name}";
    path = file.config.flakePath;
  }
''
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.settings.fileModule.secret
Whether the file should be treated as a secret.
Type: boolean
Default:
true
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.settings.fileModule.value
The content of the generated value. Only available if the file is not secret.
Type: string
Default:
"Throws error because the value of a secret file is not accessible"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.settings.publicStore
Method to store public vars. Currently only 'in_repo' is supported, which stores public vars in the clan repository.
Type: value "in_repo" (singular enum)
Default:
"in_repo"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.settings.secretStore
Method to store secret vars. Use custom to define a custom secret var store.
Type: one of "sops", "password-store", "vm", "fs", "custom"
Default:
"sops"
Declared in: modules/clan/vars/settings-opts.nix
Attribute: clan.core.vars.sops
Attribute: clan.core.vars.sops.secretUploadDirectory
The directory where sops-related files are uploaded to on the target machine. This includes the age private key used for decryption and activation secrets.
Type: absolute path
Default:
"/var/lib/sops-nix"
Declared in: nixosModules/clanCore/vars/secret/sops