Troubleshooting Vars
Quick reference for diagnosing and fixing vars issues. For basic usage, see the Getting Started guide.
Common Issues
Generator Script Fails
Symptom: Error during clan vars generate or deployment
Possible causes and solutions:
-
Missing runtime inputs
-
Wrong output path
-
Missing declared files
Cannot Access Generated Files
Symptom: "attribute 'value' missing" or file not found
Solutions:
-
Secret files don't have
.value# Wrong - secret files can't use .value files."secret" = { secret = true; }; # ... environment.etc."app.conf".text = config.clan.core.vars.generators.app.files."secret".value; # Correct - use .path for secrets environment.etc."app.conf".source = config.clan.core.vars.generators.app.files."secret".path; -
Public files should use
.value
Dependencies Not Available
Symptom: "No such file or directory" when accessing $in/...
Solution: Declare dependencies correctly
clan.core.vars.generators.child = {
# Wrong - missing dependency
script = ''
cat $in/parent/file > $out/newfile
'';
# Correct
dependencies = [ "parent" ];
script = ''
cat $in/parent/file > $out/newfile
'';
};
Permission Denied
Symptom: Service cannot read generated secret file
Solution: Set correct ownership and permissions
files."service.key" = {
secret = true;
owner = "myservice"; # Match service user
group = "myservice";
mode = "0400"; # Read-only for owner
};
Vars Not Regenerating
Symptom: Changes to generator script don't trigger regeneration
Solution: Use --regenerate flag
Prompts Not Working
Symptom: Script fails with "No such file or directory" for prompts
Solution: Access prompts correctly
# Wrong
script = ''
echo $password > $out/file
'';
# Correct
prompts.password.type = "hidden";
script = ''
cat $prompts/password > $out/file
'';
Debugging Techniques
1. Check Generator Status
See what vars are set:
2. Inspect Generated Files
For shared vars:
For per-machine vars:
3. Test Generators Locally
Create a test script to debug:
# test-generator.nix
{ pkgs ? import <nixpkgs> {} }:
pkgs.stdenv.mkDerivation {
name = "test-generator";
buildInputs = [ pkgs.openssl ]; # Your runtime inputs
buildCommand = ''
# Your generator script here
mkdir -p $out
openssl rand -hex 32 > $out/secret
ls -la $out/
'';
}
Run with:
4. Enable Debug Logging
Set debug mode:
5. Check File Permissions
Verify generated secret permissions:
Recovery Procedures
Regenerate All Vars
If vars are corrupted or need refresh:
# Regenerate all for a machine
clan vars generate my-machine --regenerate
# Regenerate specific generator
clan vars generate my-machine --generator my-generator --regenerate
Manual Secret Injection
For recovery or testing:
# Set a var manually (bypass generator)
echo "temporary-secret" | clan vars set my-machine my-generator/my-file
Restore from Backup
Vars are stored in the repository:
# Restore previous version
git checkout HEAD~1 -- vars/
# Check and regenerate if needed
clan vars list my-machine
Storage Backend Issues
SOPS Decryption Fails
Symptom: "Failed to decrypt" or permission errors
Solution: Ensure your user/machine has the correct age keys configured. Clan manages encryption keys automatically based on the configured users and machines in your flake.
Check that: 1. Your machine is properly configured in the flake 2. Your user has access to the machine's secrets 3. The age key is available in the expected location
Password Store Issues
Symptom: "pass: store not initialized"
Solution: Initialize password store:
Getting Help
If these solutions don't resolve your issue:
- Check the clan-core issue tracker
- Ask in the Clan community channels
- Provide:
- The generator configuration
- The exact error message
- Output of
clan --debug vars generate