
vars

Attribute: clan.core.vars

Generated Variables

Define generators that prompt for or generate variables like facts and secrets to store, deploy, and rotate them easily. For example, generators can be used to:

  • prompt the user for input, like passwords or host names
  • generate secrets like private keys automatically when they are needed
  • output multiple values like private and public keys simultaneously

Type: submodule

vars

generators

Attribute: clan.core.vars.generators

A set of generators that can be used to generate files. Generators are scripts that produce files based on the values of other generators and user input. Each generator is expected to produce a set of files under a directory.

Type: attribute set of (submodule)

Default:

{ }

interface.nix

dependencies

Attribute: clan.core.vars.generators.<name>.dependencies

A list of other generators that this generator depends on. The output values of these generators will be available to the generator script as files.

For example:

A file file1 of a generator named dep1 will be available via $in/dep1/file1.

Type: list of string

Default:

[ ]

interface.nix

files

Attribute: clan.core.vars.generators.<name>.files

A set of files to generate. The generator 'script' is expected to produce exactly these files under $out.

Type: attribute set of (submodule)

interface.nix

deploy

Attribute: clan.core.vars.generators.<name>.files.<name>.deploy

Whether the file should be deployed to the target machine.

Set this to false if the generated file is only used as an input to other generators and never needs to reach the target machine.

Type: boolean

Default:

true

interface.nix

generatorName

Attribute: clan.core.vars.generators.<name>.files.<name>.generatorName

Readonly

Name of the generator.

Type: string

Default:

"Name of the generator that generates this file"

interface.nix

group

Attribute: clan.core.vars.generators.<name>.files.<name>.group

The group name or id that will own the file.

Type: unspecified value

Default:

"root"

interface.nix

mode

Attribute: clan.core.vars.generators.<name>.files.<name>.mode

The unix file mode of the file. Must be a 3-digit octal number.

Type: string matching the pattern ^[0-7]{3}$

Default:

"400"

interface.nix

name

Attribute: clan.core.vars.generators.<name>.files.<name>.name

Readonly

Name of the public fact.

Type: string

Default:

"Name of the file"

interface.nix

neededFor

Attribute: clan.core.vars.generators.<name>.files.<name>.neededFor

This option determines when the secret will be decrypted and deployed to the target machine.

  • partitioning: the secret is deployed before disko runs, which allows you to manage filesystem encryption keys. Such secrets are only deployed when the system is installed.
  • activation: the secret is deployed before nixos-rebuild or nixos-install runs.
  • users: the secret is deployed before users and groups are created, so users' passwords can be managed by vars. The secret is stored in /run/secrets-for-users, and its owner and group must be root.

Type: one of "partitioning", "activation", "users", "services"

Default:

"services"

interface.nix

owner

Attribute: clan.core.vars.generators.<name>.files.<name>.owner

The user name or id that will own the file.

Type: unspecified value

Default:

"root"

interface.nix

path

Attribute: clan.core.vars.generators.<name>.files.<name>.path

The path to the file containing the content of the generated value. This will be set automatically.

Type: string

interface.nix

secret

Attribute: clan.core.vars.generators.<name>.files.<name>.secret

Whether the file should be treated as a secret.

Type: boolean

Default:

true

interface.nix

value

Attribute: clan.core.vars.generators.<name>.files.<name>.value

The content of the generated value. Only available if the file is not secret.

Type: string

Default:

"Throws error because the value of a secret file is not accessible"

interface.nix

migrateFact

Attribute: clan.core.vars.generators.<name>.migrateFact

The fact service name to import the files from.

Use this to migrate legacy facts to the new vars system.

Type: null or string

Default:

null

Example:

"my_service"

interface.nix

name

Attribute: clan.core.vars.generators.<name>.name

Readonly

The name of the generator. This name will be used to refer to the generator in other generators.

Type: string

Default:

"Name of the generator"

interface.nix

prompts

Attribute: clan.core.vars.generators.<name>.prompts

A set of prompts to ask the user for values. Prompts are available to the generator script as files. For example, a prompt named 'prompt1' will be available via $prompts/prompt1.

Type: attribute set of (submodule)

Default:

{ }

interface.nix

description

Attribute: clan.core.vars.generators.<name>.prompts.<name>.description

The description of the prompted value.

Type: string

Default:

"Name of the prompt"

Example:

"SSH private key"

interface.nix

name

Attribute: clan.core.vars.generators.<name>.prompts.<name>.name

The name of the prompt. This name will be used to refer to the prompt in the generator script.

Type: string

Default:

"Name of the prompt"

interface.nix

persist

Attribute: clan.core.vars.generators.<name>.prompts.<name>.persist

Whether the prompted value should be stored in a file with the same name as the prompt.

If enabled, the behavior is equivalent to the following configuration:

{
  files.<name>.secret = true;
  script = "cp $prompts/<name> $out/<name>";
}

Type: boolean

Default:

false

interface.nix

type

Attribute: clan.core.vars.generators.<name>.prompts.<name>.type

The input type of the prompt. The following types are available:

  • hidden: A hidden text (e.g. password)
  • line: A single line of text
  • multiline: A multiline text

Type: one of "hidden", "line", "multiline"

Default:

"line"

interface.nix

runtimeInputs

Attribute: clan.core.vars.generators.<name>.runtimeInputs

A list of packages that the generator script requires. These packages will be available in the PATH when the script is run.

Type: list of package

Default:

[ ]

interface.nix

script

Attribute: clan.core.vars.generators.<name>.script

The script to run to generate the files. The script will be run with the following environment variables:

  • $in: The directory containing the output values of all declared dependencies
  • $out: The output directory to put the generated files
  • $prompts: The directory containing the prompted values as files

The script should produce the files specified in the 'files' attribute under $out.

Type: string or path

Default:

""

interface.nix

share

Attribute: clan.core.vars.generators.<name>.share

Whether the generated vars should be shared between machines. Shared vars are only generated once, when the first machine using them is deployed. Subsequent machines will re-use the already generated values.

Type: boolean

Default:

false

interface.nix

validation

Attribute: clan.core.vars.generators.<name>.validation

A set of values that invalidate the generated values. If any of these values change, the generated values will be re-generated. Lists are currently not allowed due to potential ordering issues.

Type: null or boolean or signed integer or string or attribute set of (boolean or signed integer or string or attribute set of (boolean or signed integer or string))

Default:

null

interface.nix
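The following NixOS module is an added example, not part of the clan documentation, that wires together the generator options described above: a hidden prompt whose plaintext is never written to $out (only the password hash becomes a secret, deployed in the users phase), a host key split into a secret private file and a non-secret public file, and a third generator consuming that public file through $in. The generator and file names, the use of pkgs.mkpasswd and pkgs.openssh, and the placeholder host name example.invalid are the example's own assumptions.

```nix
{ pkgs, config, ... }:
{
  # Prompt for a root password and store only its hash. The hash is needed
  # before users are created (neededFor = "users"); owner and group stay at
  # the default root, as that phase requires.
  clan.core.vars.generators.root-password = {
    prompts.password = {
      description = "Root password";
      type = "hidden";
      # persist stays false: the plaintext prompt is not copied to $out.
    };
    files.password-hash.neededFor = "users";
    runtimeInputs = [ pkgs.mkpasswd ];
    script = ''
      # -s reads the password from stdin instead of prompting interactively;
      # the trailing newline is stripped so the hash file holds only the hash.
      mkpasswd -m sha-512 -s < "$prompts/password" | tr -d '\n' > "$out/password-hash"
    '';
  };

  # Generate an SSH host key pair. The private half keeps the defaults
  # (secret = true, mode "400", owner root); the public half is marked
  # non-secret so its content is readable via files."id_ed25519.pub".value.
  clan.core.vars.generators.ssh-host-key = {
    files.id_ed25519 = { };
    files."id_ed25519.pub".secret = false;
    runtimeInputs = [ pkgs.openssh ];
    script = ''
      ssh-keygen -t ed25519 -N "" -C "" -f "$out/id_ed25519"
    '';
    # Changing this value invalidates the key and forces regeneration.
    validation.keyType = "ed25519";
  };

  # Consume the public half of the host key through $in/<generator>/<file>.
  clan.core.vars.generators.ssh-known-host = {
    dependencies = [ "ssh-host-key" ];
    files.known_hosts.secret = false;
    script = ''
      printf 'example.invalid %s\n' "$(cat "$in/ssh-host-key/id_ed25519.pub")" \
        > "$out/known_hosts"
    '';
  };

  # Point the NixOS user definition at the deployed hash via the
  # automatically set `path` option.
  users.mutableUsers = false;
  users.users.root.hashedPasswordFile =
    config.clan.core.vars.generators.root-password.files.password-hash.path;
}
```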

settings

Attribute: clan.core.vars.settings

publicStore

Attribute: clan.core.vars.settings.publicStore

Method to store public vars. "custom" can be used to define a custom public vars store.

Type: one of "in_repo", "vm", "custom"

Default:

"in_repo"

interface.nix

secretStore

Attribute: clan.core.vars.settings.secretStore

Method to store secret facts. "custom" can be used to define a custom secret var store.

Type: one of "sops", "password-store", "vm", "custom"

Default:

"sops"

interface.nix