From 32e6c40e3ef46fec476eb2069f21e788910a53b4 Mon Sep 17 00:00:00 2001
From: cinereal <cinereal@riseup.net>
Date: Sat, 5 Jul 2025 10:54:06 +0200
Subject: [PATCH] add file rights: owner, group, mode

further increases parity with
https://git.clan.lol/clan/clan-core/src/branch/main/nixosModules/clanCore/vars/interface.nix,
particularly:
-
https://git.clan.lol/clan/clan-core/commit/f540ab91a16a6120a593dbfab6b4583702938e91#diff-7b681998bb14b48b80f83251424be17c6e3ce3bf
-
https://git.clan.lol/clan/clan-core/commit/19a251d6fc86e286c3e0daac5f8d980c51bc8410#diff-7b681998bb14b48b80f83251424be17c6e3ce3bf
-
https://git.clan.lol/clan/clan-core/commit/222915a9ed2ad527f0208fd2859a80eacb2158de#diff-7b681998bb14b48b80f83251424be17c6e3ce3bf
---
 backends/on-machine.nix | 21 ++++++++++++++-------
 options.nix             | 13 +++++++++++++
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/backends/on-machine.nix b/backends/on-machine.nix
index a3f552e..df072b0 100644
--- a/backends/on-machine.nix
+++ b/backends/on-machine.nix
@@ -46,6 +46,12 @@ let
           fi
         '') (lib.attrValues gen.files)}
 
+        # outputs
+        out=$(mktemp -d)
+        trap 'rm -rf $out' EXIT
+        export out
+        mkdir -p "$out"
+
         if [ $all_files_missing = false ] && [ $all_files_present = false ] ; then
           echo "Inconsistent state for generator: ${gen.name}"
           exit 1
@@ -80,12 +86,6 @@ let
             '') (lib.attrValues config.vars.generators.${input}.files)}
           '') gen.dependencies}
 
-          # outputs
-          out=$(mktemp -d)
-          trap 'rm -rf $out' EXIT
-          export out
-          mkdir -p "$out"
-
           (
             # prepare PATH
             unset PATH
@@ -112,8 +112,15 @@ let
             mkdir -p "$(dirname "$OUT_FILE")"
             mv "$out"/${file.name} "$OUT_FILE"
           '') (lib.attrValues gen.files)}
-          rm -rf "$out"
         fi
+
+        # move the files to the correct location
+        ${lib.concatMapStringsSep "\n" (file: ''
+          OUT_FILE="$OUT_DIR"/${if file.secret then "secret" else "public"}/${file.generator}/${file.name}
+          chown ${file.owner}:${file.group} "''${OUT_FILE}"
+          chmod ${file.mode} "''${OUT_FILE}"
+        '') (lib.attrValues gen.files)}
+        rm -rf "$out"
       '') sortedGenerators}
     '';
   };
diff --git a/options.nix b/options.nix
index 3c390d0..377b2d4 100644
--- a/options.nix
+++ b/options.nix
@@ -82,6 +82,19 @@
                       default = generator.config.name;
                       defaultText = "Name of the generator";
                     };
+                    owner = lib.mkOption {
+                      description = "The user name or id that will own the file.";
+                      default = "root";
+                    };
+                    group = lib.mkOption {
+                      description = "The group name or id that will own the file.";
+                      default = "root";
+                    };
+                    mode = lib.mkOption {
+                      type = lib.types.strMatching "^[0-7]{4}$";
+                      description = "The unix file mode of the file. Must be a 4-digit octal number.";
+                      default = "0400";
+                    };
                     deploy = lib.mkOption {
                       description = ''
                         Whether the file should be deployed to the target machine.