From 52ee8bab58593573f809374b79c009dfa832d52a Mon Sep 17 00:00:00 2001 From: cinereal Date: Sat, 5 Jul 2025 10:54:06 +0200 Subject: [PATCH 1/3] add file rights: owner, group, mode further increases parity with https://git.clan.lol/clan/clan-core/src/branch/main/nixosModules/clanCore/vars/interface.nix, particularly: - https://git.clan.lol/clan/clan-core/commit/f540ab91a16a6120a593dbfab6b4583702938e91#diff-7b681998bb14b48b80f83251424be17c6e3ce3bf - https://git.clan.lol/clan/clan-core/commit/19a251d6fc86e286c3e0daac5f8d980c51bc8410#diff-7b681998bb14b48b80f83251424be17c6e3ce3bf - https://git.clan.lol/clan/clan-core/commit/222915a9ed2ad527f0208fd2859a80eacb2158de#diff-7b681998bb14b48b80f83251424be17c6e3ce3bf --- backends/on-machine.nix | 21 ++++++++++++++------- options.nix | 13 +++++++++++++ 2 files changed, 27 insertions(+), 7 deletions(-) diff --git a/backends/on-machine.nix b/backends/on-machine.nix index a3f552e..df072b0 100644 --- a/backends/on-machine.nix +++ b/backends/on-machine.nix @@ -46,6 +46,12 @@ let fi '') (lib.attrValues gen.files)} + # outputs + out=$(mktemp -d) + trap 'rm -rf $out' EXIT + export out + mkdir -p "$out" + if [ $all_files_missing = false ] && [ $all_files_present = false ] ; then echo "Inconsistent state for generator: ${gen.name}" exit 1 @@ -80,12 +86,6 @@ let '') (lib.attrValues config.vars.generators.${input}.files)} '') gen.dependencies} - # outputs - out=$(mktemp -d) - trap 'rm -rf $out' EXIT - export out - mkdir -p "$out" - ( # prepare PATH unset PATH 
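Review bot: The relocated `trap 'rm -rf $out' EXIT` expands `$out` unquoted when the trap fires, so a `TMPDIR` containing whitespace or glob characters would make `rm -rf` operate on paths other than the temporary directory. Quoting inside the trap avoids that: `trap 'rm -rf "$out"' EXIT`. The `mkdir -p "$out"` that follows is redundant, since `mktemp -d` has already created the directory. The enclosing per-generator script starts and ends outside this hunk, so how the trap interacts with the other generators is not visible here.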
@@ -112,8 +112,15 @@ let mkdir -p "$(dirname "$OUT_FILE")" mv "$out"/${file.name} "$OUT_FILE" '') (lib.attrValues gen.files)} - rm -rf "$out" fi + + # move the files to the correct location + ${lib.concatMapStringsSep "\n" (file: '' + OUT_FILE="$OUT_DIR"/${if file.secret then "secret" else "public"}/${file.generator}/${file.name} + chown ${file.owner}:${file.group} "''${OUT_FILE}" + chmod ${file.mode} "''${OUT_FILE}" + '') (lib.attrValues gen.files)} + rm -rf "$out" '') sortedGenerators} ''; }; diff --git a/options.nix b/options.nix index 3c390d0..377b2d4 100644 --- a/options.nix +++ b/options.nix @@ -82,6 +82,19 @@ default = generator.config.name; defaultText = "Name of the generator"; }; + owner = lib.mkOption { + description = "The user name or id that will own the file."; + default = "root"; + }; + group = lib.mkOption { + description = "The group name or id that will own the file."; + default = "root"; + }; + mode = lib.mkOption { + type = lib.types.strMatching "^[0-7]{4}$"; + description = "The unix file mode of the file. Must be a 4-digit octal number."; + default = "0400"; + }; deploy = lib.mkOption { description = '' Whether the file should be deployed to the target machine. From f5ec539a6815ef907c8c7f9e0ff40a9abaab973b Mon Sep 17 00:00:00 2001 From: cinereal Date: Wed, 13 Aug 2025 11:02:12 +0200 Subject: [PATCH 2/3] default mode --- options.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/options.nix b/options.nix index 377b2d4..80595b4 100644 --- a/options.nix +++ b/options.nix @@ -93,7 +93,7 @@ mode = lib.mkOption { type = lib.types.strMatching "^[0-7]{4}$"; description = "The unix file mode of the file. Must be a 4-digit octal number."; - default = "0400"; + default = if file.config.group == "root" then "0400" else "0440"; }; deploy = lib.mkOption { description = '' From 8cf40cc342947742016b32de06728798b8a990ba Mon Sep 17 00:00:00 2001 
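Review bot: A freshly generated secret is moved to its final path by the `mv` inside the `if`, but it only receives `file.mode` in the new loop after `fi`. Until then it sits there with whatever mode the generator script produced, which depends on a umask the hunk does not show. Adding `chmod ${file.mode} "$out"/${file.name}` just before the `mv` would close that window, while the loop after `fi` keeps enforcing rights on files that already exist. The new `chown` line also interpolates `file.owner` and `file.group` into the script unescaped; `chown ${lib.escapeShellArg "${file.owner}:${file.group}"} "$OUT_FILE"` stops an unusual value from being parsed as shell. The comment `# move the files to the correct location` describes the `mv` above rather than this loop, so `# apply owner, group and mode` would fit better.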
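Review bot: The `mode` type `lib.types.strMatching "^[0-7]{4}$"` accepts setuid, setgid and sticky bits as well as world-readable values such as `0644`, even for files that the backend places under `secret/`. If the special bits are not needed, `lib.types.strMatching "^0[0-7]{3}$"` would reject them at evaluation time. The description could also state that the leading digit holds the special bits and that secret files should keep the "other" digit at 0. The surrounding submodule starts and ends outside the hunk, so whether `secret` can be consulted from this option is not visible here.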
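Review bot: The new `default` for `mode` depends on `file.config.group` but has no `defaultText`, although the neighbouring option in the context lines sets one. Generated option documentation would then have to evaluate the expression rather than show it. Adding `defaultText = lib.literalExpression ''if group == "root" then "0400" else "0440"'';` documents the rule. The comparison is also by name only, so `group = "0"` gets `0440` even though the description allows an id; either note that in the description or compare against both spellings.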
From: cinereal Date: Thu, 21 Aug 2025 11:53:11 +0200 Subject: [PATCH 3/3] specify option types --- options.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/options.nix b/options.nix index 80595b4..56698f1 100644 --- a/options.nix +++ b/options.nix @@ -84,15 +84,17 @@ }; owner = lib.mkOption { description = "The user name or id that will own the file."; + type = lib.types.str; default = "root"; }; group = lib.mkOption { description = "The group name or id that will own the file."; + type = lib.types.str; default = "root"; }; mode = lib.mkOption { - type = lib.types.strMatching "^[0-7]{4}$"; description = "The unix file mode of the file. Must be a 4-digit octal number."; + type = lib.types.strMatching "^[0-7]{4}$"; default = if file.config.group == "root" then "0400" else "0440"; }; deploy = lib.mkOption {
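Review bot: With `type = lib.types.str` on `owner` and `group`, a numeric id written as a Nix integer is now rejected, while the descriptions still say "user name or id" without mentioning the form. Rewording them to `"The user name or numeric id (as a string) that will own the file."`, and likewise for `group`, makes the expected form explicit. `lib.types.str` also still admits empty strings and values containing whitespace, and both options end up in the `chown` call in `backends/on-machine.nix`. A `lib.types.strMatching` pattern for valid account names and ids would catch such values at evaluation time.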