NixOS Module System
| Sender | Message | Time |
|---|---|---|
| 19 Dec 2025 | ||
| I'm writing a NixOS module for the bore TCP tunnel service. So far I have a working version in my own flake that I'm using in a few of my servers right now: https://github.com/zSuperx/nix-bore. But I was thinking that this could be nice to have within nixpkgs itself as a builtin module, so I'm going through the contributing guide for modules and editing some of the types and whatnot. These are the questions I have right now: Since the module I'm writing has options for setting ports, I'm assuming I should be using `type = lib.types.port` whenever possible? Likewise, I'm adding a `secretFile` option so the systemd service reads the secret from a file rather than plaintext. Should I be using `type = lib.types.path` for this option? I see a few path options in the type definitions file for nixpkgs, so just wanted to double check. When actually evaluating and creating the systemd service file, since the set options values are being processed and interpolated into the `serviceConfig.ExecStart` bash script, when should I be using `lib.escapeShellArg(s)`? and last thing (for now) that I'm unsure about is the use of `lib.literalExpression`. I see it show up in a few modules I've been reading here and there, but I don't know what the actual use-case is or when it's preferred over a string. sorry if this is a lot of text to send at once. I had originally asked someone via the NixOS discord, and they directed me here. Let me know if I should post this in a different channel or something. And thanks in advance! | 02:40:31 | |
| yes, lib.types.port | 02:49:24 | |
| for secrets either lib.types.str, because paths could leak into the store, which is world-readable | 02:49:50 | |
| alternatively lib.types.pathWith { inStore = false; } | 02:50:07 | |
| but that might make it hard to test | 02:50:11 | |
| escapeShellArgs makes sense when there is user input, that needs escaping | 02:51:18 | |
| there is also utils.escapeSystemdExecArgs, which is more suited to systemd units | 02:51:35 | |
| okay, i have the raw secret option as str, but you're saying make the secretFile option also just a str? | 02:51:36 | |
| the nixos config being built might also end up in the nix store, so plain text secret string options are also a bad idea | 02:52:27 | |
| I would also recommend to construct ExecStart from a list for proper tokenization | 02:52:47 | |
| so escapeShellArgs or escapeSystemdExecArgs, the plural versions | 02:53:00 | |
| literalExpression gets used in e.g. defaultText or exampleText to render the string as nix code without evaluating it | 02:53:37 | |
| it gets rendered in place of the actual default or example value | 02:53:49 | |
| which might be a reference to something else | 02:54:06 | |
| regarding this, my plan is to create a raw secret option as well as a secretFile option (where the latter takes precedence), just to keep options open for users. But I'll use a regular str for both to avoid secret paths getting copied to the store. | 02:57:58 | |
| the raw secret string option is a bad idea | 02:58:32 | |
| but it's fine if used with sopsnix right? | 02:58:59 | |
| they pass files | 02:59:24 | |
| not strings | 02:59:25 | |
| I have not yet set up/learned how sopsnix works, so I am unsure tbh | 02:59:31 | |
| agenix/sopsnix encrypt and pass files | 02:59:42 | |
| i see, okay thanks | 02:59:57 | |
| then I'll re-evaluate how I go about this. but thanks for the advice regardless! | 03:00:17 | |