Merge pull request 'user-password: migrate to vars' (#3227) from user-password into main

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/3227

checks/installation-without-system/flake-module.nix

@@ -164,6 +164,7 @@
               imports = [
                 (modulesPath + "/../tests/common/auto-format-root-device.nix")
               ];
+              networking.useNetworkd = true;
               services.openssh.enable = true;
               system.nixos.variant_id = "installer";
               environment.systemPackages = [ pkgs.nixos-facter ];
@@ -192,6 +193,7 @@
               system.extraDependencies = dependencies;
             };
           nodes.client = {
+            networking.useNetworkd = true;
             environment.systemPackages = [
               self.packages.${pkgs.system}.clan-cli
             ] ++ self.packages.${pkgs.system}.clan-cli.runtimeDependencies;

checks/installation/flake-module.nix

@@ -20,6 +20,7 @@
           (modulesPath + "/profiles/qemu-guest.nix")
           ../lib/minify.nix
         ];
+        networking.useNetworkd = true;
 
         environment.etc."install-successful".text = "ok";
 
@@ -140,6 +141,7 @@
               imports = [
                 (modulesPath + "/../tests/common/auto-format-root-device.nix")
               ];
+              networking.useNetworkd = true;
               services.openssh.enable = true;
               users.users.root.openssh.authorizedKeys.keyFiles = [ ../lib/ssh/pubkey ];
               system.nixos.variant_id = "installer";
@@ -163,6 +165,7 @@
               system.extraDependencies = dependencies;
             };
           nodes.client = {
+            networking.useNetworkd = true;
             environment.systemPackages = [
               self.packages.${pkgs.system}.clan-cli
             ] ++ self.packages.${pkgs.system}.clan-cli.runtimeDependencies;

clanModules/user-password/roles/default.nix

@@ -25,27 +25,25 @@ in
   config = {
     users.mutableUsers = false;
     users.users.${cfg.user} = {
-      hashedPasswordFile = config.clan.core.facts.services.user-password.secret.user-password-hash.path;
+      hashedPasswordFile = config.clan.core.vars.generators.user-password.files.user-password-hash.path;
       isNormalUser = lib.mkDefault true;
     };
 
-    sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
+    clan.core.vars.generators.user-password = {
-      "${config.clan.core.settings.machine.name}-user-password-hash".neededForUsers = true;
+      files.user-password-hash.neededFor = "users";
-    };
 
-    clan.core.facts.services.user-password = {
+      prompts.user-password.type = "hidden";
-      secret.user-password = { };
+      prompts.user-password.persist = true;
-      secret.user-password-hash = { };
+      prompts.user-password.description = "You can autogenerate a password, if you leave this prompt blank.";
-      generator.prompt = (
+      files.user-password.deploy = false;
-        lib.mkIf config.clan.user-password.prompt "Set the password for your user '${config.clan.user-password.user}'.
+
-      You can autogenerate a password, if you leave this prompt blank."
+      migrateFact = "user-password";
-      );
+      runtimeInputs = [
-      generator.path = with pkgs; [
+        pkgs.coreutils
-        coreutils
+        pkgs.xkcdpass
-        xkcdpass
+        pkgs.mkpasswd
-        mkpasswd
       ];
-      generator.script = ''
+      script = ''
         if [[ -n ''${prompt_value-} ]]; then
           echo $prompt_value | tr -d "\n" > $secrets/user-password
         else

pkgs/clan-cli/tests/test_secrets_generate.py

@@ -81,9 +81,6 @@ def test_generate_secret(
         Machine(name="vm2", flake=Flake(str(test_flake_with_core.path)))
     )
 
-    # Should not exist clan facts generate
-    assert not store2.exists("", "password")
-    assert not store2.exists("", "password-hash")
     # clan vars generate
     # TODO: Test vars
     # varsStore = VarsSecretStore(
@@ -101,8 +98,6 @@ def test_generate_secret(
     # set_prompts(str(test_flake_with_core.path), "vm2", [password_update])
     # assert varsStore.exists(generator, "root-password")
 
-    assert store2.exists("", "user-password")
-    assert store2.exists("", "user-password-hash")
     assert store2.exists("", "age.key")
     assert store2.exists("", "zerotier-identity-secret")
 
@@ -113,11 +108,3 @@ def test_generate_secret(
     age_secret = store2.get("", "age.key").decode()
     assert age_secret.isprintable()
     assert is_valid_age_key(age_secret)
-
-    # Assert that user-password is valid
-    pwd_secret = store2.get("", "user-password").decode()
-    assert pwd_secret.isprintable()
-    assert pwd_secret.isascii()
-    pwd_hash = store2.get("", "user-password-hash").decode()
-    assert pwd_hash.isprintable()
-    assert pwd_hash.isascii()

pkgs/clan-cli/tests/test_secrets_password_store.py

@@ -85,18 +85,4 @@ def test_upload_secret(
     assert zerotier_identity_secret.exists()
     assert store.exists("", "zerotier-identity-secret")
 
-    assert store.exists("", "user-password")
-    assert store.exists("", "user-password-hash")
     assert store.exists("", "zerotier-identity-secret")
-
-    # Since root-password uses Vars they should not be uploaded / generated by the facts
-    assert not store.exists("", "password")
-    assert not store.exists("", "password-hash")
-
-    # Assert that user-password is valid
-    pwd_secret = store.get("", "user-password").decode()
-    assert pwd_secret.isprintable()
-    assert pwd_secret.isascii()
-    pwd_hash = store.get("", "user-password-hash").decode()
-    assert pwd_hash.isprintable()
-    assert pwd_hash.isascii()