yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request 'Migrate clanModule root-password to vars' (#2701) from hsjobeki/clan-core:vars/root-password into main

Browse Source 
Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/2701
This commit is contained in:
hsjobeki
2025-01-14 16:42:29 +00:00
parent a240bbcf04 57c4e8e929
commit 968f427404
3 changed files with 44 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
clanModules/root-password/default.nix
View File

@@ -1,29 +1,34 @@
{ {
pkgs, pkgs,
config, config,
lib,
... ...
}: }:
{ {
users.mutableUsers = false; users.mutableUsers = false;
users.users.root.hashedPasswordFile = users.users.root.hashedPasswordFile =
config.clan.core.facts.services.root-password.secret.password-hash.path; config.clan.core.vars.generators.root-password.files.password-hash.path;
sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") { clan.core.vars.generators.root-password = {
"${config.clan.core.settings.machine.name}-password-hash".neededForUsers = true; files.password-hash = {
neededFor = "users";
}; };
migrateFact = "root-password";
clan.core.facts.services.root-password = { runtimeInputs = [
secret.password = { }; pkgs.coreutils
secret.password-hash = { }; pkgs.mkpasswd
generator.path = with pkgs; [ pkgs.xkcdpass
coreutils
xkcdpass
mkpasswd
]; ];
generator.script = '' prompts.password.type = "hidden";
xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > $secrets/password prompts.password.description = "You can autogenerate a password, if you leave this prompt blank.";
cat $secrets/password | mkpasswd -s -m sha-512 | tr -d "\n" > $secrets/password-hash
script = ''
prompt_value=$(cat $prompts/password)
if [[ -n ''${prompt_value-} ]]; then
echo $prompt_value | tr -d "\n" > $out/password
else
xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > $out/password
fi
mkpasswd -s -m sha-512 < $out/password | tr -d "\n" > $out/password-hash
''; '';
}; };
} }

30
pkgs/clan-cli/tests/test_secrets_generate.py
View File

@@ -81,8 +81,26 @@ def test_generate_secret(
Machine(name="vm2", flake=FlakeId(str(test_flake_with_core.path))) Machine(name="vm2", flake=FlakeId(str(test_flake_with_core.path)))
) )
assert store2.exists("", "password") # Should not exist clan facts generate
assert store2.exists("", "password-hash") assert not store2.exists("", "password")
assert not store2.exists("", "password-hash")
# clan vars generate
# TODO: Test vars
# varsStore = VarsSecretStore(
# machine=Machine(name="vm2", flake=FlakeId(str(test_flake_with_core.path)))
# )
# generators = get_generators(str(test_flake_with_core.path), "vm2")
# generator = next((gen for gen in generators if gen.name == "root-password"), None)
# if not generator:
# raise Exception("Generator not found")
# password_update = GeneratorUpdate(
# generator=generator.name, prompt_values={"password": "1234"}
# )
# set_prompts(str(test_flake_with_core.path), "vm2", [password_update])
# assert varsStore.exists(generator, "root-password")
assert store2.exists("", "user-password") assert store2.exists("", "user-password")
assert store2.exists("", "user-password-hash") assert store2.exists("", "user-password-hash")
assert store2.exists("", "age.key") assert store2.exists("", "age.key")
@@ -96,14 +114,6 @@ def test_generate_secret(
assert age_secret.isprintable() assert age_secret.isprintable()
assert is_valid_age_key(age_secret) assert is_valid_age_key(age_secret)
# Assert that root-password is valid
pwd_secret = store2.get("", "password").decode()
assert pwd_secret.isprintable()
assert pwd_secret.isascii()
pwd_hash = store2.get("", "password-hash").decode()
assert pwd_hash.isprintable()
assert pwd_hash.isascii()
# Assert that user-password is valid # Assert that user-password is valid
pwd_secret = store2.get("", "user-password").decode() pwd_secret = store2.get("", "user-password").decode()
assert pwd_secret.isprintable() assert pwd_secret.isprintable()

12
pkgs/clan-cli/tests/test_secrets_password_store.py
View File

@@ -85,19 +85,13 @@ def test_upload_secret(
assert zerotier_identity_secret.exists() assert zerotier_identity_secret.exists()
assert store.exists("", "zerotier-identity-secret") assert store.exists("", "zerotier-identity-secret")
assert store.exists("", "password")
assert store.exists("", "password-hash")
assert store.exists("", "user-password") assert store.exists("", "user-password")
assert store.exists("", "user-password-hash") assert store.exists("", "user-password-hash")
assert store.exists("", "zerotier-identity-secret") assert store.exists("", "zerotier-identity-secret")
# Assert that root-password is valid # Since root-password uses Vars they should not be uploaded / generated by the facts
pwd_secret = store.get("", "password").decode() assert not store.exists("", "password")
assert pwd_secret.isprintable() assert not store.exists("", "password-hash")
assert pwd_secret.isascii()
pwd_hash = store.get("", "password-hash").decode()
assert pwd_hash.isprintable()
assert pwd_hash.isascii()
# Assert that user-password is valid # Assert that user-password is valid
pwd_secret = store.get("", "user-password").decode() pwd_secret = store.get("", "user-password").decode()