Merge pull request 'Migrate clanModule root-password to vars' (#2701) from hsjobeki/clan-core:vars/root-password into main

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/2701
2025-01-14 16:42:29 +00:00
parent a240bbcf04 57c4e8e929
commit 968f427404
3 changed files with 44 additions and 35 deletions
--- a/clanModules/root-password/default.nix
+++ b/clanModules/root-password/default.nix
@@ -1,29 +1,34 @@
 {
  pkgs,
  config,
-  lib,
  ...
 }:
 {
  users.mutableUsers = false;
  users.users.root.hashedPasswordFile =
-    config.clan.core.facts.services.root-password.secret.password-hash.path;
+    config.clan.core.vars.generators.root-password.files.password-hash.path;

-  sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
-    "${config.clan.core.settings.machine.name}-password-hash".neededForUsers = true;
-  };
-
-  clan.core.facts.services.root-password = {
-    secret.password = { };
-    secret.password-hash = { };
-    generator.path = with pkgs; [
-      coreutils
-      xkcdpass
-      mkpasswd
+  clan.core.vars.generators.root-password = {
+    files.password-hash = {
+      neededFor = "users";
+    };
+    migrateFact = "root-password";
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.mkpasswd
+      pkgs.xkcdpass
    ];
-    generator.script = ''
-      xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > $secrets/password
-      cat $secrets/password | mkpasswd -s -m sha-512 | tr -d "\n" > $secrets/password-hash
+    prompts.password.type = "hidden";
+    prompts.password.description = "You can autogenerate a password, if you leave this prompt blank.";
+
+    script = ''
+      prompt_value=$(cat $prompts/password)
+      if [[ -n ''${prompt_value-} ]]; then
+        echo $prompt_value | tr -d "\n" > $out/password
+      else
+        xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > $out/password
+      fi
+      mkpasswd -s -m sha-512 < $out/password | tr -d "\n" > $out/password-hash
    '';
  };
 }
--- a/pkgs/clan-cli/tests/test_secrets_generate.py
+++ b/pkgs/clan-cli/tests/test_secrets_generate.py
@@ -81,8 +81,26 @@ def test_generate_secret(
        Machine(name="vm2", flake=FlakeId(str(test_flake_with_core.path)))
    )

-    assert store2.exists("", "password")
-    assert store2.exists("", "password-hash")
+    # Should not exist clan facts generate
+    assert not store2.exists("", "password")
+    assert not store2.exists("", "password-hash")
+    # clan vars generate
+    # TODO: Test vars
+    # varsStore = VarsSecretStore(
+    #     machine=Machine(name="vm2", flake=FlakeId(str(test_flake_with_core.path)))
+    # )
+    # generators = get_generators(str(test_flake_with_core.path), "vm2")
+    # generator = next((gen for gen in generators if gen.name == "root-password"), None)
+
+    # if not generator:
+    #     raise Exception("Generator not found")
+
+    # password_update = GeneratorUpdate(
+    #     generator=generator.name, prompt_values={"password": "1234"}
+    # )
+    # set_prompts(str(test_flake_with_core.path), "vm2", [password_update])
+    # assert varsStore.exists(generator, "root-password")
+
    assert store2.exists("", "user-password")
    assert store2.exists("", "user-password-hash")
    assert store2.exists("", "age.key")
@@ -96,14 +114,6 @@ def test_generate_secret(
    assert age_secret.isprintable()
    assert is_valid_age_key(age_secret)

-    # Assert that root-password is valid
-    pwd_secret = store2.get("", "password").decode()
-    assert pwd_secret.isprintable()
-    assert pwd_secret.isascii()
-    pwd_hash = store2.get("", "password-hash").decode()
-    assert pwd_hash.isprintable()
-    assert pwd_hash.isascii()
-
    # Assert that user-password is valid
    pwd_secret = store2.get("", "user-password").decode()
    assert pwd_secret.isprintable()
--- a/pkgs/clan-cli/tests/test_secrets_password_store.py
+++ b/pkgs/clan-cli/tests/test_secrets_password_store.py
@@ -85,19 +85,13 @@ def test_upload_secret(
    assert zerotier_identity_secret.exists()
    assert store.exists("", "zerotier-identity-secret")

-    assert store.exists("", "password")
-    assert store.exists("", "password-hash")
    assert store.exists("", "user-password")
    assert store.exists("", "user-password-hash")
    assert store.exists("", "zerotier-identity-secret")

-    # Assert that root-password is valid
-    pwd_secret = store.get("", "password").decode()
-    assert pwd_secret.isprintable()
-    assert pwd_secret.isascii()
-    pwd_hash = store.get("", "password-hash").decode()
-    assert pwd_hash.isprintable()
-    assert pwd_hash.isascii()
+    # Since root-password uses Vars they should not be uploaded / generated by the facts
+    assert not store.exists("", "password")
+    assert not store.exists("", "password-hash")

    # Assert that user-password is valid
    pwd_secret = store.get("", "user-password").decode()