From f24df0e33bfced2047b17f4058326ca89e4705a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 8 Apr 2025 08:45:51 +0200
Subject: [PATCH] user-password: migrate to vars
---
 clanModules/user-password/roles/default.nix | 30 +++++++++----------
 pkgs/clan-cli/tests/test_secrets_generate.py | 13 --------
 .../tests/test_secrets_password_store.py | 14 ---------
 3 files changed, 14 insertions(+), 43 deletions(-)
diff --git a/clanModules/user-password/roles/default.nix b/clanModules/user-password/roles/default.nix
index 296dbb733..b67c95a00 100644
--- a/clanModules/user-password/roles/default.nix
+++ b/clanModules/user-password/roles/default.nix
@@ -25,27 +25,25 @@ in
 config = {
 users.mutableUsers = false;
 users.users.${cfg.user} = {
- hashedPasswordFile = config.clan.core.facts.services.user-password.secret.user-password-hash.path;
+ hashedPasswordFile = config.clan.core.vars.generators.user-password.files.user-password-hash.path;
 isNormalUser = lib.mkDefault true;
 };
- sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
- "${config.clan.core.settings.machine.name}-user-password-hash".neededForUsers = true;
- };
+ clan.core.vars.generators.user-password = {
+ files.user-password-hash.neededFor = "users";
- clan.core.facts.services.user-password = {
- secret.user-password = { };
- secret.user-password-hash = { };
- generator.prompt = (
- lib.mkIf config.clan.user-password.prompt "Set the password for your user '${config.clan.user-password.user}'.
- You can autogenerate a password, if you leave this prompt blank."
- );
- generator.path = with pkgs; [
- coreutils
- xkcdpass
- mkpasswd
+ prompts.user-password.type = "hidden";
+ prompts.user-password.persist = true;
+ prompts.user-password.description = "You can autogenerate a password, if you leave this prompt blank.";
+ files.user-password.deploy = false;
+
+ migrateFact = "user-password";
+ runtimeInputs = [
+ pkgs.coreutils
+ pkgs.xkcdpass
+ pkgs.mkpasswd
 ];
- generator.script = ''
+ script = ''
 if [[ -n ''${prompt_value-} ]]; then
 echo $prompt_value | tr -d "\n" > $secrets/user-password
 else
diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py
index bfd3f95a5..e6556f25d 100644
--- a/pkgs/clan-cli/tests/test_secrets_generate.py
+++ b/pkgs/clan-cli/tests/test_secrets_generate.py
@@ -81,9 +81,6 @@ def test_generate_secret(
 Machine(name="vm2", flake=Flake(str(test_flake_with_core.path)))
 )
- # Should not exist clan facts generate
- assert not store2.exists("", "password")
- assert not store2.exists("", "password-hash")
 # clan vars generate
 # TODO: Test vars
 # varsStore = VarsSecretStore(
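Review bot: Only the `script = ''` line of the generator is new, but the body kept as context below it still reads `$prompt_value` and writes to `$secrets/user-password`, which is the facts-era interface; if the vars runtime hands prompt values and output files to the script differently (for instance as `$prompts/<name>` and `$out/<file>`), the prompted password would be silently ignored and nothing would land in `files.user-password`, so this is worth confirming against the vars generator contract. That matters here because the assertions that exercised this path in the facts tests are deleted in the same commit and the `# TODO: Test vars` block stays commented out, leaving the prompt-driven branch untested. Independently of the migration, `echo $prompt_value` is unquoted, so the password goes through word splitting and globbing and bash's `echo` swallows a leading `-n`/`-e`; `printf '%s' "$prompt_value" | tr -d "\n" > "$secrets/user-password"` stores it exactly as typed. The generator script continues past the end of the hunk.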
@@ -101,8 +98,6 @@ def test_generate_secret(
 # set_prompts(str(test_flake_with_core.path), "vm2", [password_update])
 # assert varsStore.exists(generator, "root-password")
- assert store2.exists("", "user-password")
- assert store2.exists("", "user-password-hash")
 assert store2.exists("", "age.key")
 assert store2.exists("", "zerotier-identity-secret")
@@ -113,11 +108,3 @@ def test_generate_secret(
 age_secret = store2.get("", "age.key").decode()
 assert age_secret.isprintable()
 assert is_valid_age_key(age_secret)
-
- # Assert that user-password is valid
- pwd_secret = store2.get("", "user-password").decode()
- assert pwd_secret.isprintable()
- assert pwd_secret.isascii()
- pwd_hash = store2.get("", "user-password-hash").decode()
- assert pwd_hash.isprintable()
- assert pwd_hash.isascii()
diff --git a/pkgs/clan-cli/tests/test_secrets_password_store.py b/pkgs/clan-cli/tests/test_secrets_password_store.py
index 2103e9000..76642fc53 100644
--- a/pkgs/clan-cli/tests/test_secrets_password_store.py
+++ b/pkgs/clan-cli/tests/test_secrets_password_store.py
@@ -85,18 +85,4 @@ def test_upload_secret(
 assert zerotier_identity_secret.exists()
 assert store.exists("", "zerotier-identity-secret")
- assert store.exists("", "user-password")
- assert store.exists("", "user-password-hash")
 assert store.exists("", "zerotier-identity-secret")
-
- # Since root-password uses Vars they should not be uploaded / generated by the facts
- assert not store.exists("", "password")
- assert not store.exists("", "password-hash")
-
- # Assert that user-password is valid
- pwd_secret = store.get("", "user-password").decode()
- assert pwd_secret.isprintable()
- assert pwd_secret.isascii()
- pwd_hash = store.get("", "user-password-hash").decode()
- assert pwd_hash.isprintable()
- assert pwd_hash.isascii()