user-password: migrate to vars

clanModules/user-password/roles/default.nix

@@ -25,27 +25,25 @@ in
   config = {
     users.mutableUsers = false;
     users.users.${cfg.user} = {
-      hashedPasswordFile = config.clan.core.facts.services.user-password.secret.user-password-hash.path;
+      hashedPasswordFile = config.clan.core.vars.generators.user-password.files.user-password-hash.path;
       isNormalUser = lib.mkDefault true;
     };
 
-    sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
-      "${config.clan.core.settings.machine.name}-user-password-hash".neededForUsers = true;
-    };
+    clan.core.vars.generators.user-password = {
+      files.user-password-hash.neededFor = "users";
 
-    clan.core.facts.services.user-password = {
-      secret.user-password = { };
-      secret.user-password-hash = { };
-      generator.prompt = (
-        lib.mkIf config.clan.user-password.prompt "Set the password for your user '${config.clan.user-password.user}'.
-      You can autogenerate a password, if you leave this prompt blank."
-      );
-      generator.path = with pkgs; [
-        coreutils
-        xkcdpass
-        mkpasswd
+      prompts.user-password.type = "hidden";
+      prompts.user-password.persist = true;
+      prompts.user-password.description = "You can autogenerate a password, if you leave this prompt blank.";
+      files.user-password.deploy = false;
+
+      migrateFact = "user-password";
+      runtimeInputs = [
+        pkgs.coreutils
+        pkgs.xkcdpass
+        pkgs.mkpasswd
       ];
-      generator.script = ''
+      script = ''
         if [[ -n ''${prompt_value-} ]]; then
           echo $prompt_value | tr -d "\n" > $secrets/user-password
         else

pkgs/clan-cli/tests/test_secrets_generate.py

@@ -81,9 +81,6 @@ def test_generate_secret(
         Machine(name="vm2", flake=Flake(str(test_flake_with_core.path)))
     )
 
-    # Should not exist clan facts generate
-    assert not store2.exists("", "password")
-    assert not store2.exists("", "password-hash")
     # clan vars generate
     # TODO: Test vars
     # varsStore = VarsSecretStore(
@@ -101,8 +98,6 @@ def test_generate_secret(
     # set_prompts(str(test_flake_with_core.path), "vm2", [password_update])
     # assert varsStore.exists(generator, "root-password")
 
-    assert store2.exists("", "user-password")
-    assert store2.exists("", "user-password-hash")
     assert store2.exists("", "age.key")
     assert store2.exists("", "zerotier-identity-secret")
 
@@ -113,11 +108,3 @@ def test_generate_secret(
     age_secret = store2.get("", "age.key").decode()
     assert age_secret.isprintable()
     assert is_valid_age_key(age_secret)
-
-    # Assert that user-password is valid
-    pwd_secret = store2.get("", "user-password").decode()
-    assert pwd_secret.isprintable()
-    assert pwd_secret.isascii()
-    pwd_hash = store2.get("", "user-password-hash").decode()
-    assert pwd_hash.isprintable()
-    assert pwd_hash.isascii()

pkgs/clan-cli/tests/test_secrets_password_store.py

@@ -85,18 +85,4 @@ def test_upload_secret(
     assert zerotier_identity_secret.exists()
     assert store.exists("", "zerotier-identity-secret")
 
-    assert store.exists("", "user-password")
-    assert store.exists("", "user-password-hash")
     assert store.exists("", "zerotier-identity-secret")
-
-    # Since root-password uses Vars they should not be uploaded / generated by the facts
-    assert not store.exists("", "password")
-    assert not store.exists("", "password-hash")
-
-    # Assert that user-password is valid
-    pwd_secret = store.get("", "user-password").decode()
-    assert pwd_secret.isprintable()
-    assert pwd_secret.isascii()
-    pwd_hash = store.get("", "user-password-hash").decode()
-    assert pwd_hash.isprintable()
-    assert pwd_hash.isascii()