clan-core/clanServices/emergency-access/default.nix
a-kenji 4db52a2bc0 emergency-access: Don't deploy plaintext passwords
Don't deploy the plaintext emergency password to the target machine.
It doesn't seem to be used anywhere.
2025-06-13 13:30:59 +02:00


# Clan service that generates a recovery password and configures its hash
# for emergency access in the systemd-based initrd.
{ ... }:
{
  _class = "clan.service";

  manifest = {
    name = "clan-core/emergency-access";
    description = "Set recovery password for emergency access to machine";
    categories = [ "System" ];
  };

  roles.default.perInstance.nixosModule =
    { config, pkgs, ... }:
    let
      # Shorthand for the vars generator declared further down in this module.
      generator = config.clan.core.vars.generators.emergency-access;
    in
    {
      # Only the hash is referenced by the machine configuration; the
      # plaintext file is never read here.
      boot.initrd.systemd.emergencyAccess = generator.files.password-hash.value;

      clan.core.vars.generators.emergency-access = {
        # Tools the generator script calls: tr, mkpasswd, xkcdpass.
        runtimeInputs = [
          pkgs.coreutils
          pkgs.mkpasswd
          pkgs.xkcdpass
        ];

        files = {
          # The plaintext passphrase is generated but not deployed to the
          # target machine.
          password.deploy = false;

          # The hash is marked non-secret; its value is read at evaluation
          # time above via `.value`.
          # NOTE(review): this presumably makes the hash readable in the
          # evaluated configuration / initrd, so offline guessing against a
          # four-word passphrase is the relevant risk. Confirm this exposure
          # is acceptable for the deployment.
          password-hash.secret = false;
        };

        # Step 1: write one passphrase of four words joined by "-", with the
        #         trailing newline stripped.
        # Step 2: read that passphrase on stdin and write its SHA-512 crypt
        #         hash, again without the trailing newline.
        # NOTE(review): a failing xkcdpass is hidden by the pipe into tr
        # unless the generator runner enables `pipefail`; in that case an
        # empty password would be hashed. Confirm how the runner invokes
        # this script.
        script = ''
          xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > $out/password
          mkpasswd -s -m sha-512 < $out/password | tr -d "\n" > $out/password-hash
        '';
      };
    };
}