From 4660406120ec166ce7aa88a2c4031dea9d0b1477 Mon Sep 17 00:00:00 2001 From: Jack O'Sullivan Date: Sat, 28 May 2022 19:02:13 +0100 Subject: [PATCH] nixos/user: Load password from secret --- nixos/boxes/colony/default.nix | 1 - nixos/modules/user.nix | 123 ++++++++++++++++++--------------- nixos/vms/estuary/default.nix | 1 + secrets/test.txt.age | 9 --- secrets/user-passwd.txt.age | 15 ++++ secrets/vaultwarden.env.age | Bin 501 -> 506 bytes 6 files changed, 82 insertions(+), 67 deletions(-) delete mode 100644 secrets/test.txt.age create mode 100644 secrets/user-passwd.txt.age diff --git a/nixos/boxes/colony/default.nix b/nixos/boxes/colony/default.nix index 3519b21..4f9cd59 100644 --- a/nixos/boxes/colony/default.nix +++ b/nixos/boxes/colony/default.nix @@ -135,7 +135,6 @@ #deploy.generate.system.mode = "boot"; secrets = { key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp5WDdDr/1NS3SJIDOKwcCNZDFOxqPAD7cbZWAP7EkX"; - files."test.txt" = {}; }; server.enable = true; diff --git a/nixos/modules/user.nix b/nixos/modules/user.nix index 48ebdba..353b152 100644 --- a/nixos/modules/user.nix +++ b/nixos/modules/user.nix @@ -1,7 +1,7 @@ { lib, options, config, ... }: let - inherit (lib) mkIf mkDefault mkOption mkAliasDefinitions; - inherit (lib.my) mkBoolOpt' mkDefault'; + inherit (lib) mkIf mkDefault mkOption mkMerge mkAliasDefinitions; + inherit (lib.my) mkBoolOpt' mkOpt' mkDefault'; cfg = config.my.user; user' = cfg.config; @@ -10,6 +10,7 @@ in { options.my.user = with lib.types; { enable = mkBoolOpt' true "Whether to create a primary user."; + passwordSecret = mkOpt' (nullOr str) "user-passwd.txt" "Name of user password secret."; config = mkOption { type = options.users.users.type.nestedTypes.elemType; default = { }; 
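Review bot: The new `passwordSecret` option in the `@@ -10,6 +10,7 @@` hunk does not say what the secret must contain, and that matters because the value is wired into `users.users.<name>.passwordFile`, which NixOS reads verbatim into the shadow database and so expects a single hashed line (`mkpasswd -m sha-512` / `chpasswd -e` format), not a plaintext password. I would state that in the description, e.g. `passwordSecret = mkOpt' (nullOr str) "user-passwd.txt" "Name of secret holding the user's hashed password (one line, chpasswd -e format); null keeps the built-in default password.";`. It is also worth noting in the description that, because the default is non-null, every host with `my.user.enable` now needs this secret and a `my.secrets.key` (the estuary change in this same commit appears to be exactly that). The enclosing `options.my.user` attrset continues past the end of the hunk.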
@@ -24,65 +25,73 @@ in }; }; - config = mkIf cfg.enable { - my = { - user = { - config = { - name = mkDefault' "dev"; - isNormalUser = true; - uid = mkDefault 1000; - extraGroups = mkDefault [ "wheel" "kvm" ]; - password = mkDefault "hunter2"; # TODO: secrets... - shell = - let shell = cfg.homeConfig.my.shell; - in mkIf (shell != null) (mkDefault' shell); - openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ]; - }; - homeConfig = { - # In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the - # parent attr name) to be the users name, aka `home-manager.users.` - _module.args.name = lib.mkForce user'.name; - }; - }; - tmproot = { - unsaved.ignore = [ - # Auto-generated (on activation?) - "/home/${user'.name}/.nix-profile" - "/home/${user'.name}/.nix-defexpr" - - "/home/${user'.name}/.config/fish/fish_variables" - ]; - persistence.config = - let - perms = { - mode = "0700"; - user = user.name; - group = user.group; + config = mkIf cfg.enable (mkMerge [ + { + my = { + user = { + config = { + name = mkDefault' "dev"; + isNormalUser = true; + uid = mkDefault 1000; + extraGroups = mkDefault [ "wheel" "kvm" ]; + password = mkIf (cfg.passwordSecret == null) (mkDefault "hunter2"); + shell = + let shell = cfg.homeConfig.my.shell; + in mkIf (shell != null) (mkDefault' shell); + openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ]; }; - in - { - files = map (file: { - inherit file; - parentDirectory = perms; - }) [ - "/home/${user'.name}/.bash_history" - ]; - directories = map (directory: { - inherit directory; - } // perms) [ - # Persist all of fish; it's not easy to persist just the history fish won't let you move it to a different - # directory. Also it does some funny stuff and can't really be a symlink it seems. 
- "/home/${user'.name}/.local/share/fish" + homeConfig = { + # In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the + # parent attr name) to be the users name, aka `home-manager.users.` + _module.args.name = lib.mkForce user'.name; + }; + }; + tmproot = { + unsaved.ignore = [ + # Auto-generated (on activation?) + "/home/${user'.name}/.nix-profile" + "/home/${user'.name}/.nix-defexpr" + + "/home/${user'.name}/.config/fish/fish_variables" ]; + persistence.config = + let + perms = { + mode = "0700"; + user = user.name; + group = user.group; + }; + in + { + files = map (file: { + inherit file; + parentDirectory = perms; + }) [ + "/home/${user'.name}/.bash_history" + ]; + directories = map (directory: { + inherit directory; + } // perms) [ + # Persist all of fish; it's not easy to persist just the history fish won't let you move it to a different + # directory. Also it does some funny stuff and can't really be a symlink it seems. + "/home/${user'.name}/.local/share/fish" + ]; + }; }; }; - }; - # mkAliasDefinitions will copy the unmerged defintions to allow the upstream submodule to deal with - users.users.${user'.name} = mkAliasDefinitions options.my.user.config; + # mkAliasDefinitions will copy the unmerged defintions to allow the upstream submodule to deal with + users.users.${user'.name} = mkAliasDefinitions options.my.user.config; - # NOTE: As the "outermost" module is still being evaluated in NixOS land, special params (e.g. pkgs) won't be - # passed to it - home-manager.users.${user'.name} = mkAliasDefinitions options.my.user.homeConfig; - }; + # NOTE: As the "outermost" module is still being evaluated in NixOS land, special params (e.g. 
pkgs) won't be + # passed to it + home-manager.users.${user'.name} = mkAliasDefinitions options.my.user.homeConfig; + } + (mkIf (cfg.passwordSecret != null) { + my = { + secrets.files."${cfg.passwordSecret}" = {}; + user.config.passwordFile = config.age.secrets."${cfg.passwordSecret}".path; + }; + }) + ]); } diff --git a/nixos/vms/estuary/default.nix b/nixos/vms/estuary/default.nix index 2824079..3b0523e 100644 --- a/nixos/vms/estuary/default.nix +++ b/nixos/vms/estuary/default.nix @@ -101,6 +101,7 @@ }; my = { + secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhxM5mnguExkcLue47QKk1vA72OoPc3HOqqoHqHHfa1"; server.enable = true; firewall = { diff --git a/secrets/test.txt.age b/secrets/test.txt.age deleted file mode 100644 index 588ff65..0000000 --- a/secrets/test.txt.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 SKXJUw cyFB+C3RIGQcLOO6MoKdM9B8lBBVdl9nYBlrF4XweGs -CkmEZ6DzOW1TIWQxuKptpLTCGg8gzCp6UcHqhlXiuMY --> X25519 Lbfpry55oE82Gb32mSypv/YIjIAZCazwbRpj2v2Htxs -s0TfMT6DBevMaJlKk+hMBXgGh0B+2aGh7R8wx/lbjg0 --> @Q0Gc/-grease FQp^m -O0cs1bBnmRtufx9GLavdRMh/hPPCDQ ---- 3hPsolp60qbM3svyL66dGoiAyW2ODOtFeBomBA5vLZc -wZQy$8W,R% \Ee`&04YKVLy{o2 \ No newline at end of file diff --git a/secrets/user-passwd.txt.age b/secrets/user-passwd.txt.age new file mode 100644 index 0000000..8f1dfc7 --- /dev/null +++ b/secrets/user-passwd.txt.age 
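Review bot: The line `password = mkIf (cfg.passwordSecret == null) (mkDefault "hunter2");` still ships a well-known plaintext password as the fallback, so a host that sets `my.user.passwordSecret = null` silently gets a `wheel`/`kvm` member with password `hunter2`, and the `# TODO: secrets...` marker that used to flag this is gone. Rather than a silent default I would make the unset case fail evaluation while still leaving room for an explicit override, e.g. `password = mkIf (cfg.passwordSecret == null) (mkDefault (throw "my.user: set passwordSecret or users.users.${user'.name}.hashedPassword explicitly"));`. The second `mkMerge` branch sets `passwordFile = config.age.secrets."${cfg.passwordSecret}".path`, so whatever is decrypted into that file must already be a hashed line in `chpasswd -e` format; I cannot tell from the ciphertext whether `user-passwd.txt.age` was produced that way, so a comment there such as `# NOTE: passwordFile must contain a *hashed* password (mkpasswd -m sha-512), it is copied into /etc/shadow as-is` would save the next reader a trip to /etc/shadow. Note also that `users.users.${user'.name} = mkAliasDefinitions options.my.user.config` means both `password` and `passwordFile` definitions reach the upstream module, so any future host-level `password` override would coexist with `passwordFile` rather than replace it.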
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 SKXJUw HNKr/VHMm2Tm3zXJy/hiWFT/HwMrs5dzi+JSdfe/3wE +NH/28Nkeij6o3h63Fu/h2dgI8b6spZ0dMKp/yUfTCq4 +-> ssh-ed25519 B9K/XQ it45NurDEjYL5dAVJsJmi+MlIHKSpP2Lj7Fij5/ziUs +1vKMO+h6aMAWDQDWwKrT0PwDhw90mk7x7uf27CCz27s +-> ssh-ed25519 LLxJog aAmssC1kqweHP1TEtkVurusq1AqIc8t7HZ7A7hjRtAw +lDbexbeib25DPuFiObs+1PQgu1WPG8a/P01QD6tO1f8 +-> X25519 lcKREBQdELTzOpxRXMJa5J9stI9u3tZJdAHGW2LC8W4 +7c+kF11czGa7DEq3+ZJW+iSLcU/XKn+YJlciQzLwP64 +-> y251}dI-grease +zIIT0zZ1oHhvxwQtUM6JsvhIqbQ0fRz5YFJMrxkwk8FDwgIyoKHQhVWNYmFDWhEs +K0QD0scV1HUGGAJdMoePqHw +--- a2PYkwWrS0NFhoL/0IgmuvKRjkORQrotG+RKXVtXeiI +t6!,ޟo.n7JK`ai.c>$W>"8(d+RcdQlX-Hx=Y%*|6cq@5BSyeJGI0`L3 zAXqXrH8D9LSxa|sGf`tTWp+tUVq|7ocWG;CL0B+&STS@~ZGU=XV@OLxGgC4)bv9Q; z3Sn?>W=u6}Xkt*K}K;{GiY*7c4KZgHg{}UG&w~z zQbjT}H!EjNQh!NKQ&V&{X-08xLs3jdX$p08NMbo-HBxJEI59JEY))-)N>)QyGFfFg zR!mGyX*61Q3N0-yAT&x>WLk7gO;>MLI6+KVSyV4qPC{o|Xlhh%cxhruR##eRS435A zIa+FW3Ih_KtN}9M&c7&RSEhwxr}Vb4%PIx91p@h@t5NT<@Va~}d?OYeUua8e>3Nf7_8 O1+`@TyNpFStF=wx3aeQF delta 467 zcmV;^0WALd1N8%tEPp~)c~C)YVPi%|Q8hv@Z%Jr%Hd;AQZ*nhCOIdVPVrWZia8_tp zc`|KoZwf+mZBt`QcTRS5Ls?Q;D@{c-bY)6Lb#qc>VQp_>P;WVLcwuZcVNgYAO$seO zAXqXrH8D9LPi0O@F?n=WF+pQ9crbNpacW3*L`!x|cz94yZGUTVG-G#dXIN@MNMb@k z3TXhn5aHF9@Ka!F-Q zFh)2sD@$=wMSpczb53$JcUTHqNmFTUWoj{ccTYEIQcp2KL1=kSOE+3@RzfmUYe9N* zQffyEEiEk|PjzTUIcQBVcSc1*L~>CtbXRpvF)=tuZB|Y&QfhcoY&c0{GEQ?&SW0UO zY|WbdQ;m`p;%CR#XE3?~P|`3!rDtlSrQSSS#n^pi-b{cSLJ0~uX7jm(pcMV3SPo)z z_hT#M4nW4~8lyamwl_fcws%H`G^PX%25(?8088iwip-<;qr=?spt7-BBEUs`a8WyE J{#~imxvWv4tQ!CT