nixos/user: Load password from secret

2022-05-28 19:02:13 +01:00
parent c841b37f19
commit 4660406120
6 changed files with 82 additions and 67 deletions
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@@ -135,7 +135,6 @@
          #deploy.generate.system.mode = "boot";
          secrets = {
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp5WDdDr/1NS3SJIDOKwcCNZDFOxqPAD7cbZWAP7EkX";
-            files."test.txt" = {};
          };

          server.enable = true;
--- a/nixos/modules/user.nix
+++ b/nixos/modules/user.nix
@@ -1,7 +1,7 @@
 { lib, options, config, ... }:
 let
-  inherit (lib) mkIf mkDefault mkOption mkAliasDefinitions;
-  inherit (lib.my) mkBoolOpt' mkDefault';
+  inherit (lib) mkIf mkDefault mkOption mkMerge mkAliasDefinitions;
+  inherit (lib.my) mkBoolOpt' mkOpt' mkDefault';

  cfg = config.my.user;
  user' = cfg.config;
@@ -10,6 +10,7 @@ in
 {
  options.my.user = with lib.types; {
    enable = mkBoolOpt' true "Whether to create a primary user.";
+    passwordSecret = mkOpt' (nullOr str) "user-passwd.txt" "Name of user password secret.";
    config = mkOption {
      type = options.users.users.type.nestedTypes.elemType;
      default = { };
@@ -24,65 +25,73 @@ in
    };
  };

-  config = mkIf cfg.enable {
-    my = {
-      user = {
-        config = {
-          name = mkDefault' "dev";
-          isNormalUser = true;
-          uid = mkDefault 1000;
-          extraGroups = mkDefault [ "wheel" "kvm" ];
-          password = mkDefault "hunter2"; # TODO: secrets...
-          shell =
-            let shell = cfg.homeConfig.my.shell;
-            in mkIf (shell != null) (mkDefault' shell);
-          openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ];
-        };
-        homeConfig = {
-          # In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the
-          # parent attr name) to be the users name, aka `home-manager.users.<name>`
-          _module.args.name = lib.mkForce user'.name;
-        };
-      };
-      tmproot = {
-        unsaved.ignore = [
-          # Auto-generated (on activation?)
-          "/home/${user'.name}/.nix-profile"
-          "/home/${user'.name}/.nix-defexpr"
-
-          "/home/${user'.name}/.config/fish/fish_variables"
-        ];
-        persistence.config =
-        let
-          perms = {
-            mode = "0700";
-            user = user.name;
-            group = user.group;
+  config = mkIf cfg.enable (mkMerge [
+    {
+      my = {
+        user = {
+          config = {
+            name = mkDefault' "dev";
+            isNormalUser = true;
+            uid = mkDefault 1000;
+            extraGroups = mkDefault [ "wheel" "kvm" ];
+            password = mkIf (cfg.passwordSecret == null) (mkDefault "hunter2");
+            shell =
+              let shell = cfg.homeConfig.my.shell;
+              in mkIf (shell != null) (mkDefault' shell);
+            openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ];
          };
-        in
-        {
-          files = map (file: {
-            inherit file;
-            parentDirectory = perms;
-          }) [
-            "/home/${user'.name}/.bash_history"
-          ];
-          directories = map (directory: {
-            inherit directory;
-          } // perms) [
-            # Persist all of fish; it's not easy to persist just the history fish won't let you move it to a different
-            # directory. Also it does some funny stuff and can't really be a symlink it seems.
-            "/home/${user'.name}/.local/share/fish"
+          homeConfig = {
+            # In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the
+            # parent attr name) to be the users name, aka `home-manager.users.<name>`
+            _module.args.name = lib.mkForce user'.name;
+          };
+        };
+        tmproot = {
+          unsaved.ignore = [
+            # Auto-generated (on activation?)
+            "/home/${user'.name}/.nix-profile"
+            "/home/${user'.name}/.nix-defexpr"
+
+            "/home/${user'.name}/.config/fish/fish_variables"
          ];
+          persistence.config =
+          let
+            perms = {
+              mode = "0700";
+              user = user.name;
+              group = user.group;
+            };
+          in
+          {
+            files = map (file: {
+              inherit file;
+              parentDirectory = perms;
+            }) [
+              "/home/${user'.name}/.bash_history"
+            ];
+            directories = map (directory: {
+              inherit directory;
+            } // perms) [
+              # Persist all of fish; it's not easy to persist just the history fish won't let you move it to a different
+              # directory. Also it does some funny stuff and can't really be a symlink it seems.
+              "/home/${user'.name}/.local/share/fish"
+            ];
+          };
        };
      };
-    };

-    # mkAliasDefinitions will copy the unmerged defintions to allow the upstream submodule to deal with
-    users.users.${user'.name} = mkAliasDefinitions options.my.user.config;
+      # mkAliasDefinitions will copy the unmerged defintions to allow the upstream submodule to deal with
+      users.users.${user'.name} = mkAliasDefinitions options.my.user.config;

-    # NOTE: As the "outermost" module is still being evaluated in NixOS land, special params (e.g. pkgs) won't be
-    # passed to it
-    home-manager.users.${user'.name} = mkAliasDefinitions options.my.user.homeConfig;
-  };
+      # NOTE: As the "outermost" module is still being evaluated in NixOS land, special params (e.g. pkgs) won't be
+      # passed to it
+      home-manager.users.${user'.name} = mkAliasDefinitions options.my.user.homeConfig;
+    }
+    (mkIf (cfg.passwordSecret != null) {
+      my = {
+        secrets.files."${cfg.passwordSecret}" = {};
+        user.config.passwordFile = config.age.secrets."${cfg.passwordSecret}".path;
+      };
+    })
+  ]);
 }
--- a/nixos/vms/estuary/default.nix
+++ b/nixos/vms/estuary/default.nix
@@ -101,6 +101,7 @@
            };

            my = {
+              secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhxM5mnguExkcLue47QKk1vA72OoPc3HOqqoHqHHfa1";
              server.enable = true;

              firewall = {
--- a/secrets/test.txt.age
+++ b/secrets/test.txt.age
@@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 SKXJUw cyFB+C3RIGQcLOO6MoKdM9B8lBBVdl9nYBlrF4XweGs
-CkmEZ6DzOW1TIWQxuKptpLTCGg8gzCp6UcHqhlXiuMY
-> X25519 Lbfpry55oE82Gb32mSypv/YIjIAZCazwbRpj2v2Htxs
-s0TfMT6DBevMaJlKk+hMBXgGh0B+2aGh7R8wx/lbjg0
-> @Q0Gc/-grease FQp^m
-O0cs1bBnmRtufx9GLavdRMh/hPPCDQ
--- 3hPsolp60qbM3svyL66dGoiAyW2ODOtFeBomBA5vLZc
-<EFBFBD>wZQy<51>$8<>W<><57>,R%<0B><><EFBFBD>\<5C><1E>E<EFBFBD>e<EFBFBD>`<60><>&<26>0<>4<1D><><EFBFBD><EFBFBD>YKV<1E><>L<EFBFBD>y{<7B>o2<6F>
--- a/secrets/user-passwd.txt.age
+++ b/secrets/user-passwd.txt.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 SKXJUw HNKr/VHMm2Tm3zXJy/hiWFT/HwMrs5dzi+JSdfe/3wE
+NH/28Nkeij6o3h63Fu/h2dgI8b6spZ0dMKp/yUfTCq4
+-> ssh-ed25519 B9K/XQ it45NurDEjYL5dAVJsJmi+MlIHKSpP2Lj7Fij5/ziUs
+1vKMO+h6aMAWDQDWwKrT0PwDhw90mk7x7uf27CCz27s
+-> ssh-ed25519 LLxJog aAmssC1kqweHP1TEtkVurusq1AqIc8t7HZ7A7hjRtAw
+lDbexbeib25DPuFiObs+1PQgu1WPG8a/P01QD6tO1f8
+-> X25519 lcKREBQdELTzOpxRXMJa5J9stI9u3tZJdAHGW2LC8W4
+7c+kF11czGa7DEq3+ZJW+iSLcU/XKn+YJlciQzLwP64
+-> y251}dI-grease
+zIIT0zZ1oHhvxwQtUM6JsvhIqbQ0fRz5YFJMrxkwk8FDwgIyoKHQhVWNYmFDWhEs
+K0QD0scV1HUGGAJdMoePqHw
+--- a2PYkwWrS0NFhoL/0IgmuvKRjkORQrotG+RKXVtXeiI
+t<>6<EFBFBD><36>!<21>,ޟo.<2E>n<EFBFBD>7J<02><>K`<60><1D>a<EFBFBD>i.<05><>c<EFBFBD>>$<>W<EFBFBD><57>>"8<03><><r4Y'{<7B><><EFBFBD>O"B<><42><EFBFBD><06>yg
+P&<26>
--- a/secrets/vaultwarden.env.age
+++ b/secrets/vaultwarden.env.age