Merge pull request 'secrets-improvements' (#948) from secrets-improvements into main

2024-03-13 10:23:27 +00:00 · 2024-03-13 10:23:27 +00:00 · be1bd8f252
commit be1bd8f252
parent 5b02dda003 a9fc8de2d0
4 changed files with 36 additions and 1 deletions
--- a/clanModules/flake-module.nix
+++ b/clanModules/flake-module.nix
@ -11,6 +11,7 @@
    moonlight = ./moonlight.nix;
    sunshine = ./sunshine.nix;
    syncthing = ./syncthing.nix;
+    sshd = ./sshd.nix;
    vm-user = ./vm-user.nix;
    graphical = ./graphical.nix;
    xfce = ./xfce.nix;
--- a/clanModules/sshd.nix
+++ b/clanModules/sshd.nix
@ -0,0 +1,18 @@
+{ config, pkgs, ... }: {
+  services.openssh.enable = true;
+
+  services.openssh.hostKeys = [{
+    path = config.clanCore.secrets.borgbackup.secrets."ssh.id_ed25519".path;
+    type = "ed25519";
+  }];
+
+  clanCore.secrets.openssh = {
+    secrets."ssh.id_ed25519" = { };
+    facts."ssh.id_ed25519.pub" = { };
+    generator.path = [ pkgs.coreutils pkgs.openssh ];
+    generator.script = ''
+      ssh-keygen -t ed25519 -N "" -f $secrets/ssh.id_ed25519
+      mv $secrets/ssh.id_ed25519.pub $facts/ssh.id_ed25519.pub
+    '';
+  };
+}
--- a/nixosModules/clanCore/secrets/default.nix
+++ b/nixosModules/clanCore/secrets/default.nix
@ -100,6 +100,7 @@
              config' = config;
            in
            lib.mkOption {
+              default = { };
              type = lib.types.attrsOf (lib.types.submodule ({ config, name, ... }: {
                options = {
                  name = lib.mkOption {
--- a/pkgs/clan-cli/clan_cli/secrets/generate.py
+++ b/pkgs/clan-cli/clan_cli/secrets/generate.py
@ -2,6 +2,7 @@ import argparse
 import importlib
 import logging
 import os
+import subprocess
 from collections.abc import Callable
 from pathlib import Path
 from tempfile import TemporaryDirectory
@ -19,6 +20,15 @@ from .modules import SecretStoreBase
 log = logging.getLogger(__name__)


+def read_multiline_input(prompt: str = "Finish with Ctrl-D") -> str:
+    """
+    Read multi-line input from stdin.
+    """
+    print(prompt, flush=True)
+    proc = subprocess.run(["cat"], stdout=subprocess.PIPE, text=True)
+    return proc.stdout
+
+
 def generate_service_secrets(
    machine: Machine,
    service: str,
@ -128,7 +138,12 @@ def generate_secrets(
    fact_store = facts_module.FactStore(machine=machine)

    if prompt is None:
-        prompt = lambda text: input(f"{text}: ")
+
+        def prompt_func(text: str) -> str:
+            print(f"{text}: ")
+            return read_multiline_input()
+
+        prompt = prompt_func

    with TemporaryDirectory() as tmp:
        tmpdir = Path(tmp)