modules: init user-password

Init a user-password module, that allows setting the password for a single user. fixes #1351
2024-05-14 10:39:31 +02:00 · 2024-05-14 10:39:31 +02:00 · cd0b360b49
commit cd0b360b49
parent 8c0fb90c1a
4 changed files with 67 additions and 2 deletions
--- a/clanModules/flake-module.nix
+++ b/clanModules/flake-module.nix
@ -5,17 +5,18 @@
      imports = [ ./disk-layouts ];
    };
    borgbackup = ./borgbackup;
-    ergochat = ./ergochat;
    deltachat = ./deltachat;
+    ergochat = ./ergochat;
    localbackup = ./localbackup;
    localsend = ./localsend;
    matrix-synapse = ./matrix-synapse;
    moonlight = ./moonlight;
+    root-password = ./root-password;
    sshd = ./sshd;
    sunshine = ./sunshine;
    syncthing = ./syncthing;
-    root-password = ./root-password;
    thelounge = ./thelounge;
+    user-password = ./root-password;
    xfce = ./xfce;
    zt-tcp-relay = ./zt-tcp-relay;
  };
--- a/clanModules/user-password/README.md
+++ b/clanModules/user-password/README.md
@ -0,0 +1,14 @@
+Automatically generates and configures a password for the specified user account.
+---
+
+If setting the option prompt to true, the user will be prompted to type in their desired password.
+
+After the system was installed/deployed the following command can be used to display the user-password:
+
+```bash
+clan secrets get {machine_name}-user-password
+```
+
+See also: [Facts / Secrets](../../getting-started/secrets.md)
+
+To regenerate the password, delete the password files in the clan directory and redeploy the machine.
--- a/clanModules/user-password/default.nix
+++ b/clanModules/user-password/default.nix
@ -0,0 +1,49 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  options.clan.user-password = {
+    user = lib.mkOption {
+      type = lib.types.str;
+      example = "alice";
+      description = "The user the password should be generated for.";
+    };
+    prompt = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether the user should be prompted.";
+    };
+  };
+
+  config = {
+    users.mutableUsers = false;
+    users.users.${config.clan.user-password.user}.hashedPasswordFile =
+      config.clanCore.facts.services.user-password.secret.user-password-hash.path;
+    sops.secrets."${config.clanCore.machineName}-user-password-hash".neededForUsers = true;
+    clanCore.facts.services.user-password = {
+      secret.user-password = { };
+      secret.user-password-hash = { };
+      generator.prompt = (
+        lib.mkIf config.clan.user-password.prompt "Set the password for your $user: ${config.clan.user-password.user}.
+      You can autogenerate a password, if you leave this prompt blank."
+      );
+      generator.path = with pkgs; [
+        coreutils
+        xkcdpass
+        mkpasswd
+      ];
+      generator.script = ''
+        if [[ -n $prompt_value ]]; then
+          echo $prompt_value > $secrets/user-password
+        else
+          xkcdpass --numwords 3 --delimiter - --count 1 > $secrets/user-password
+        fi
+        cat $secrets/user-password | mkpasswd -s -m sha-512 > $secrets/user-password-hash
+      '';
+    };
+  };
+}
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@ -75,6 +75,7 @@ nav:
          - reference/clanModules/sunshine.md
          - reference/clanModules/syncthing.md
          - reference/clanModules/thelounge.md
+          - reference/clanModules/user-password.md
          - reference/clanModules/xfce.md
          - reference/clanModules/zt-tcp-relay.md
      - Clan Core: