diff --git a/.gitignore b/.gitignore index c067f854..edc3e7ce 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,7 @@ out.log .coverage.* **/qubeclan +pkgs/repro-hook **/testdir democlan example_clan @@ -35,4 +36,4 @@ repo # node node_modules dist -.webui \ No newline at end of file +.webui diff --git a/clanModules/user-password/default.nix b/clanModules/user-password/default.nix index 74c5bdf5..6fd650ff 100644 --- a/clanModules/user-password/default.nix +++ b/clanModules/user-password/default.nix @@ -38,9 +38,9 @@ ]; generator.script = '' if [[ -n $prompt_value ]]; then - echo $prompt_value > $secrets/user-password + echo $prompt_value | tr -d '\n' > $secrets/user-password else - xkcdpass --numwords 3 --delimiter - --count 1 > $secrets/user-password + xkcdpass --numwords 3 --delimiter - --count 1 | tr -d '\n' > $secrets/user-password fi cat $secrets/user-password | mkpasswd -s -m sha-512 > $secrets/user-password-hash ''; diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 864caa18..38dabaec 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -44,6 +44,14 @@ Let's get your development environment up and running: ```bash git remote add upstream gitea@git.clan.lol:clan/clan-core.git ``` +5. **Create an access token**: + - Log in to Gitea. + - Go to your account settings. + - Navigate to the Applications section. + - Click Generate New Token. + - Name your token and select all available scopes. + - Generate the token and copy it for later use. + - Your access token is now ready to use with all permissions. 5. **Register Your Gitea Account Locally**: @@ -54,9 +62,8 @@ Let's get your development environment up and running: - Fill out the prompt as follows: - URL of Gitea instance: `https://git.clan.lol` - Name of new Login [git.clan.lol]: - - Do you have an access token? No - - Username: YourUsername - - Password: YourPassword + - Do you have an access token? Yes + - Token: - Set Optional settings: No diff --git a/pkgs/clan-cli/tests/test_flake_with_core/flake.nix b/pkgs/clan-cli/tests/test_flake_with_core/flake.nix index 5d2e6ec1..cafe8978 100644 --- a/pkgs/clan-cli/tests/test_flake_with_core/flake.nix +++ b/pkgs/clan-cli/tests/test_flake_with_core/flake.nix @@ -38,6 +38,10 @@ vm2 = { lib, ... }: { + imports = [ + clan-core.clanModules.sshd + clan-core.clanModules.root-password + ]; clan.networking.targetHost = "__CLAN_TARGET_ADDRESS__"; system.stateVersion = lib.version; sops.age.keyFile = "__CLAN_SOPS_KEY_PATH__"; diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py index 50dccfeb..326a9bb1 100644 --- a/pkgs/clan-cli/tests/test_secrets_generate.py +++ b/pkgs/clan-cli/tests/test_secrets_generate.py @@ -1,4 +1,6 @@ import ipaddress +import subprocess +import tempfile from typing import TYPE_CHECKING import pytest @@ -14,6 +16,26 @@ if TYPE_CHECKING: from age_keys import KeyPair +def is_valid_ssh_key(secret_key: str, ssh_pub: str) -> bool: + # create tempfile and write secret_key to it + with tempfile.NamedTemporaryFile() as temp: + temp.write(secret_key.encode("utf-8")) + temp.flush() + # Run the ssh-keygen command with the -y flag to check the key format + result = subprocess.run( + ["ssh-keygen", "-y", "-f", temp.name], capture_output=True, text=True + ) + + if result.returncode == 0: + if result.stdout != ssh_pub: + raise ValueError( + f"Expected '{ssh_pub}' got '{result.stdout}' for ssh key: {secret_key}" + ) + return True + else: + raise ValueError(f"Invalid ssh key: {secret_key}") + + @pytest.mark.impure def test_generate_secret( monkeypatch: pytest.MonkeyPatch, @@ -47,9 +69,8 @@ def test_generate_secret( ) cmd = ["facts", "generate", "--flake", str(test_flake_with_core.path), "vm1"] cli.run(cmd) - has_secret(test_flake_with_core.path, "vm1-age.key") - has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret") - has_secret(test_flake_with_core.path, "vm1-zerotier-subnet") + assert has_secret(test_flake_with_core.path, "vm1-age.key") + assert has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret") network_id = machine_get_fact( test_flake_with_core.path, "vm1", "zerotier-network-id" ) @@ -61,8 +82,13 @@ def test_generate_secret( secret1_mtime = identity_secret.lstat().st_mtime_ns # Assert that the age key is valid - age_secert = decrypt_secret(test_flake_with_core.path, "vm1-age.key") - assert is_valid_age_key(age_secert) + age_secret = decrypt_secret(test_flake_with_core.path, "vm1-age.key") + assert is_valid_age_key(age_secret) + + # # Assert that the ssh key is valid + # ssh_secret = decrypt_secret(test_flake_with_core.path, "vm1-ssh.id_ed25519") + # ssh_pub = machine_get_fact(test_flake_with_core.path, "vm1", "ssh.id_ed25519.pub") + # assert is_valid_ssh_key(ssh_secret, ssh_pub) # test idempotency for vm1 and also generate for vm2 cli.run(["facts", "generate", "--flake", str(test_flake_with_core.path)]) @@ -73,11 +99,25 @@ def test_generate_secret( secrets_folder / "vm1-zerotier-identity-secret" / "machines" / "vm1" ).exists() + assert has_secret(test_flake_with_core.path, "vm2-password") + assert has_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519") assert has_secret(test_flake_with_core.path, "vm2-age.key") assert has_secret(test_flake_with_core.path, "vm2-zerotier-identity-secret") + ip = machine_get_fact(test_flake_with_core.path, "vm1", "zerotier-ip") assert ipaddress.IPv6Address(ip).is_private # Assert that the age key is valid - age_secert = decrypt_secret(test_flake_with_core.path, "vm2-age.key") - assert is_valid_age_key(age_secert) + age_secret = decrypt_secret(test_flake_with_core.path, "vm2-age.key") + assert is_valid_age_key(age_secret) + + # Assert that the ssh key is valid + ssh_secret = decrypt_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519") + ssh_pub = machine_get_fact(test_flake_with_core.path, "vm2", "ssh.id_ed25519.pub") + assert is_valid_ssh_key(ssh_secret, ssh_pub) + + pwd_secret = decrypt_secret(test_flake_with_core.path, "vm2-password") + # remove last newline + pwd_secret = pwd_secret[:-1] + assert pwd_secret.isprintable() + assert pwd_secret.isascii()