.gitignore

@@ -3,6 +3,7 @@
 out.log
 .coverage.*
 **/qubeclan
+pkgs/repro-hook
 **/testdir
 democlan
 example_clan
@@ -35,4 +36,4 @@ repo
 # node
 node_modules
 dist
-.webui
+.webui

clanModules/user-password/default.nix

@@ -38,9 +38,9 @@
       ];
       generator.script = ''
         if [[ -n $prompt_value ]]; then
-          echo $prompt_value > $secrets/user-password
+          echo $prompt_value | tr -d '\n' > $secrets/user-password
         else
-          xkcdpass --numwords 3 --delimiter - --count 1 > $secrets/user-password
+          xkcdpass --numwords 3 --delimiter - --count 1 | tr -d '\n' > $secrets/user-password
         fi
         cat $secrets/user-password | mkpasswd -s -m sha-512 > $secrets/user-password-hash
       '';

docs/CONTRIBUTING.md

@@ -44,6 +44,14 @@ Let's get your development environment up and running:
          ```bash
          git remote add upstream gitea@git.clan.lol:clan/clan-core.git
          ```
+5. **Create an access token**:
+      - Log in to Gitea.
+      - Go to your account settings.
+      - Navigate to the Applications section.
+      - Click Generate New Token.
+      - Name your token and select all available scopes.
+      - Generate the token and copy it for later use.
+      - Your access token is now ready to use with all permissions.
 
 5. **Register Your Gitea Account Locally**:
 
@@ -54,9 +62,8 @@ Let's get your development environment up and running:
       - Fill out the prompt as follows:
         - URL of Gitea instance: `https://git.clan.lol`
         - Name of new Login [git.clan.lol]:
-        - Do you have an access token? No
-        - Username: YourUsername
-        - Password: YourPassword
+        - Do you have an access token? Yes
+        - Token: <yourtoken>
         - Set Optional settings: No
 
 

pkgs/clan-cli/tests/test_flake_with_core/flake.nix

@@ -38,6 +38,10 @@
           vm2 =
             { lib, ... }:
             {
+              imports = [
+                clan-core.clanModules.sshd
+                clan-core.clanModules.root-password
+              ];
               clan.networking.targetHost = "__CLAN_TARGET_ADDRESS__";
               system.stateVersion = lib.version;
               sops.age.keyFile = "__CLAN_SOPS_KEY_PATH__";

pkgs/clan-cli/tests/test_secrets_generate.py

@@ -1,4 +1,6 @@
 import ipaddress
+import subprocess
+import tempfile
 from typing import TYPE_CHECKING
 
 import pytest
@@ -14,6 +16,26 @@ if TYPE_CHECKING:
     from age_keys import KeyPair
 
 
+def is_valid_ssh_key(secret_key: str, ssh_pub: str) -> bool:
+    # create tempfile and write secret_key to it
+    with tempfile.NamedTemporaryFile() as temp:
+        temp.write(secret_key.encode("utf-8"))
+        temp.flush()
+        # Run the ssh-keygen command with the -y flag to check the key format
+        result = subprocess.run(
+            ["ssh-keygen", "-y", "-f", temp.name], capture_output=True, text=True
+        )
+
+        if result.returncode == 0:
+            if result.stdout != ssh_pub:
+                raise ValueError(
+                    f"Expected '{ssh_pub}' got '{result.stdout}' for ssh key: {secret_key}"
+                )
+            return True
+        else:
+            raise ValueError(f"Invalid ssh key: {secret_key}")
+
+
 @pytest.mark.impure
 def test_generate_secret(
     monkeypatch: pytest.MonkeyPatch,
@@ -47,9 +69,8 @@ def test_generate_secret(
     )
     cmd = ["facts", "generate", "--flake", str(test_flake_with_core.path), "vm1"]
     cli.run(cmd)
-    has_secret(test_flake_with_core.path, "vm1-age.key")
-    has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret")
-    has_secret(test_flake_with_core.path, "vm1-zerotier-subnet")
+    assert has_secret(test_flake_with_core.path, "vm1-age.key")
+    assert has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret")
     network_id = machine_get_fact(
         test_flake_with_core.path, "vm1", "zerotier-network-id"
     )
@@ -61,8 +82,13 @@ def test_generate_secret(
     secret1_mtime = identity_secret.lstat().st_mtime_ns
 
     # Assert that the age key is valid
-    age_secert = decrypt_secret(test_flake_with_core.path, "vm1-age.key")
-    assert is_valid_age_key(age_secert)
+    age_secret = decrypt_secret(test_flake_with_core.path, "vm1-age.key")
+    assert is_valid_age_key(age_secret)
+
+    # # Assert that the ssh key is valid
+    # ssh_secret = decrypt_secret(test_flake_with_core.path, "vm1-ssh.id_ed25519")
+    # ssh_pub = machine_get_fact(test_flake_with_core.path, "vm1", "ssh.id_ed25519.pub")
+    # assert is_valid_ssh_key(ssh_secret, ssh_pub)
 
     # test idempotency for vm1 and also generate for vm2
     cli.run(["facts", "generate", "--flake", str(test_flake_with_core.path)])
@@ -73,11 +99,25 @@ def test_generate_secret(
         secrets_folder / "vm1-zerotier-identity-secret" / "machines" / "vm1"
     ).exists()
 
+    assert has_secret(test_flake_with_core.path, "vm2-password")
+    assert has_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519")
     assert has_secret(test_flake_with_core.path, "vm2-age.key")
     assert has_secret(test_flake_with_core.path, "vm2-zerotier-identity-secret")
+
     ip = machine_get_fact(test_flake_with_core.path, "vm1", "zerotier-ip")
     assert ipaddress.IPv6Address(ip).is_private
 
     # Assert that the age key is valid
-    age_secert = decrypt_secret(test_flake_with_core.path, "vm2-age.key")
-    assert is_valid_age_key(age_secert)
+    age_secret = decrypt_secret(test_flake_with_core.path, "vm2-age.key")
+    assert is_valid_age_key(age_secret)
+
+    # Assert that the ssh key is valid
+    ssh_secret = decrypt_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519")
+    ssh_pub = machine_get_fact(test_flake_with_core.path, "vm2", "ssh.id_ed25519.pub")
+    assert is_valid_ssh_key(ssh_secret, ssh_pub)
+
+    pwd_secret = decrypt_secret(test_flake_with_core.path, "vm2-password")
+    # remove last newline
+    pwd_secret = pwd_secret[:-1]
+    assert pwd_secret.isprintable()
+    assert pwd_secret.isascii()