49 lines
876 B
Plaintext
49 lines
876 B
Plaintext
# Machines/Services can define secret generators
|
|
|
|
```
|
|
clan secrets list defaultVM
|
|
```
|
|
|
|
```
|
|
nvim default-vm/machines.nix
|
|
```
|
|
|
|
```nix
|
|
clanCore.secrets.root-password = {
|
|
secrets.root-password = { };
|
|
facts.root-password-hash = { };
|
|
generator.path = with pkgs; [
|
|
coreutils
|
|
xkcdpass
|
|
mkpasswd
|
|
];
|
|
generator.script = ''
|
|
xkcdpass -n 3 -d - > $secrets/root-password
|
|
cat $secrets/root-password | mkpasswd -s -m sha-512 > $facts/root-password-hash
|
|
'';
|
|
};
|
|
```
|
|
|
|
# When a machine is started, they are automatically generated and store
|
|
|
|
```
|
|
clan facts generate defaultVM
|
|
```
|
|
|
|
```
|
|
clan secrets list defaultVM
|
|
```
|
|
|
|
```
|
|
clan secrets get defaultVM-root-password
|
|
```
|
|
|
|
```
|
|
clan vms run defaultVM
|
|
```
|
|
|
|
```
|
|
[root@nixos:~]# cat /run/secrets/defaultVM-root-password
|
|
iodize-unmixable-spool
|
|
```
|