From 567098b4a46e86f54027e0fdd5b982242503233e Mon Sep 17 00:00:00 2001
From: Kaare Hoff Skovgaard
Date: Sat, 19 Jul 2025 22:34:06 +0200
Subject: [PATCH] Fix bug and add utility to store unix password
---
 .../vault-server-approle/unix-user.nix | 2 +-
 .../set-unix-user-password/default.nix | 44 +++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 nix/packages/set-unix-user-password/default.nix

diff --git a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
index e713edb..58df738 100644
--- a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
+++ b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
@@ -5,7 +5,7 @@
 ...
 }:
 let
- cfg = config.khscodes.infrastructure.vault-server-approle.enable;
+ cfg = config.khscodes.infrastructure.vault-server-approle;
 userExists = username: (builtins.hasAttr username config.users.users) && config.users.users.enable;
 setKhsPassword = pkgs.writeShellApplication {
 name = "set-khs-password";
diff --git a/nix/packages/set-unix-user-password/default.nix b/nix/packages/set-unix-user-password/default.nix
new file mode 100644
index 0000000..959e7bb
--- /dev/null
+++ b/nix/packages/set-unix-user-password/default.nix
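Review bot: The context line `userExists = username: (builtins.hasAttr username config.users.users) && config.users.users.enable;` right below the fixed `cfg` binding reads `enable` on the whole `users.users` attribute set rather than on the user that was just looked up, so once `hasAttr` succeeds the right-hand side evaluates the wrong attribute (and fails unless a user literally named `enable` exists). The intent looks like `config.users.users.${username}.enable`, which `&&` only evaluates after the existence check has passed; confirm that the per-user `enable` option is what is meant here. The `let` block this line belongs to continues outside the hunk.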
@@ -0,0 +1,44 @@
+{ pkgs, ... }:
+pkgs.writeShellApplication {
+ name = "set-unix-user-password";
+ runtimeInputs = [
+ pkgs.openssl
+ pkgs.openbao
+ ];
+ text = ''
+ function askpass() {
+ stty -echo
+ >&2 printf "%s: " "''${1:-Password}"
+ read -r PASSWORD
+ stty echo
+ >&2 printf "\n"
+ echo "$PASSWORD"
+ }
+ user="''${1:-}"
+ if [[ "$user" == "" ]]; then
+ >&2 echo "Usage: set-unix-user-password "
+ exit 1
+ fi
+ case "$user" in
+ khs)
+ ;;
+ *)
+ >&2 echo "Unknown user $user"
+ exit 1
+ ;;
+ esac
+
+ >&2 echo "Enter password for $user:"
+ >&2 echo ""
+ password="$(askpass "Password")"
+ repeat_password="$(askpass "Repeat Password")"
+
+ if [[ "$password" != "$repeat_password" ]]; then
+ >&2 echo "Passwords don't match"
+ exit 1
+ fi
+ hashed_password="$(openssl passwd -6 "$password")"
+ echo -n "$hashed_password" | bao kv put -mount=unix-users "$user/password" hashedPassword=-
+ >&2 echo "Password stored in vault"
+ '';
+}
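Review bot: `hashed_password="$(openssl passwd -6 "$password")"` hands the plaintext password to openssl as a command-line argument, so for the duration of the hash it is readable in the process list by any other local user; feeding it on stdin with `printf '%s\n' "$password" | openssl passwd -6 -stdin` keeps it out of argv. Related, `askpass` disables echo but only restores it on the happy path: since writeShellApplication sets errexit, an EOF or interrupt during `read` leaves the terminal with echo off, which a `trap 'stty echo' EXIT` inside the function (it runs in a command-substitution subshell) covers. `echo "$PASSWORD"` also misreads passwords beginning with `-n` or `-e` as options, which `printf '%s\n'` does not.
```nix
    function askpass() {
      stty -echo
      # fires when the $(...) subshell exits, including on EOF/interrupt under errexit
      trap 'stty echo' EXIT
      >&2 printf "%s: " "''${1:-Password}"
      read -r PASSWORD
      >&2 printf "\n"
      printf '%s\n' "$PASSWORD"
    }
    # … unchanged: argument check, user allowlist, prompts, match check …
    hashed_password="$(printf '%s\n' "$password" | openssl passwd -6 -stdin)"
```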