Fix bug and add utility to store unix password

2025-07-19 22:34:06 +02:00 · 2025-07-19 22:34:06 +02:00 · 567098b4a4
commit 567098b4a4
parent 9c828ea0e4
2 changed files with 45 additions and 1 deletions
--- a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
+++ b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
@ -5,7 +5,7 @@
  ...
 }:
 let
-  cfg = config.khscodes.infrastructure.vault-server-approle.enable;
+  cfg = config.khscodes.infrastructure.vault-server-approle;
  userExists = username: (builtins.hasAttr username config.users.users) && config.users.users.enable;
  setKhsPassword = pkgs.writeShellApplication {
    name = "set-khs-password";
--- a/nix/packages/set-unix-user-password/default.nix
+++ b/nix/packages/set-unix-user-password/default.nix
@ -0,0 +1,44 @@
 { pkgs, ... }:
 pkgs.writeShellApplication {
  name = "set-unix-user-password";
  runtimeInputs = [
    pkgs.openssl
    pkgs.openbao
  ];
  text = ''
    function askpass() {
      stty -echo
      >&2 printf "%s: " "''${1:-Password}"
      read -r PASSWORD
      stty echo
      >&2 printf "\n"
      echo "$PASSWORD"
    }
    user="''${1:-}"
    if [[ "$user" == "" ]]; then
      >&2 echo "Usage: set-unix-user-password <username>"
      exit 1
    fi
    case "$user" in
      khs)
      ;;
      *)
        >&2 echo "Unknown user $user"
        exit 1
      ;;
    esac
    >&2 echo "Enter password for $user:"
    >&2 echo ""
    password="$(askpass "Password")"
    repeat_password="$(askpass "Repeat Password")"
    if [[ "$password" != "$repeat_password" ]]; then
      >&2 echo "Passwords don't match"
      exit 1
    fi
    hashed_password="$(openssl passwd -6 "$password")"
    echo -n "$hashed_password" | bao kv put -mount=unix-users "$user/password" hashedPassword=-
    >&2 echo "Password stored in vault"
  '';
 }