Fix bug and add utility to store unix password

2025-07-19 22:34:06 +02:00 · 2025-07-19 22:34:06 +02:00 · 567098b4a4
commit 567098b4a4
parent 9c828ea0e4
2 changed files with 45 additions and 1 deletions
--- a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
+++ b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
@ -5,7 +5,7 @@
  ...
 }:
 let
-  cfg = config.khscodes.infrastructure.vault-server-approle.enable;
+  cfg = config.khscodes.infrastructure.vault-server-approle;
  userExists = username: (builtins.hasAttr username config.users.users) && config.users.users.enable;
  setKhsPassword = pkgs.writeShellApplication {
    name = "set-khs-password";
--- a/nix/packages/set-unix-user-password/default.nix
+++ b/nix/packages/set-unix-user-password/default.nix
@ -0,0 +1,44 @@
+{ pkgs, ... }:
+pkgs.writeShellApplication {
+  name = "set-unix-user-password";
+  runtimeInputs = [
+    pkgs.openssl
+    pkgs.openbao
+  ];
+  text = ''
+    function askpass() {
+      stty -echo
+      >&2 printf "%s: " "''${1:-Password}"
+      read -r PASSWORD
+      stty echo
+      >&2 printf "\n"
+      echo "$PASSWORD"
+    }
+    user="''${1:-}"
+    if [[ "$user" == "" ]]; then
+      >&2 echo "Usage: set-unix-user-password <username>"
+      exit 1
+    fi
+    case "$user" in
+      khs)
+      ;;
+      *)
+        >&2 echo "Unknown user $user"
+        exit 1
+      ;;
+    esac
+
+    >&2 echo "Enter password for $user:"
+    >&2 echo ""
+    password="$(askpass "Password")"
+    repeat_password="$(askpass "Repeat Password")"
+
+    if [[ "$password" != "$repeat_password" ]]; then
+      >&2 echo "Passwords don't match"
+      exit 1
+    fi
+    hashed_password="$(openssl passwd -6 "$password")"
+    echo -n "$hashed_password" | bao kv put -mount=unix-users "$user/password" hashedPassword=-
+    >&2 echo "Password stored in vault"
+  '';
+}