Support setting khs unix user password from vault

nix/modules/nixos/infrastructure/vault-server-approle/default.nix

@@ -57,6 +57,8 @@ in
     };
   };
 
+  imports = [ ./unix-user.nix ];
+
   config = lib.mkIf cfg.enable {
     khscodes.services.read-vault-auth-from-userdata.enable = cfg.stage == "pre";
     khscodes.services.vault-agent.enable = true;

nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix

@@ -0,0 +1,44 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.khscodes.infrastructure.vault-server-approle.enable;
+  userExists = username: builtins.hasAttr username config.users.users && config.users.users.enable;
+  setKhsPassword = pkgs.writeShellApplication {
+    name = "set-khs-password";
+    runtimeInputs = [
+      pkgs.su
+      pkgs.uutils-coreutils-noprefix
+    ];
+    text = ''
+      hashed_passwd="$(cat /run/unix-users/khs)"
+      usermod --password "$hashed_password" khs
+    '';
+  };
+in
+{
+  config = lib.mkIf cfg.enable {
+    khscodes.infrastructure.vault-server-approle.policy = lib.mkIf (userExists "khs") {
+      "unix-users/data/khs/password" = {
+        capabilities = [ "read" ];
+      };
+    };
+    khscodes.services.vault-agent.templates = [
+      {
+        contents = ''
+          {{- with secret "unix-users/data/khs/password" -}}
+          {{ .Data.data.hashedPassword }}
+          {{- end -}}
+        '';
+        destination = "/run/unix-users/khs";
+        perms = "0600";
+        owner = "root";
+        group = "root";
+        exec = lib.getExe setKhsPassword;
+      }
+    ];
+  };
+}

nix/modules/nixos/users/khs/default.nix

@@ -8,10 +8,8 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    snowfallorg.users.khs.admin = true;
+    snowfallorg.users.khs.admin = lib.mkDefault true;
     users.users.khs = {
-      # TODO: What should I do wrt. ensuring the passwords are consistent?
-      #       Maybe set them through OpenBAO and some service?
       initialPassword = "changeme";
       openssh.authorizedKeys.keys = [
         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="

nix/profiles/nixos/khs-base.nix

@@ -1,19 +1,11 @@
 {
   pkgs,
   config,
-  lib,
   ...
 }:
 {
   imports = [ ./nix-base.nix ];
-  snowfallorg.users.khs.admin = lib.mkDefault true;
+  khscodes.users.khs.enable = true;
-  users.users.khs = {
-    # TODO: Figure out how to provision password changes to servers from VAULT
-    initialPassword = "changeme";
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="
-    ];
-  };
   time.timeZone = "Europe/Copenhagen";
   environment = {
     systemPackages = [ pkgs.openbao ];

nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix

@@ -31,12 +31,6 @@ in
     khscodes.infrastructure.provisioning.post.secretsSource = "bitwarden";
     khscodes.infrastructure.vault-server-approle.stage = "post";
     khscodes.networking.fqdn = "security.kaareskovgaard.net";
-    users.users.khs = {
-      initialPassword = "changeme";
-      openssh.authorizedKeys.keys = [
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="
-      ];
-    };
     khscodes.infrastructure.openbao.domain = "secrets.kaareskovgaard.net";
     system.stateVersion = "25.05";
   };

nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/default.nix

@@ -4,6 +4,7 @@
     ./ssh-host.nix
     ./loki-mtls.nix
     ./prometheus-mtls.nix
+    ./unix-users.nix
   ];
   khscodes.infrastructure.vault-server-approle.path = "\${ vault_auth_backend.approle.path }";
   khscodes.infrastructure.provisioning.post.modules = [

nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/unix-users.nix

@@ -0,0 +1,14 @@
+{
+  khscodes.infrastructure.provisioning.post.modules = [
+    {
+      khscodes.vault.mount.unix-users = {
+        type = "kv";
+        path = "unix-users";
+        options = {
+          version = "2";
+        };
+        description = "Secrets used for forgejo";
+      };
+    }
+  ];
+}

nix/systems/x86_64-linux/desktop.kaareskovgaard.net/default.nix

@@ -10,11 +10,6 @@
     device = "/dev/sda";
     diskName = "nixos";
   };
-  users.users.khs = {
+  khscodes.users.khs.enable = true;
-    initialPassword = "changeme";
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="
-    ];
-  };
   system.stateVersion = "25.05";
 }

nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix

@@ -213,13 +213,6 @@ in
       };
     };
   };
-  snowfallorg.users.khs.admin = true;
-  users.users.khs = {
-    initialPassword = "changeme";
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="
-    ];
-  };
   khscodes.networking.fqdn = "monitoring.kaareskovgaard.net";
   system.stateVersion = "25.05";
 }