authorLibravatar Alexander Foremny <aforemny@posteo.de>2025-09-05 23:52:28 +0200
committerLibravatar Alexander Foremny <aforemny@posteo.de>2025-09-05 23:52:28 +0200
commit7132c52c038de995eb291070a4cda3eaf975635b (patch)
treea8a2a438d03b0761454e11f50ccfe59e7850c87d /modules/userSecret.nix
parentadba5f32fdec0ca53937d571cd76f36e66fa6556 (diff)
another take on basic contracts
- adds "secret" consumer `nixosModules.userSecret`
- binds secret provider `testing.hardcodedSecret.rootPassword` to secret consumer `users.users.root.passwordSecret`
Diffstat (limited to 'modules/userSecret.nix')
-rw-r--r--modules/userSecret.nix20
1 files changed, 20 insertions, 0 deletions
diff --git a/modules/userSecret.nix b/modules/userSecret.nix
new file mode 100644
index 0000000..af1e978
--- /dev/null
+++ b/modules/userSecret.nix
@@ -0,0 +1,20 @@
+# "secret" consumer
+{ config, lib, ... }:
+{
+ options.users.users = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options.passwordSecret = lib.mkOption {
+ type = lib.types.nullOr config.contracts.secret.consumer;
+ };
+ });
+ };
+ config = {
+ # TODO other users than root
+ users.users.root.passwordFile = lib.mkIf (config.users.users.root.passwordSecret != null) config.users.users.root.passwordSecret.output.path;
+ users.users.root.passwordSecret.input = lib.mkIf (config.users.users.root.passwordSecret != null) {
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ };
+}
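Review bot: The `mkIf` guard on line 36 most likely does not leave root's `passwordSecret` null when no provider is bound: `lib.types.nullOr` tests each definition with `def.value == null`, and this module's own definition is the attrset `{ input = mkIf … }`, so the option merges non-null, the condition on lines 35–36 is always true, and `passwordFile` is unconditionally set to `passwordSecret.output.path` — what that yields when nothing defines `output.path` depends on `config.contracts.secret.consumer`, which is not visible here. A safer shape is to carry the owner/group/mode defaults in the option declaration itself (defaults on `input` in the consumer type, or a small wrapper module merged into the submodule with `lib.mkDefault`), so that nothing in this module's `config` section defines `passwordSecret` unless a user or provider does. Separately, `users.users.<name>.passwordFile` has been renamed to `hashedPasswordFile` in current NixOS and expects a crypt(3) hash rather than a plaintext password, so the bound secret must already be hashed; a comment on the option such as `# must hold a crypt(3) hash (mkpasswd output), not a plaintext password` would keep a plaintext provider from being wired in by mistake. Finally, `passwordSecret` is declared for every user but only root is wired (the TODO on line 34), so a value set on any other user is silently ignored; until that is generalized, an assertion like `assertions = [{ assertion = lib.all (u: u.passwordSecret == null) (lib.attrValues (removeAttrs config.users.users [ "root" ])); message = "passwordSecret is only supported for root"; }];` would make the gap visible at evaluation time.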