From a485724fdc452fa19b337c2364a105243635acb3 Mon Sep 17 00:00:00 2001 From: Alexander Foremny Date: Mon, 8 Sep 2025 00:10:35 +0200 Subject: extend userSecret implementation to all users (not only root) requires a patch of nixpkgs: ```diff --- a/nixos/modules/contracts/default.nix 2025-09-07 16:15:41.381243855 +0200 +++ b/nixos/modules/contracts/default.nix 2025-09-08 00:05:58.218489096 +0200 @@ -87,7 +87,8 @@ in default = submodule (consumer: { options = { provider = mkOption { - type = interface.config.provider; + type = lib.types.nullOr interface.config.provider; + default = null; }; input = mkOption { type = submodule interface.config.input;` --- modules/userSecret.nix | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/modules/userSecret.nix b/modules/userSecret.nix index b47cc95..02502a2 100644 --- a/modules/userSecret.nix +++ b/modules/userSecret.nix @@ -1,24 +1,26 @@ # "secret" consumer { config, lib, ... }: +let + topConfig = config; +in { options.users.users = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule { + type = lib.types.attrsOf (lib.types.submodule ({config, ...}: { options.passwordSecret = lib.mkOption { - type = lib.types.nullOr config.contracts.secret.consumer; + type = lib.types.nullOr topConfig.contracts.secret.consumer; }; - }); - }; - config = { - # TODO other users than root - users.users.root.passwordFile = - lib.mkIf (config.users.users.root.passwordSecret != null) - config.users.users.root.passwordSecret.output.path; + config = { + hashedPasswordFile = + lib.mkIf (config.passwordSecret.provider != null) + config.passwordSecret.output.path; - users.users.root.passwordSecret.input = - lib.mkIf (config.users.users.root.passwordSecret != null) { - owner = "root"; - group = "root"; - mode = "0400"; + passwordSecret.input = + lib.mkIf (config.passwordSecret.provider != null) { + owner = "root"; + group = "root"; + mode = "0400"; + }; }; + })); }; } -- cgit v1.2.3
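Review bot: The guards in the new per-user `config` block test `config.passwordSecret.provider != null`, but the option is still declared as `lib.types.nullOr topConfig.contracts.secret.consumer`, so the type advertises a `null` value that these guards cannot handle. Because the submodule itself now defines `passwordSecret.input`, an explicit `passwordSecret = null;` would probably fail at evaluation instead of disabling the secret; if a null provider is meant to be the "unset" signal, `type = topConfig.contracts.secret.consumer;` would state that directly. That signal only exists with the nixpkgs patch quoted in the commit message, so a header comment such as `# requires contracts.<name>.consumer.provider to be nullOr with default = null (local nixpkgs patch)` would keep the dependency visible in the file. A second comment next to the fixed `owner = "root"; group = "root"; mode = "0400";` should record the security assumption that now applies to every user: the file is meant to be readable by root only, and since it feeds `hashedPasswordFile` it is expected to hold a password hash, not a plaintext password.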