From 7132c52c038de995eb291070a4cda3eaf975635b Mon Sep 17 00:00:00 2001
From: Alexander Foremny
Date: Fri, 5 Sep 2025 23:52:28 +0200
Subject: another take on basic contracts
- adds "secret" consumer `nixosModules.userSecret`
- binds secret provider `testing.hardcodedSecret.rootPassword` with secret consumer `users.users.root.passwordSecret`
---
modules/userSecret.nix | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 modules/userSecret.nix
(limited to 'modules/userSecret.nix')
diff --git a/modules/userSecret.nix b/modules/userSecret.nix
new file mode 100644
index 0000000..af1e978
--- /dev/null
+++ b/modules/userSecret.nix
@@ -0,0 +1,20 @@
+# "secret" consumer
+{ config, lib, ... }:
+{
+ options.users.users = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options.passwordSecret = lib.mkOption {
+ type = lib.types.nullOr config.contracts.secret.consumer;
+ };
+ });
+ };
+ config = {
+ # TODO other users than root
+ users.users.root.passwordFile = lib.mkIf (config.users.users.root.passwordSecret != null) config.users.users.root.passwordSecret.output.path;
+ users.users.root.passwordSecret.input = lib.mkIf (config.users.users.root.passwordSecret != null) {
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ };
+}
-- 
cgit v1.2.3
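Review bot: The two `lib.mkIf (config.users.users.root.passwordSecret != null)` guards in the `config` block cannot do what they are meant to, because the same block unconditionally defines `users.users.root.passwordSecret.input`; as I read `nullOr` merging, that makes `passwordSecret` a non-null attrset on every host, so `passwordFile` is always set to `passwordSecret.output.path` even when no provider has bound the secret — an evaluation error if `output.path` has no default, or otherwise a root account whose password file nobody writes. The `passwordSecret` option also has neither a default nor a description; I would add `default = null; description = "Secret contract consumer supplying the file used as this user's passwordFile.";` so the option is at least well-formed on its own. Whether a provider is actually bound should be detected from something the provider side sets (or an explicit opt-in flag next to `passwordSecret`), not from the consumer being non-null, since this module itself defines it; note that moving the guard up to `users.users.root = lib.mkIf …` would instead recurse, because the condition reads the option being defined. If this targets a recent NixOS, `passwordFile` is the deprecated alias of `hashedPasswordFile` and the provider must supply a shadow-style hash rather than a plaintext password — worth confirming against what `testing.hardcodedSecret.rootPassword` emits. The requested `owner = "root"; group = "root"; mode = "0400";` is appropriately restrictive.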