Fix password hash file generation behavior

- Move the "create password hash file from hashed password" behavior to a separate variable, since having it in the default field of config would always cause the warning to trigger - Change type of hashedPassword to `nullOr str`
2020-03-06 17:27:47 +00:00 · 2020-03-06 17:27:47 +00:00 · 6563abc1c4
commit 6563abc1c4
parent 7bda4c4f11
5 changed files with 95 additions and 23 deletions
--- a/default.nix
+++ b/default.nix
@ -56,10 +56,27 @@ in
          };

          hashedPassword = mkOption {
-            type = types.str;
+            type = with types; nullOr str;
+            default = null;
            example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
            description = ''
-              Hashed password. Use `mkpasswd` as follows
+              The user's hashed password. Use `mkpasswd` as follows
+
+              ```
+              mkpasswd -m sha-512 "super secret password"
+              ```
+
+              Warning: this is stored in plaintext in the Nix store!
+              Use `hashedPasswordFile` instead.
+            '';
+          };
+
+          hashedPasswordFile = mkOption {
+            type = with types; nullOr path;
+            default = null;
+            example = "/run/keys/user1-passwordhash";
+            description = ''
+              A file containing the user's hashed password. Use `mkpasswd` as follows

              ```
              mkpasswd -m sha-512 "super secret password"