updated security

2026-04-02 15:14:15 -05:00
parent bb2c66a4dc
commit 987d62ce4d


@@ -8,12 +8,26 @@ let
set -euo pipefail set -euo pipefail
SECRET_FILE="/var/lib/secrets/free-password" SECRET_FILE="/var/lib/secrets/free-password"
if [ -z "''${1:-}" ]; then if [ "$(id -u)" -ne 0 ]; then
echo "Error: must be run as root (use sudo)." >&2
exit 1
fi
echo -n "New password for free: " echo -n "New password for free: "
read -rs NEW_PASS read -rs NEW_PASS
echo echo
else echo -n "Confirm password: "
NEW_PASS="$1" read -rs CONFIRM
echo
if [ "$NEW_PASS" != "$CONFIRM" ]; then
echo "Passwords do not match." >&2
exit 1
fi
if [ -z "$NEW_PASS" ]; then
echo "Password cannot be empty." >&2
exit 1
fi fi
echo "free:$NEW_PASS" | ${pkgs.shadow}/bin/chpasswd echo "free:$NEW_PASS" | ${pkgs.shadow}/bin/chpasswd
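Review bot: The script saves the new password to $SECRET_FILE (the `chmod 600` and "saved" message at the top of the next hunk), yet nothing in this hunk sets a restrictive umask, so if that write — not visible here — is a plain redirect, the file is created with the default mode and is readable until the later chmod runs; add `umask 077` directly after `set -euo pipefail`. On the last line of the hunk, feed chpasswd with `printf '%s\n' "free:$NEW_PASS" | ${pkgs.shadow}/bin/chpasswd` instead of `echo`, so a password containing backslash sequences is passed through literally regardless of echo's escape handling. With `set -e`, a `read -rs` that hits EOF (non-interactive invocation) exits the script silently; `read -rs NEW_PASS || { echo "No password read." >&2; exit 1; }` gives the operator a diagnostic. The change-free-password script body continues past the end of this hunk.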
@@ -22,33 +36,45 @@ let
chmod 600 "$SECRET_FILE" chmod 600 "$SECRET_FILE"
echo "Password for 'free' updated and saved." echo "Password for 'free' updated and saved."
''; '';
in
{
# ── Make helper available system-wide ───────────────────────
environment.systemPackages = [ change-free-password ];
# ── Wrapper: intercept 'passwd free' ─────────────────────── # ── Shell aliases: intercept 'passwd free' ─────────────────
passwd-wrapper = pkgs.writeShellScriptBin "passwd" '' programs.bash.interactiveShellInit = ''
# If the target user is 'free', redirect to the proper tool passwd() {
TARGET="''${1:-}" if [ "$1" = "free" ]; then
if [ "$TARGET" = "free" ]; then
echo "" echo ""
echo "" echo ""
echo " Use 'change-free-password' instead of 'passwd' " echo " Use 'sudo change-free-password' instead. "
echo " " echo " "
echo " 'passwd free' only updates /etc/shadow. " echo " 'passwd free' only updates /etc/shadow. "
echo " The Hub and Magic Keys PDF will NOT be updated. " echo " The Hub and Magic Keys PDF will NOT be updated. "
echo " "
echo " Redirecting to change-free-password now... "
echo "" echo ""
echo "" echo ""
exec ${change-free-password}/bin/change-free-password return 1
fi fi
command passwd "$@"
# For all other users, pass through to the real passwd }
exec ${pkgs.shadow}/bin/passwd "$@" '';
programs.fish.interactiveShellInit = ''
function passwd --wraps passwd
if test "$argv[1]" = "free"
echo ""
echo ""
echo " Use 'sudo change-free-password' instead. "
echo " "
echo " 'passwd free' only updates /etc/shadow. "
echo " The Hub and Magic Keys PDF will NOT be updated. "
echo "<EFBFBD><EFBFBD>"
echo ""
return 1
end
command passwd $argv
end
''; '';
in
{
# ── Make helpers available system-wide ──────────────────────
environment.systemPackages = [ change-free-password passwd-wrapper ];
# ── 1. Auto-Generate Root Password (Runs once) ───────────── # ── 1. Auto-Generate Root Password (Runs once) ─────────────
systemd.services.root-password-setup = { systemd.services.root-password-setup = {