From ed13c22b643d802b75c50ce8a7d97ae1e5e9b000 Mon Sep 17 00:00:00 2001
From: Sveske-Juice <carl.benjamin.dreyer@gmail.com>
Date: Sat, 5 Apr 2025 23:49:09 +0200
Subject: [PATCH] Expose genhash program as output package

---
 flake.nix                 |  4 ++++
 modules/options/users.nix | 24 +++++++++++++++++++++++-
 modules/pbkdf2-sha512.nix |  4 ++--
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/flake.nix b/flake.nix
index 6aada58..e805cc3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -43,6 +43,10 @@
       default = declarative-jellyfin;
     };
 
+    packages = forAllSystems (system: let
+      pkgs = import nixpkgs {inherit system;};
+    in {genhash = import ./modules/pbkdf2-sha512.nix {inherit pkgs;};});
+
     # Run all tests for all systems
     hydraJobs = forAllSystems tests;
     checks = forAllSystems tests;
diff --git a/modules/options/users.nix b/modules/options/users.nix
index 9714dd7..4dafb18 100644
--- a/modules/options/users.nix
+++ b/modules/options/users.nix
@@ -89,7 +89,29 @@ with lib; {
         };
         Password = mkOption {
           type = types.str;
-          # TODO: implement
+        };
+        HashedPasswordFile = mkOption {
+          type = types.path;
+          description = ''
+            A path to a pbkdf2-sha512 hash
+            in this format [PHC string](https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md).
+            You can use the packaged 'genhash' tool in this flake.nix to generate a hash
+            ```
+            # default values:
+            nix run gitlab:SpoodyTheOne/declarative-jellyfin#genhash -- \\
+              -k <password> \\
+              -i 210000 \\
+              -l 128 \\
+              -u
+            # Usage:
+            nix run gitlab:SpoodyTheOne/declarative-jellyfin#genhash -h
+
+            ```
+          '';
+          example = ''
+            # the format is: $<id>[$<param>=<value>(,<param>=<value>)*][$<salt>[$<hash>]]
+            $PBKDF2-SHA512$iterations=210000$D12C02D1DD15949D867BCA9971BE9987$67E75CDCD14E7F6FDDF96BAACBE9E84E5197FB9FE454FB039F5CD773D7DF558B57DC81DB42B6F7CF0E6B8207A771E5C0EE0DBFD91CE5BAF804FE53F70E61CD2E
+          '';
         };
         PasswordResetProviderId = mkOption {
           type = types.str;
diff --git a/modules/pbkdf2-sha512.nix b/modules/pbkdf2-sha512.nix
index b825342..a723d8c 100644
--- a/modules/pbkdf2-sha512.nix
+++ b/modules/pbkdf2-sha512.nix
@@ -11,8 +11,8 @@ pkgs.stdenv.mkDerivation rec {
   phases = ["buildPhase"];
 
   buildPhase = ''
-    mkdir -p $out
-    gcc $src -o $out/${name} -lnettle
+    mkdir -p $out/bin
+    gcc $src -o $out/bin/${name} -lnettle
     echo $out
   '';