liminix/modules/secrets/default.nix

## Secrets

## various ways to manage secrets without writing them to the
## nix store

{
  lib,
  pkgs,
  config,
  ...
}:
let
  inherit (lib) mkOption types;
  inherit (pkgs) liminix;
  inherit (pkgs.liminix.services) longrun;
in
{
  options.system.service.secrets = {
    outboard = mkOption {
      description = "fetch secrets from external vault with https";
      type = liminix.lib.types.serviceDefn;
    };
    tang = mkOption {
      description = "fetch secrets from encrypted local pathname, using tang";
      type = liminix.lib.types.serviceDefn;
    };
    subscriber = mkOption {
      description = "wrapper around a service that needs notifying (e.g. restarting) when secrets change";
      type = liminix.lib.types.serviceDefn;
    };

  };
  config.system.service.secrets = {
    outboard = config.system.callService ./outboard.nix {
      url = mkOption {
        description = "source url";
        type = types.strMatching "https?://.*";
      };
      username = mkOption {
        description = "username for HTTP basic auth";
        type = types.nullOr types.str;
      };
      password = mkOption {
        description = "password for HTTP basic auth";
        type = types.nullOr types.str;
      };
      name = mkOption {
        description = "service name";
        type = types.str;
      };
      interval = mkOption {
        type = types.int;
        default = 30;
        description = "how often to check the source, in minutes";
      };
    };
    tang = config.system.callService ./tang.nix {
      path = mkOption {
        description = "encrypted source pathname";
        type = types.path;
      };
      name = mkOption {
        description = "service name";
        type = types.str;
      };
      interval = mkOption {
        type = types.int;
        default = 30;
        description = "how often to check the source, in minutes";
      };
    };
    subscriber = config.system.callService ./subscriber.nix {
      watch = mkOption {
        description = "secrets paths to subscribe to";
        type = types.listOf (types.functionTo types.anything);
      };
      service = mkOption {
        description = "subscribing service that will receive notification";
        type = liminix.lib.types.service;
      };
      action = mkOption {
        description = "how do we notify the service to regenerate its config";
        default = "restart-all";
        type = types.enum [
          "restart"
          "restart-all"
          "hup"
          "int"
          "quit"
          "kill"
          "term"
          "winch"
          "usr1"
          "usr2"
        ];
      };
    };
  };
}
first pass at outboard secrets - a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up 2024-08-12 21:57:21 +00:00			`## Secrets`

			`## various ways to manage secrets without writing them to the`
			`## nix store`

nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`{`
			`lib,`
			`pkgs,`
			`config,`
			`...`
			`}:`
first pass at outboard secrets - a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up 2024-08-12 21:57:21 +00:00			`let`
			`inherit (lib) mkOption types;`
			`inherit (pkgs) liminix;`
			`inherit (pkgs.liminix.services) longrun;`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`in`
			`{`
first pass at outboard secrets - a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up 2024-08-12 21:57:21 +00:00			`options.system.service.secrets = {`
			`outboard = mkOption {`
			`description = "fetch secrets from external vault with https";`
			`type = liminix.lib.types.serviceDefn;`
			`};`
(untested) template service for tang encrypted secrets 2024-08-28 21:32:26 +00:00			`tang = mkOption {`
			`description = "fetch secrets from encrypted local pathname, using tang";`
			`type = liminix.lib.types.serviceDefn;`
			`};`
add secrets-subscriber service, make hostapd use it 2024-08-15 22:00:41 +00:00			`subscriber = mkOption {`
			`description = "wrapper around a service that needs notifying (e.g. restarting) when secrets change";`
			`type = liminix.lib.types.serviceDefn;`
			`};`
first pass at outboard secrets - a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up 2024-08-12 21:57:21 +00:00
			`};`
			`config.system.service.secrets = {`
			`outboard = config.system.callService ./outboard.nix {`
			`url = mkOption {`
			`description = "source url";`
			`type = types.strMatching "https?://.*";`
			`};`
(untested) http basic auth for outboard secrets 2024-08-28 19:53:59 +00:00			`username = mkOption {`
			`description = "username for HTTP basic auth";`
			`type = types.nullOr types.str;`
			`};`
			`password = mkOption {`
			`description = "password for HTTP basic auth";`
			`type = types.nullOr types.str;`
			`};`
(untested) template service for tang encrypted secrets 2024-08-28 21:32:26 +00:00			`name = mkOption {`
			`description = "service name";`
			`type = types.str;`
			`};`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`interval = mkOption {`
(untested) template service for tang encrypted secrets 2024-08-28 21:32:26 +00:00			`type = types.int;`
			`default = 30;`
			`description = "how often to check the source, in minutes";`
			`};`
			`};`
			`tang = config.system.callService ./tang.nix {`
			`path = mkOption {`
			`description = "encrypted source pathname";`
			`type = types.path;`
			`};`
first pass at outboard secrets - a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up 2024-08-12 21:57:21 +00:00			`name = mkOption {`
			`description = "service name";`
			`type = types.str;`
			`};`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`interval = mkOption {`
first pass at outboard secrets - a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up 2024-08-12 21:57:21 +00:00			`type = types.int;`
			`default = 30;`
			`description = "how often to check the source, in minutes";`
			`};`
			`};`
add secrets-subscriber service, make hostapd use it 2024-08-15 22:00:41 +00:00			`subscriber = config.system.callService ./subscriber.nix {`
move some secret-watching stuff from hostapd to secrets 2024-08-20 20:49:11 +00:00			`watch = mkOption {`
			`description = "secrets paths to subscribe to";`
finish converting outputRef to lambda 2024-08-30 19:46:48 +00:00			`type = types.listOf (types.functionTo types.anything);`
add secrets-subscriber service, make hostapd use it 2024-08-15 22:00:41 +00:00			`};`
			`service = mkOption {`
			`description = "subscribing service that will receive notification";`
			`type = liminix.lib.types.service;`
			`};`
			`action = mkOption {`
			`description = "how do we notify the service to regenerate its config";`
			`default = "restart-all";`
			`type = types.enum [`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`"restart"`
			`"restart-all"`
			`"hup"`
			`"int"`
			`"quit"`
			`"kill"`
			`"term"`
			`"winch"`
			`"usr1"`
			`"usr2"`
add secrets-subscriber service, make hostapd use it 2024-08-15 22:00:41 +00:00			`];`
			`};`
			`};`
first pass at outboard secrets - a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up 2024-08-12 21:57:21 +00:00			`};`
			`}`