add secrets-subscriber service, make hostapd use it

2024-08-15 23:00:41 +01:00 · 2024-08-15 23:00:41 +01:00 · e2c883356c
commit e2c883356c
parent d79a941504
6 changed files with 76 additions and 22 deletions
--- a/examples/router-with-l2tp.nix
+++ b/examples/router-with-l2tp.nix
@ -177,16 +177,6 @@ in rec {
    };
  };
  services.restart-on-change = longrun {
    name = "wlan0-restart-on-change";
    run = ''
      ${pkgs.watch-outputs}/bin/watch-outputs -r wlan0.link.hostapd ${config.services.secrets} wpa_passphrase
    '';
    dependencies = [
      config.services.hostap-liminix
      config.services.hostap-liminix5
    ];
  };
  services.bootstrap-dhcpc = svc.network.dhcp.client.build {
    interface = config.services.wwan;
--- a/modules/hostapd/default.nix
+++ b/modules/hostapd/default.nix
@ -16,6 +16,7 @@ let
  inherit (lib) mkOption types;
  inherit (pkgs) liminix;
 in {
  imports = [ ../secrets ];
  options = {
    system.service.hostapd = mkOption {
      type = liminix.lib.types.serviceDefn;
--- a/modules/hostapd/service.nix
+++ b/modules/hostapd/service.nix
@ -1,5 +1,6 @@
 {
  liminix
 , svc
 , hostapd
 , output-template
 , writeText
@ -39,13 +40,21 @@ let
        (mapAttrsToList
          format_value
          attrs)) + "\n"));
-in longrun {
+  service = longrun {
-  inherit name;
+    inherit name;
-  dependencies = [ interface ];
+    dependencies = [ interface ];
-  run = ''
+    run = ''
-    mkdir -p /run/${name}
+      mkdir -p /run/${name}
-    chmod 0700 /run/${name}
+      chmod 0700 /run/${name}
-    ${output-template}/bin/output-template '{{' '}}'  < ${conf}  > /run/${name}/hostapd.conf
+      ${output-template}/bin/output-template '{{' '}}'  < ${conf}  > /run/${name}/hostapd.conf
-    exec ${hostapd}/bin/hostapd -i $(output ${interface} ifname)  -P /run/${name}/hostapd.pid -S /run/${name}/hostapd.conf
+      exec ${hostapd}/bin/hostapd -i $(output ${interface} ifname)  -P /run/${name}/hostapd.pid -S /run/${name}/hostapd.conf
-  '';
+    '';
  };
 in svc.secrets.subscriber.build {
  watch = {
    service = attrs.wpa_passphrase.service;
    paths = ["wpa_passphrase"];
  };
  inherit service;
  action = "restart-all";
 }
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@ -14,6 +14,10 @@ in {
      description = "fetch secrets from external vault with https";
      type = liminix.lib.types.serviceDefn;
    };
    subscriber = mkOption {
      description = "wrapper around a service that needs notifying (e.g. restarting) when secrets change";
      type = liminix.lib.types.serviceDefn;
    };
  };
  config.system.service.secrets = {
@ -32,5 +36,31 @@ in {
        description = "how often to check the source, in minutes";
      };
    };
    subscriber = config.system.callService ./subscriber.nix {
      watch = {
        service = mkOption {
          description = "secrets service to subscribe to";
          type = liminix.lib.types.service;
        };
        paths = mkOption {
          description = "list of output paths we are interested in";
          example = ["wan/l2tp" "wifi/wlan5"];
          type = types.listOf types.str;
        };
      };
      service = mkOption {
        description = "subscribing service that will receive notification";
        type = liminix.lib.types.service;
      };
      action = mkOption {
        description = "how do we notify the service to regenerate its config";
        default = "restart-all";
        type = types.enum [
          "restart" "restart-all"
          "hup" "int" "quit" "kill" "term"
          "winch" "usr1" "usr2"
        ];
      };
    };
  };
 }
--- a/modules/secrets/subscriber.nix
+++ b/modules/secrets/subscriber.nix
@ -0,0 +1,23 @@
 {
  liminix, lib, lim, s6, s6-rc, watch-outputs
 }:
 { watch, service, action } :
 let
  inherit (liminix.services) oneshot longrun;
  inherit (builtins) toString;
  inherit (service) name;
  watcher = let name' = "check-${name}"; in longrun {
    name = name';
    run = ''
      dir=/run/service/${name}
      echo waiting for $dir
      if test -e $dir/notification-fd; then flag="-U"; else flag="-u"; fi
      ${s6}/bin/s6-svwait $flag /run/service/${name} || exit
      PATH=${s6-rc}/bin:${s6}/bin:$PATH
      ${watch-outputs}/bin/watch-outputs -r ${name} ${watch.service} ${lib.concatStringsSep " " watch.paths}
    '';
  };
 in service.overrideAttrs(o: {
  buildInputs =  (lim.orEmpty o.buildInputs) ++ [ watcher ];
  dependencies = (lim.orEmpty o.dependencies) ++ [ watcher ];
 })
--- a/pkgs/watch-outputs/watch-outputs.fnl
+++ b/pkgs/watch-outputs/watch-outputs.fnl
@ -33,12 +33,13 @@
               _ path (ipairs paths)]
    (or changed? (not (table= (dig old-tree path) (dig new-tree path))))))
 (fn %% [fmt ...] (string.format fmt ...))
 (fn do-action [action service]
  (case action
-    :restart (system "s6-svc -r /run/service/%s" service)
+    :restart (system (%% "s6-svc -r /run/service/%s" service))
-    :restart-all (system "s6-rc -b -d %q; s6-rc-up-tree %q" service service)
+    :restart-all (system (%% "s6-rc -b -d %q; s6-rc-up-tree %q" service service))
-    [:signal n] (system "s6-svc -s %d /run/service/%s" n service)))
+    [:signal n] (system (%% "s6-svc -s %d /run/service/%s" n service))))
 (fn run []
  (let [{