tangc: stop printing unexpected blank lines

instead of letting it read stdin, which I think may have been read
by a subprocess already sometimes?

modules/hostapd/service.nix

@@ -50,9 +50,8 @@ let
       exec ${hostapd}/bin/hostapd -i $(output ${interface} ifname) -P /run/${name}/hostapd.pid -S /run/${name}/hostapd.conf
     '';
   };
-  watch = filter (f: typeOf f == "set") (attrValues attrs);
+  watch = filter (f: typeOf f == "lambda") (attrValues attrs);
 in svc.secrets.subscriber.build {
-  inherit watch;
+  inherit service watch;
-  inherit service;
   action = "restart-all";
 }

modules/ppp/l2tp.nix

@@ -1,6 +1,7 @@
 {
   liminix
 , lib
+, svc
 , output-template
 , writeAshScript
 , writeText
@@ -78,16 +79,19 @@ let
     max redials = 2 # this gives 1 actual retry, as xl2tpd can't count
   '';
   control = "/run/${name}/control";
-in
+  service = longrun {
-longrun {
+    inherit name;
-  inherit name;
+    run = ''
-  run = ''
+      mkdir -p /run/${name}
-    mkdir -p /run/${name}
+      chmod 0700 /run/${name}
-    chmod 0700 /run/${name}
+      touch ${control}
-    touch ${control}
+      in_outputs ${name}
-    in_outputs ${name}
+      echo ${escapeShellArgs ppp-options'} | ${output-template}/bin/output-template '{{' '}}' > /run/${name}/ppp-options
-    echo ${escapeShellArgs ppp-options'} | ${output-template}/bin/output-template '{{' '}}' > /run/${name}/ppp-options
+      exec ${xl2tpd}/bin/xl2tpd -D -p /run/${name}/${name}.pid -c ${conf} -C ${control} 
-    exec ${xl2tpd}/bin/xl2tpd -D -p /run/${name}/${name}.pid -c ${conf} -C ${control} 
+    '';
-  '';
+    notification-fd = 10;
-  notification-fd = 10;
+  };
+in svc.secrets.subscriber.build {
+  watch = [ username password ];
+  inherit service;
 }

modules/ppp/pppoe.nix

@@ -1,5 +1,6 @@
 {
   liminix
+, svc
 , lib
 , output-template
 , ppp
@@ -66,19 +67,23 @@ let
         "logfd" "2"
        ];
   timeoutOpt = if lcpEcho.interval != null then "-T ${builtins.toString (4 * lcpEcho.interval)}" else "";
-in
+  service = longrun {
-longrun {
+    inherit name;
-  inherit name;
+    run = ''
-  run = ''
+      mkdir -p /run/${name}
-    mkdir -p /run/${name}
+      chmod 0700 /run/${name}
-    chmod 0700 /run/${name}
+      in_outputs ${name}
-    in_outputs ${name}
+      echo ${escapeShellArgs ppp-options'} | ${output-template}/bin/output-template '{{' '}}' > /run/${name}/ppp-options
-    echo ${escapeShellArgs ppp-options'} | ${output-template}/bin/output-template '{{' '}}' > /run/${name}/ppp-options
+      exec ${ppp}/bin/pppd pty "${pppoe}/bin/pppoe ${timeoutOpt}  -I $(output ${interface} ifname)" file /run/${name}/ppp-options
-    exec ${ppp}/bin/pppd pty "${pppoe}/bin/pppoe ${timeoutOpt}  -I $(output ${interface} ifname)" file /run/${name}/ppp-options
+    '';
-  '';
+    notification-fd = 10;
-  notification-fd = 10;
+    timeout-up = if lcpEcho.failure != null
-  timeout-up = if lcpEcho.failure != null
+                 then (10 + lcpEcho.failure * lcpEcho.interval) * 1000
-               then (10 + lcpEcho.failure * lcpEcho.interval) * 1000
+                 else 60 * 1000;
-               else 60 * 1000;
+    dependencies = [ interface ];
-  dependencies = [ interface ];
+  };
+in svc.secrets.subscriber.build {
+  watch = [ username password ];
+  inherit service;
+  action = "restart-all";
 }

modules/secrets/default.nix

@@ -66,7 +66,7 @@ in {
     subscriber = config.system.callService ./subscriber.nix {
       watch = mkOption {
         description = "secrets paths to subscribe to";
-        type = types.listOf types.attrs;
+        type = types.listOf (types.functionTo types.anything);
       };
       service = mkOption {
         description = "subscribing service that will receive notification";

modules/secrets/subscriber.nix

@@ -8,8 +8,8 @@ let
   inherit (lib) unique optional;
   inherit (service) name;
 
-  watched-services = unique (map (f: f.service) watch);
+  watched-services = unique (map (f: f "service") watch);
-  paths = unique (map (f: f.path) watch);
+  paths = unique (map (f: f "path") watch);
 
   restart-flag = {
     restart = "-r";

pkgs/default.nix

@@ -127,5 +127,4 @@ in {
   writeAshScript = callPackage ./write-ash-script { };
   writeAshScriptBin = callPackage ./write-ash-script/bin.nix { };
   writeFennel = callPackage ./write-fennel { };
-  writeFennelScript = callPackage ./write-fennel-script { };
 }

pkgs/ifwait/default.nix

@@ -1,15 +1,14 @@
 {
   netlink-lua,
-  writeFennelScript,
+  writeFennel,
   runCommand,
   anoia,
 }:
 runCommand "ifwait" { } ''
   mkdir -p $out/bin
   cp -p ${
-    writeFennelScript "ifwait" [
+    writeFennel "ifwait" {
-      anoia
+      packages = [ anoia netlink-lua ];
-      netlink-lua
+    } ./ifwait.fnl
-    ] ./ifwait.fnl
   } $out/bin/ifwait
 ''

pkgs/odhcp-script/default.nix

@@ -1,6 +1,8 @@
 {
-  writeFennelScript,
+  writeFennel,
   anoia,
   lualinux,
 }:
-writeFennelScript  "odhcpc-script" [anoia lualinux] ./odhcp6-script.fnl
+writeFennel  "odhcpc-script" {
+  packages = [anoia lualinux];
+} ./odhcp6-script.fnl

pkgs/systemconfig/default.nix

@@ -6,7 +6,7 @@
 
 {
   writeText,
-  writeFennelScript,
+  writeFennel,
   lib,
   s6-init-bin,
   closureInfo,
@@ -81,7 +81,7 @@ in attrset:
       cp $closure/store-paths $out/etc/nix-store-paths
       $STRIP --remove-section=.note  --remove-section=.comment --strip-all makedevs -o $out/bin/activate
       ln -s ${s6-init-bin}/bin/init $out/bin/init
-      cp -p ${writeFennelScript "restart-services" [] ./restart-services.fnl} $out/bin/restart-services
+      cp -p ${writeFennel "restart-services" {} ./restart-services.fnl} $out/bin/restart-services
       cat > $out/bin/install <<EOF
       #!/bin/sh -e
       prefix=\''${1-/}

pkgs/tangc/tangc.fnl

@@ -90,11 +90,20 @@
    }))
 
 (fn http-post [url body]
-  (json.decode
+  (match
    (http.request "POST" url
                  "" 0
                  "application/x-www-form-urlencoded"
-                 body)))
+                 body)
+   s (json.decode s)
+   (nil err) (error err)))
+
+
+(fn http-get [url body]
+  (match
+   (http.fetch url)
+   s (json.decode s)
+   (nil code msg) (error (.. "Error: " code ": " msg))))
 
 (fn decrypt []
   (let [b64 (base64 :url)
@@ -112,7 +121,7 @@
           jwk (jwk-exc-noi rep tmp)]
       (print (jwe-dec jwk ph undigested)))))
 
-(fn perform-encryption [jwks url]
+(fn perform-encryption [jwks url input]
   (let [enc (jose! [:jwk :use "-i-" "-r" "-u" "deriveKey" "-o-"]
                    (json.encode jwks))
         ;; adding a -s to jwk use will "Always output a JWKSet" which
@@ -131,8 +140,7 @@
                            :clevis {:pin "tang"
                                     :tang {:url url :adv jwks }}}}]
       (josep! [:jwe :enc "-i-" "-k-" "-I-" "-c"]
-              (.. (json.encode jwe) (json.encode jwk)
+              (.. (json.encode jwe) (json.encode jwk) input)))))
-                  (: (io.input) :read "*a"))))))
 
 (fn usage []
   (print "tangc\n=====\n")
@@ -141,23 +149,30 @@
              (json.encode {:url "http://tang.local"})))
   (print (%% "tangc encrypt %q < plaintext > filename.enc # encrypt"
              (json.encode {:thp "idGFpbiBhIHByZWJ1aWx0IGRhdGFiYXNlIGZyb20gaH"
-                           :url "http://tang.local"}))))
+                           :url "http://tang.local"})))
+  (os.exit 1))
 
 
 (fn encrypt [cfg]
   (let [{ : url : thp : adv } cfg
+        _  (or url (usage))
+        raw-input (: (io.input) :read "*a")
         b64 (base64 :url)
-        adv (or adv (json.decode (http.fetch (.. url "/adv/" (or thp "")))))]
+        adv (or adv (http-get (.. url "/adv/" (or thp ""))))]
     (assert adv.payload  "advertisement is malformed")
     (let [jwks (json.decode (b64:decode adv.payload))
           ver (jose! [:jwk :use "-i-" "-r" "-u" "verify" "-o-"]
                      (json.encode jwks))]
-      (print (josep! [:jws :ver "-i" (json.encode adv) "-k-" "-a"]
+      (match
-                     (json.encode ver)))
+          (josep! [:jws :ver "-i" (json.encode adv) "-k-" "-a"] (json.encode ver))
+        "" nil
+        str (error "jws verify of advertised keys failed: " str))
 
       (if (and thp (search-key ver thp))
-          (print (perform-encryption jwks url))
+          (: (io.output) :write (perform-encryption jwks url raw-input))
-          (print (.. "Thumbrints of advertised keys are listed below. Set the thp attribute to preferred key\n"
+          ;; the command line options are currently the same as clevis
+          ;; but unless I can greatly improve this wording, that's gonna change
+          (print (.. "\ntangc: Thumbprints of advertised keys are listed below. Rerun this command\nproviding the thp attribute to specify the preferred key\n\n"
                      (josep! [:jwk :thp "-i-" "-a" (. thumbprint-algs 1)] (json.encode ver))))))))
 
 
@@ -165,6 +180,6 @@
   (case arg
     ["decrypt"] (decrypt)
     ["encrypt" cfg] (encrypt (json.decode cfg))
-    _ (error "usage: tangc [decrypt] | [encrypt cfg]")))
+    _ (usage)))
 
 { : run }

tests/fennel/test.nix

@@ -5,10 +5,10 @@
 let
   overlay = import "${liminix}/overlay.nix";
   pkgs = import <nixpkgs> { overlays = [overlay]; };
-  script = pkgs.writeFennelScript "foo" [] ./hello.fnl;
+  script = pkgs.writeFennel "foo" {} ./hello.fnl;
   inherit (pkgs.lua.pkgs) fifo;
   netlink = pkgs.netlink-lua;
-  script2 = pkgs.writeFennelScript "foo2" [fifo netlink] ./hello.fnl;
+  script2 = pkgs.writeFennel "foo2" { packages = [fifo netlink];} ./hello.fnl;
 in pkgs.runCommand "check" {
   } ''
 set -e