There is nothing in this commit except for the changes made by `nix-shell -p nixfmt-rfc-style --run "nixfmt ."`. If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging.
## Secrets
|
|
|
|
## various ways to manage secrets without writing them to the
|
|
## nix store
|
|
|
|
{
|
|
lib,
|
|
pkgs,
|
|
config,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib) mkOption types;
|
|
inherit (pkgs) liminix;
|
|
inherit (pkgs.liminix.services) longrun;
|
|
in
|
|
{
|
|
options.system.service.secrets = {
|
|
outboard = mkOption {
|
|
description = "fetch secrets from external vault with https";
|
|
type = liminix.lib.types.serviceDefn;
|
|
};
|
|
tang = mkOption {
|
|
description = "fetch secrets from encrypted local pathname, using tang";
|
|
type = liminix.lib.types.serviceDefn;
|
|
};
|
|
subscriber = mkOption {
|
|
description = "wrapper around a service that needs notifying (e.g. restarting) when secrets change";
|
|
type = liminix.lib.types.serviceDefn;
|
|
};
|
|
|
|
};
|
|
config.system.service.secrets = {
|
|
outboard = config.system.callService ./outboard.nix {
|
|
url = mkOption {
|
|
description = "source url";
|
|
type = types.strMatching "https?://.*";
|
|
};
|
|
username = mkOption {
|
|
description = "username for HTTP basic auth";
|
|
type = types.nullOr types.str;
|
|
};
|
|
password = mkOption {
|
|
description = "password for HTTP basic auth";
|
|
type = types.nullOr types.str;
|
|
};
|
|
name = mkOption {
|
|
description = "service name";
|
|
type = types.str;
|
|
};
|
|
interval = mkOption {
|
|
type = types.int;
|
|
default = 30;
|
|
description = "how often to check the source, in minutes";
|
|
};
|
|
};
|
|
tang = config.system.callService ./tang.nix {
|
|
path = mkOption {
|
|
description = "encrypted source pathname";
|
|
type = types.path;
|
|
};
|
|
name = mkOption {
|
|
description = "service name";
|
|
type = types.str;
|
|
};
|
|
interval = mkOption {
|
|
type = types.int;
|
|
default = 30;
|
|
description = "how often to check the source, in minutes";
|
|
};
|
|
};
|
|
subscriber = config.system.callService ./subscriber.nix {
|
|
watch = mkOption {
|
|
description = "secrets paths to subscribe to";
|
|
type = types.listOf (types.functionTo types.anything);
|
|
};
|
|
service = mkOption {
|
|
description = "subscribing service that will receive notification";
|
|
type = liminix.lib.types.service;
|
|
};
|
|
action = mkOption {
|
|
description = "how do we notify the service to regenerate its config";
|
|
default = "restart-all";
|
|
type = types.enum [
|
|
"restart"
|
|
"restart-all"
|
|
"hup"
|
|
"int"
|
|
"quit"
|
|
"kill"
|
|
"term"
|
|
"winch"
|
|
"usr1"
|
|
"usr2"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
}
|