first pass at outboard secrets

- a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up
2024-08-12 22:57:21 +01:00
parent ff3a1905a5
commit 4fb8253e57
4 changed files with 103 additions and 10 deletions
--- a/examples/router-with-l2tp.nix
+++ b/examples/router-with-l2tp.nix
@@ -54,10 +54,23 @@ in rec {
    ../modules/ppp
    ../modules/round-robin
    ../modules/health-check
+    ../modules/secrets
    ../modules/profiles/gateway.nix
  ];
  hostname = "thing";

+  services.wan-address-for-secrets = svc.network.address.build {
+    interface = config.hardware.networkInterfaces.wan;
+    family = "inet"; address ="10.0.0.10"; prefixLength = 24;
+  };
+
+  services.secrets = svc.secrets.outboard.build {
+    name = "secret-service";
+    url = "http://10.0.0.1/liminix/examples/secrets.json";
+    interval = 5;
+    dependencies = [ services.wan-address-for-secrets ];
+  };
+
  services.wwan = svc.wwan.huawei-e3372.build {
    apn = "data.uk";
    username = "user";
@@ -139,7 +152,13 @@ in rec {
        hw_mode = "g";
        channel = "6";
        ieee80211n = 1;
-      } // wirelessConfig;
+      } // wirelessConfig //{
+        wpa_passphrase = {
+          service = config.services.secrets;
+          path = "wpa_passphrase";
+        };
+      };
+
      "${rsecrets.ssid}5" = rec {
        interface = config.hardware.networkInterfaces.wlan5;
        hw_mode = "a";
@@ -149,7 +168,12 @@ in rec {
        vht_oper_centr_freq_seg0_idx = channel + 6;
        ieee80211n = 1;
        ieee80211ac = 1;
-      } // wirelessConfig;
+      } // wirelessConfig // {
+        wpa_passphrase = {
+          service = config.services.secrets;
+          path = "wpa_passphrase";
+        };
+      };
    };
  };