first pass at outboard secrets

- a module to fetch them with http(s)
- a service using templating to consume them
- update an example to use it

needs service restarts
needs other services to use the template mechanism
needs tidying up

modules/secrets/default.nix

@@ -0,0 +1,36 @@
+## Secrets
+
+## various ways to manage secrets without writing them to the
+## nix store
+
+{ lib, pkgs, config, ...}:
+let
+  inherit (lib) mkOption types;
+  inherit (pkgs) liminix;
+  inherit (pkgs.liminix.services) longrun;
+in {
+  options.system.service.secrets = {
+    outboard = mkOption {
+      description = "fetch secrets from external vault with https";
+      type = liminix.lib.types.serviceDefn;
+    };
+
+  };
+  config.system.service.secrets = {
+    outboard = config.system.callService ./outboard.nix {
+      url = mkOption {
+        description = "source url";
+        type = types.strMatching "https?://.*";
+      };
+      name = mkOption {
+        description = "service name";
+        type = types.str;
+      };
+      interval =  mkOption {
+        type = types.int;
+        default = 30;
+        description = "how often to check the source, in minutes";
+      };
+    };
+  };
+}

modules/secrets/outboard.nix

@@ -0,0 +1,19 @@
+{
+  liminix, lib, http-fstree, serviceFns
+}:
+{ name, url, interval } :
+let
+  inherit (liminix.services) oneshot longrun;
+in longrun {
+  inherit name;
+  buildInputs = [ http-fstree ];
+  # this script runs once and expects the service superviser
+  # to restart it
+  run = ''
+    . ${serviceFns}
+    ( in_outputs ${name}
+      ${http-fstree}/bin/http-fstree ${url} .
+      sleep ${builtins.toString (interval * 60)}
+    )
+  '';
+}