first pass at outboard secrets

- a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up
2024-08-12 22:57:21 +01:00
parent ff3a1905a5
commit 4fb8253e57
4 changed files with 103 additions and 10 deletions
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -0,0 +1,36 @@
+## Secrets
+
+## various ways to manage secrets without writing them to the
+## nix store
+
+{ lib, pkgs, config, ...}:
+let
+  inherit (lib) mkOption types;
+  inherit (pkgs) liminix;
+  inherit (pkgs.liminix.services) longrun;
+in {
+  options.system.service.secrets = {
+    outboard = mkOption {
+      description = "fetch secrets from external vault with https";
+      type = liminix.lib.types.serviceDefn;
+    };
+
+  };
+  config.system.service.secrets = {
+    outboard = config.system.callService ./outboard.nix {
+      url = mkOption {
+        description = "source url";
+        type = types.strMatching "https?://.*";
+      };
+      name = mkOption {
+        description = "service name";
+        type = types.str;
+      };
+      interval =  mkOption {
+        type = types.int;
+        default = 30;
+        description = "how often to check the source, in minutes";
+      };
+    };
+  };
+}