add secrets-subscriber service, make hostapd use it

2024-08-15 23:00:41 +01:00
parent d79a941504
commit e2c883356c
6 changed files with 76 additions and 22 deletions
--- a/modules/hostapd/default.nix
+++ b/modules/hostapd/default.nix
@@ -16,6 +16,7 @@ let
  inherit (lib) mkOption types;
  inherit (pkgs) liminix;
 in {
+  imports = [ ../secrets ];
  options = {
    system.service.hostapd = mkOption {
      type = liminix.lib.types.serviceDefn;
--- a/modules/hostapd/service.nix
+++ b/modules/hostapd/service.nix
@@ -1,5 +1,6 @@
 {
  liminix
+, svc
 , hostapd
 , output-template
 , writeText
@@ -39,13 +40,21 @@ let
        (mapAttrsToList
          format_value
          attrs)) + "\n"));
-in longrun {
-  inherit name;
-  dependencies = [ interface ];
-  run = ''
-    mkdir -p /run/${name}
-    chmod 0700 /run/${name}
-    ${output-template}/bin/output-template '{{' '}}'  < ${conf}  > /run/${name}/hostapd.conf
-    exec ${hostapd}/bin/hostapd -i $(output ${interface} ifname)  -P /run/${name}/hostapd.pid -S /run/${name}/hostapd.conf
-  '';
+  service = longrun {
+    inherit name;
+    dependencies = [ interface ];
+    run = ''
+      mkdir -p /run/${name}
+      chmod 0700 /run/${name}
+      ${output-template}/bin/output-template '{{' '}}'  < ${conf}  > /run/${name}/hostapd.conf
+      exec ${hostapd}/bin/hostapd -i $(output ${interface} ifname)  -P /run/${name}/hostapd.pid -S /run/${name}/hostapd.conf
+    '';
+  };
+in svc.secrets.subscriber.build {
+  watch = {
+    service = attrs.wpa_passphrase.service;
+    paths = ["wpa_passphrase"];
+  };
+  inherit service;
+  action = "restart-all";
 }
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -14,6 +14,10 @@ in {
      description = "fetch secrets from external vault with https";
      type = liminix.lib.types.serviceDefn;
    };
+    subscriber = mkOption {
+      description = "wrapper around a service that needs notifying (e.g. restarting) when secrets change";
+      type = liminix.lib.types.serviceDefn;
+    };

  };
  config.system.service.secrets = {
@@ -32,5 +36,31 @@ in {
        description = "how often to check the source, in minutes";
      };
    };
+    subscriber = config.system.callService ./subscriber.nix {
+      watch = {
+        service = mkOption {
+          description = "secrets service to subscribe to";
+          type = liminix.lib.types.service;
+        };
+        paths = mkOption {
+          description = "list of output paths we are interested in";
+          example = ["wan/l2tp" "wifi/wlan5"];
+          type = types.listOf types.str;
+        };
+      };
+      service = mkOption {
+        description = "subscribing service that will receive notification";
+        type = liminix.lib.types.service;
+      };
+      action = mkOption {
+        description = "how do we notify the service to regenerate its config";
+        default = "restart-all";
+        type = types.enum [
+          "restart" "restart-all"
+          "hup" "int" "quit" "kill" "term"
+          "winch" "usr1" "usr2"
+        ];
+      };
+    };
  };
 }
--- a/modules/secrets/subscriber.nix
+++ b/modules/secrets/subscriber.nix
@@ -0,0 +1,23 @@
+{
+  liminix, lib, lim, s6, s6-rc, watch-outputs
+}:
+{ watch, service, action } :
+let
+  inherit (liminix.services) oneshot longrun;
+  inherit (builtins) toString;
+  inherit (service) name;
+  watcher = let name' = "check-${name}"; in longrun {
+    name = name';
+    run = ''
+      dir=/run/service/${name}
+      echo waiting for $dir
+      if test -e $dir/notification-fd; then flag="-U"; else flag="-u"; fi
+      ${s6}/bin/s6-svwait $flag /run/service/${name} || exit
+      PATH=${s6-rc}/bin:${s6}/bin:$PATH
+      ${watch-outputs}/bin/watch-outputs -r ${name} ${watch.service} ${lib.concatStringsSep " " watch.paths}
+    '';
+  };
+in service.overrideAttrs(o: {
+  buildInputs =  (lim.orEmpty o.buildInputs) ++ [ watcher ];
+  dependencies = (lim.orEmpty o.dependencies) ++ [ watcher ];
+})