add secrets-subscriber service, make hostapd use it

2024-08-15 23:00:41 +01:00
parent d79a941504
commit e2c883356c
6 changed files with 76 additions and 22 deletions
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -14,6 +14,10 @@ in {
      description = "fetch secrets from external vault with https";
      type = liminix.lib.types.serviceDefn;
    };
+    subscriber = mkOption {
+      description = "wrapper around a service that needs notifying (e.g. restarting) when secrets change";
+      type = liminix.lib.types.serviceDefn;
+    };

  };
  config.system.service.secrets = {
@@ -32,5 +36,31 @@ in {
        description = "how often to check the source, in minutes";
      };
    };
+    subscriber = config.system.callService ./subscriber.nix {
+      watch = {
+        service = mkOption {
+          description = "secrets service to subscribe to";
+          type = liminix.lib.types.service;
+        };
+        paths = mkOption {
+          description = "list of output paths we are interested in";
+          example = ["wan/l2tp" "wifi/wlan5"];
+          type = types.listOf types.str;
+        };
+      };
+      service = mkOption {
+        description = "subscribing service that will receive notification";
+        type = liminix.lib.types.service;
+      };
+      action = mkOption {
+        description = "how do we notify the service to regenerate its config";
+        default = "restart-all";
+        type = types.enum [
+          "restart" "restart-all"
+          "hup" "int" "quit" "kill" "term"
+          "winch" "usr1" "usr2"
+        ];
+      };
+    };
  };
 }
--- a/modules/secrets/subscriber.nix
+++ b/modules/secrets/subscriber.nix
@@ -0,0 +1,23 @@
+{
+  liminix, lib, lim, s6, s6-rc, watch-outputs
+}:
+{ watch, service, action } :
+let
+  inherit (liminix.services) oneshot longrun;
+  inherit (builtins) toString;
+  inherit (service) name;
+  watcher = let name' = "check-${name}"; in longrun {
+    name = name';
+    run = ''
+      dir=/run/service/${name}
+      echo waiting for $dir
+      if test -e $dir/notification-fd; then flag="-U"; else flag="-u"; fi
+      ${s6}/bin/s6-svwait $flag /run/service/${name} || exit
+      PATH=${s6-rc}/bin:${s6}/bin:$PATH
+      ${watch-outputs}/bin/watch-outputs -r ${name} ${watch.service} ${lib.concatStringsSep " " watch.paths}
+    '';
+  };
+in service.overrideAttrs(o: {
+  buildInputs =  (lim.orEmpty o.buildInputs) ++ [ watcher ];
+  dependencies = (lim.orEmpty o.dependencies) ++ [ watcher ];
+})