8
+
cfg = config.networking.networkmanager;
9
+
toml = pkgs.formats.toml { };
11
+
enabled = (lib.length cfg.ensureProfiles.secrets.entries) > 0;
13
+
nmFileSecretAgentConfig = {
14
+
entry = builtins.map (
20
+
// lib.optionalAttrs (i.matchId != null) { match_id = i.matchId; }
21
+
// lib.optionalAttrs (i.matchUuid != null) { match_uuid = i.matchUuid; }
22
+
// lib.optionalAttrs (i.matchType != null) { match_type = i.matchType; }
23
+
// lib.optionalAttrs (i.matchIface != null) { match_iface = i.matchIface; }
24
+
// lib.optionalAttrs (i.matchSetting != null) {
25
+
match_setting = i.matchSetting;
27
+
) cfg.ensureProfiles.secrets.entries;
29
+
nmFileSecretAgentConfigFile = toml.generate "config.toml" nmFileSecretAgentConfig;
33
+
maintainers = [ lib.maintainers.lilioid ];
38
+
networking.networkmanager.ensureProfiles.secrets = {
39
+
package = lib.mkPackageOption pkgs "nm-file-secret-agent" { };
40
+
entries = lib.mkOption {
42
+
A list of secrets to provide to NetworkManager by reading their values from configured files.
44
+
Note that NetworkManager should be configured to read secrets from a secret agent.
45
+
This can be done for example through the `networking.networkmanager.ensureProfiles.profiles` options.
50
+
matchId = "My WireGuard VPN";
51
+
matchType = "wireguard";
52
+
matchSetting = "wireguard";
53
+
key = "private-key";
54
+
file = "/root/wireguard_key";
57
+
type = lib.types.listOf (
58
+
lib.types.submodule {
60
+
matchId = lib.mkOption {
62
+
connection id used by NetworkManager. Often displayed as name in GUIs.
64
+
NetworkManager describes this as a human readable unique identifier for the connection, like "Work Wi-Fi" or "T-Mobile 3G".
66
+
type = lib.types.nullOr lib.types.str;
70
+
matchUuid = lib.mkOption {
72
+
UUID of the connection profile
74
+
UUIDs are assigned once on connection creation and should never change as long as the connection still applies to the same network.
76
+
type = lib.types.nullOr lib.types.str;
78
+
example = "669ea4c9-4cb3-4901-ab52-f9606590976e";
80
+
matchType = lib.mkOption {
82
+
NetworkManager connection type
84
+
The NetworkManager configuration settings reference roughly corresponds to connection types.
85
+
More might be available on your system depending on the installed plugins.
87
+
https://networkmanager.dev/docs/api/latest/ch01.html
89
+
type = lib.types.nullOr lib.types.str;
91
+
example = "wireguard";
93
+
matchIface = lib.mkOption {
94
+
description = "interface name of the NetworkManager connection";
95
+
type = lib.types.nullOr lib.types.str;
98
+
matchSetting = lib.mkOption {
99
+
description = "name of the setting section for which secrets are requested";
100
+
type = lib.types.nullOr lib.types.str;
103
+
key = lib.mkOption {
104
+
description = "key in the setting section for which this entry provides a value";
105
+
type = lib.types.str;
107
+
file = lib.mkOption {
108
+
description = "file from which the secret value is read";
109
+
type = lib.types.str;
118
+
####### implementation
119
+
config = lib.mkIf enabled {
120
+
# start nm-file-secret-agent if required
121
+
systemd.services."nm-file-secret-agent" = {
122
+
description = "NetworkManager secret agent that responds with the content of preconfigured files";
123
+
documentation = [ "https://github.com/lilioid/nm-file-secret-agent/" ];
124
+
requires = [ "NetworkManager.service" ];
125
+
after = [ "NetworkManager.service" ];
126
+
wantedBy = [ "multi-user.target" ];
127
+
restartTriggers = [ nmFileSecretAgentConfigFile ];
128
+
script = "${lib.getExe cfg.ensureProfiles.secrets.package} --conf ${nmFileSecretAgentConfigFile}";