nixos/networkmanager: add nm-file-secret-agent options

nm-file-secret agent is a small agent that can supply secrets of connection profiles to NetworkManager by reading the contents of preconfigured files. These files could be supplied e.g. by nixos-sops or any other mechanism.
2025-06-14 05:29:20 +03:00 · 2024-11-01 19:12:59 +01:00 · 2024-11-01 19:12:59 +01:00 · 24e0db1ba9
commit 24e0db1ba9
parent 904ffed79e
2 changed files with 132 additions and 0 deletions
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1146,6 +1146,7 @@
  ./services/networking/nixops-dns.nix
  ./services/networking/nncp.nix
  ./services/networking/nntp-proxy.nix
+  ./services/networking/nm-file-secret-agent.nix
  ./services/networking/nomad.nix
  ./services/networking/nsd.nix
  ./services/networking/ntopng.nix
--- a/nixos/modules/services/networking/nm-file-secret-agent.nix
+++ b/nixos/modules/services/networking/nm-file-secret-agent.nix
@ -0,0 +1,131 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.networking.networkmanager;
+  toml = pkgs.formats.toml { };
+
+  enabled = (lib.length cfg.ensureProfiles.secrets.entries) > 0;
+
+  nmFileSecretAgentConfig = {
+    entry = builtins.map (
+      i:
+      {
+        key = i.key;
+        file = i.file;
+      }
+      // lib.optionalAttrs (i.matchId != null) { match_id = i.matchId; }
+      // lib.optionalAttrs (i.matchUuid != null) { match_uuid = i.matchUuid; }
+      // lib.optionalAttrs (i.matchType != null) { match_type = i.matchType; }
+      // lib.optionalAttrs (i.matchIface != null) { match_iface = i.matchIface; }
+      // lib.optionalAttrs (i.matchSetting != null) {
+        match_setting = i.matchSetting;
+      }
+    ) cfg.ensureProfiles.secrets.entries;
+  };
+  nmFileSecretAgentConfigFile = toml.generate "config.toml" nmFileSecretAgentConfig;
+in
+{
+  meta = {
+    maintainers = [ lib.maintainers.lilioid ];
+  };
+
+  ####### interface
+  options = {
+    networking.networkmanager.ensureProfiles.secrets = {
+      package = lib.mkPackageOption pkgs "nm-file-secret-agent" { };
+      entries = lib.mkOption {
+        description = ''
+          A list of secrets to provide to NetworkManager by reading their values from configured files.
+
+          Note that NetworkManager should be configured to read secrets from a secret agent.
+          This can be done for example through the `networking.networkmanager.ensureProfiles.profiles` options.
+        '';
+        default = [ ];
+        example = [
+          {
+            matchId = "My WireGuard VPN";
+            matchType = "wireguard";
+            matchSetting = "wireguard";
+            key = "private-key";
+            file = "/root/wireguard_key";
+          }
+        ];
+        type = lib.types.listOf (
+          lib.types.submodule {
+            options = {
+              matchId = lib.mkOption {
+                description = ''
+                  connection id used by NetworkManager. Often displayed as name in GUIs.
+
+                  NetworkManager describes this as a human readable unique identifier for the connection, like "Work Wi-Fi" or "T-Mobile 3G".
+                '';
+                type = lib.types.nullOr lib.types.str;
+                default = null;
+                example = "wifi1";
+              };
+              matchUuid = lib.mkOption {
+                description = ''
+                  UUID of the connection profile
+
+                  UUIDs are assigned once on connection creation and should never change as long as the connection still applies to the same network.
+                '';
+                type = lib.types.nullOr lib.types.str;
+                default = null;
+                example = "669ea4c9-4cb3-4901-ab52-f9606590976e";
+              };
+              matchType = lib.mkOption {
+                description = ''
+                  NetworkManager connection type
+
+                  The NetworkManager configuration settings reference roughly corresponds to connection types.
+                  More might be available on your system depending on the installed plugins.
+
+                  https://networkmanager.dev/docs/api/latest/ch01.html
+                '';
+                type = lib.types.nullOr lib.types.str;
+                default = null;
+                example = "wireguard";
+              };
+              matchIface = lib.mkOption {
+                description = "interface name of the NetworkManager connection";
+                type = lib.types.nullOr lib.types.str;
+                default = null;
+              };
+              matchSetting = lib.mkOption {
+                description = "name of the setting section for which secrets are requested";
+                type = lib.types.nullOr lib.types.str;
+                default = null;
+              };
+              key = lib.mkOption {
+                description = "key in the setting section for which this entry provides a value";
+                type = lib.types.str;
+              };
+              file = lib.mkOption {
+                description = "file from which the secret value is read";
+                type = lib.types.str;
+              };
+            };
+          }
+        );
+      };
+    };
+  };
+
+  ####### implementation
+  config = lib.mkIf enabled {
+    # start nm-file-secret-agent if required
+    systemd.services."nm-file-secret-agent" = {
+      description = "NetworkManager secret agent that responds with the content of preconfigured files";
+      documentation = [ "https://github.com/lilioid/nm-file-secret-agent/" ];
+      requires = [ "NetworkManager.service" ];
+      after = [ "NetworkManager.service" ];
+      wantedBy = [ "multi-user.target" ];
+      restartTriggers = [ nmFileSecretAgentConfigFile ];
+      script = "${lib.getExe cfg.ensureProfiles.secrets.package} --conf ${nmFileSecretAgentConfigFile}";
+    };
+  };
+}