Load wireless credentials

.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &macronova age1sy52xwldc7puckze2kcax7csc2nrg049y9nt2qd0ltvghckms5nq2d25ra
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+    - age:
+      - *macronova

Cargo.lock

@@ -826,6 +826,12 @@ dependencies = [
  "either",
 ]
 
+[[package]]
+name = "itoa"
+version = "1.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b"
+
 [[package]]
 name = "lalrpop"
 version = "0.19.12"
@@ -1025,6 +1031,8 @@ dependencies = [
  "log",
  "panic-halt",
  "portable-atomic",
+ "serde",
+ "serde_yaml",
  "static_cell",
 ]
 
@@ -1241,6 +1249,12 @@ version = "1.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "955d28af4278de8121b7ebeb796b6a45735dc01436d898801014aced2773a3d6"
 
+[[package]]
+name = "ryu"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
+
 [[package]]
 name = "scopeguard"
 version = "1.2.0"
@@ -1288,6 +1302,19 @@ dependencies = [
  "syn 2.0.79",
 ]
 
+[[package]]
+name = "serde_yaml"
+version = "0.9.34+deprecated"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
+dependencies = [
+ "indexmap",
+ "itoa",
+ "ryu",
+ "serde",
+ "unsafe-libyaml",
+]
+
 [[package]]
 name = "siphasher"
 version = "0.3.11"
@@ -1448,6 +1475,12 @@ version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
 
+[[package]]
+name = "unsafe-libyaml"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
+
 [[package]]
 name = "usb-device"
 version = "0.3.2"

Cargo.toml

@@ -4,6 +4,10 @@ version = "0.1.0"
 edition = "2021"
 license = "MIT"
 
+[build-dependencies]
+serde = { version = "*", features = ["derive"] }
+serde_yaml = "*"
+
 [dependencies]
 cortex-m-rt = "*"
 cyw43 = "*"

build.rs

@@ -1,33 +1,58 @@
-//! This build script copies the `memory.x` file from the crate root into
+use std::collections::HashMap;
-//! a directory where the linker can always find it at build time.
-//! For many projects this is optional, as the linker always searches the
-//! project root directory -- wherever `Cargo.toml` is. However, if you
-//! are using a workspace or have a more complicated build setup, this
-//! build script becomes required. Additionally, by requesting that
-//! Cargo re-run the build script whenever `memory.x` is changed,
-//! updating `memory.x` ensures a rebuild of the application with the
-//! new memory settings.
-
 use std::env;
 use std::fs::File;
 use std::io::Write;
 use std::path::PathBuf;
+use std::process::Command;
+
+use serde::Deserialize;
+
+#[derive(Default, Deserialize)]
+struct WirelessCredentials {
+    wireless_credentials: HashMap<String, String>,
+}
+
+fn load_wireless_credentials() -> Option<WirelessCredentials> {
+    let yaml_string = String::from_utf8(
+        Command::new("sops")
+            .arg("-d")
+            .arg("secrets.yaml")
+            .output()
+            .ok()?
+            .stdout,
+    )
+    .ok()?;
+
+    serde_yaml::from_str(&yaml_string).ok()
+}
 
 fn main() {
-    // Put `memory.x` in our output directory and ensure it's
-    // on the linker search path.
     let out = &PathBuf::from(env::var_os("OUT_DIR").unwrap());
+
     File::create(out.join("memory.x"))
         .unwrap()
         .write_all(include_bytes!("memory.x"))
         .unwrap();
     println!("cargo:rustc-link-search={}", out.display());
 
-    // By default, Cargo will re-run a build script whenever
+    let credentials = load_wireless_credentials()
-    // any file in the project changes. By specifying `memory.x`
+        .unwrap_or_default()
-    // here, we ensure the build script is only re-run when
+        .wireless_credentials;
-    // `memory.x` is changed.
+
+    let credential_entries: Vec<String> = credentials
+        .into_iter()
+        .map(|(ssid, password)| format!("(\"{ssid}\", \"{password}\")"))
+        .collect();
+
+    let credential_slice_string = format!("[{}]", credential_entries.join(", "));
+
+    File::create(out.join("wireless-credentials.rs"))
+        .unwrap()
+        .write_all(credential_slice_string.as_bytes())
+        .unwrap();
+
     println!("cargo:rerun-if-changed=memory.x");
+    println!("cargo:rerun-if-changed=secrets.yaml");
 
     println!("cargo:rustc-link-arg-bins=--nmagic");
     println!("cargo:rustc-link-arg-bins=-Tlink.x");

flake.nix

@@ -26,6 +26,7 @@
         packages = with pkgs; [
           elf2uf2-rs
           fenixPkgs.rust-analyzer
+          sops
         ];
         RUST_SRC_PATH = "${fenixPkgs.complete.rust-src}/lib/rustlib/src/rust/library";
       };

secrets.yaml

@@ -0,0 +1,23 @@
+wireless_credentials:
+    telescope: ENC[AES256_GCM,data:gEzvqWC95+bjrg==,iv:iP2XBs9GC1mPIAdVQiyng/Lthm3kCH7EWmdSmOy+h4c=,tag:Xr264zlPYP6dqPp7rBAywQ==,type:str]
+    chroma: ENC[AES256_GCM,data:tpG8VPdXN506dg==,iv:rzZAb7Vge8UouBHYVl3UkAs6JqaoOEEBgw7xkxTuIdI=,tag:Pr0KbwoVXk4hsrPKt84wVA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1sy52xwldc7puckze2kcax7csc2nrg049y9nt2qd0ltvghckms5nq2d25ra
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcmZScFFhWVJhakJEQWZp
+            cTFWNzlIVm9xeXFMZXFSdk1UWndFbE1tRm5vCmNMc0FMQVdyMkZKYzJnTlora0Zy
+            Tmp1enZHMUpnbnRYM1pTenpNTEw4RWcKLS0tIDFEVitVbldhNWdkb29QVGJWa1Rk
+            YVZUZFZyNmJmRk5tQVNJMkk2S0p2UVkKx2i/QAo3c0IGS3sgeYyafm8zezQu50WT
+            VVaHxHfCVIvlrPV7eniofG3CF3R9vgcOLVMA/2I5p6RUttWSqlwnYg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-13T07:05:11Z"
+    mac: ENC[AES256_GCM,data:1ZVeiENo2l7ldHodx1j52CtNw0dpJD1Kz9GkvXpXsAxV4PunwIv8iDpzq20cHClXWZJjsY0HEwBcHwup9qgvCaFs9HDpMBV8Ps67uP2m+OAV2RKMf86xXj5D6DbsmwHLn2xQd+voHurn36FPAxlLT1HUUSwCbtRsEG72xS3wgq0=,iv:TLN1jr0ONuLcrRrx6H4VdCLunfAl4tqUil+YgjXyyhg=,tag:S41L3A3CwW+bBeJL/DnqFw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

src/main.rs

@@ -15,6 +15,9 @@ use embassy_time::Timer;
 use log::info;
 use static_cell::StaticCell;
 
+const WIFI_CREDENTIALS: &[(&str, &str)] =
+    &include!(concat!(env!("OUT_DIR"), "/wireless-credentials.rs"));
+
 // bind interrupt request to handler
 bind_interrupts!(struct Irqs {
     PIO0_IRQ_0 => pio::InterruptHandler<PIO0>;
@@ -89,8 +92,10 @@ async fn main(spawner: Spawner) {
     // time to blink
     let mut led = false;
     loop {
+        for (k, v) in WIFI_CREDENTIALS {
+            info!("{k}: {v}");
+        }
         led = !led;
-        info!("LED: {}", led);
         control.gpio_set(0, led).await;
         Timer::after_secs(1).await;
     }