nix-bitcoin/network/network.nix

{
  network.description = "Bitcoin Core node";

  bitcoin-node =
    { config, pkgs, lib, ... }: {
      imports = [ ../configuration.nix ];

      deployment.keys = builtins.mapAttrs (n: v: {
        keyFile = "${toString ../secrets}/${n}";
        destDir = config.nix-bitcoin.secretsDir;
        inherit (v) user group permissions;
      }) config.nix-bitcoin.secrets;

      # nixops makes the secrets directory accessible only for users with group 'key'.
      # For compatibility with other deployment methods besides nixops, we forego the
      # use of the 'key' group and make the secrets dir world-readable instead.
      # This is safe because all containing files have their specific private
      # permissions set.
      systemd.services.allowSecretsDirAccess = {
        requires = [ "keys.target" ];
        after = [ "keys.target" ];
        script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
        serviceConfig.Type = "oneshot";
      };

      systemd.targets.nix-bitcoin-secrets = {
        requires = [ "allowSecretsDirAccess.service" ];
        after = [ "allowSecretsDirAccess.service" ];
      };
    };
}
extract make-secrets.nix Needed by the next commit. 2019-11-27 05:04:26 -08:00			`{`
running bitcoin 2018-11-13 15:44:54 -08:00			`network.description = "Bitcoin Core node";`

Move deployment keys into network.nix 2018-12-06 03:33:13 -08:00			`bitcoin-node =`
add nix-bitcoin-secrets.target Remove use of nixops-specific 'keys' group and key services. Instead: - Add nix-bitcoin-secrets.target, which should be required by all units that depend on secrets. (To keep it simple, it's okay to meet the secrets dependency indirectly by e.g. depending on bitcoind.) Various secret deployment methods can use this target by setting up the secrets before activating the target. In case of nixops we just specify that nixops' keys.target comes before nix-bitcoin-secrets.target. If the target is left undefined in the case of manual secrets deployment, systemd will simply ignore unit dependencies on the target. - Allow all users to access the secrets dir. The access protection for the individual secret files is unchanged. This allows us to drop the unit dependency on the nixops 'keys' group. 2019-11-27 05:04:19 -08:00			`{ config, pkgs, lib, ... }: {`
network.nix: simplify import of main config 2019-11-27 05:04:18 -08:00			`imports = [ ../configuration.nix ];`

simplify secrets file format Each secret file to be deployed is now backed by one local file. This simplifies 'setup-secrets' and the secret definitions. Also, with the old format it was not possible to add new secrets to secrets.nix in a simple way. Old secrets are automatically converted to the new format when running nix-shell. Using the new option 'nix-bitcoin.secrets', secrets are now directly defined by the services that use them. 2020-01-12 11:52:38 -08:00			`deployment.keys = builtins.mapAttrs (n: v: {`
			`keyFile = "${toString ../secrets}/${n}";`
make secrets dir location configurable Users of the nix-bitcoin modules shouldn't be forced to add an extra dir under root. The secrets location is unchanged for the default node config. 2020-01-12 11:52:39 -08:00			`destDir = config.nix-bitcoin.secretsDir;`
simplify secrets file format Each secret file to be deployed is now backed by one local file. This simplifies 'setup-secrets' and the secret definitions. Also, with the old format it was not possible to add new secrets to secrets.nix in a simple way. Old secrets are automatically converted to the new format when running nix-shell. Using the new option 'nix-bitcoin.secrets', secrets are now directly defined by the services that use them. 2020-01-12 11:52:38 -08:00			`inherit (v) user group permissions;`
			`}) config.nix-bitcoin.secrets;`
add nix-bitcoin-secrets.target Remove use of nixops-specific 'keys' group and key services. Instead: - Add nix-bitcoin-secrets.target, which should be required by all units that depend on secrets. (To keep it simple, it's okay to meet the secrets dependency indirectly by e.g. depending on bitcoind.) Various secret deployment methods can use this target by setting up the secrets before activating the target. In case of nixops we just specify that nixops' keys.target comes before nix-bitcoin-secrets.target. If the target is left undefined in the case of manual secrets deployment, systemd will simply ignore unit dependencies on the target. - Allow all users to access the secrets dir. The access protection for the individual secret files is unchanged. This allows us to drop the unit dependency on the nixops 'keys' group. 2019-11-27 05:04:19 -08:00
			`# nixops makes the secrets directory accessible only for users with group 'key'.`
			`# For compatibility with other deployment methods besides nixops, we forego the`
			`# use of the 'key' group and make the secrets dir world-readable instead.`
			`# This is safe because all containing files have their specific private`
			`# permissions set.`
			`systemd.services.allowSecretsDirAccess = {`
			`requires = [ "keys.target" ];`
			`after = [ "keys.target" ];`
make secrets dir location configurable Users of the nix-bitcoin modules shouldn't be forced to add an extra dir under root. The secrets location is unchanged for the default node config. 2020-01-12 11:52:39 -08:00			`script = "chmod o+x ${config.nix-bitcoin.secretsDir}";`
add nix-bitcoin-secrets.target Remove use of nixops-specific 'keys' group and key services. Instead: - Add nix-bitcoin-secrets.target, which should be required by all units that depend on secrets. (To keep it simple, it's okay to meet the secrets dependency indirectly by e.g. depending on bitcoind.) Various secret deployment methods can use this target by setting up the secrets before activating the target. In case of nixops we just specify that nixops' keys.target comes before nix-bitcoin-secrets.target. If the target is left undefined in the case of manual secrets deployment, systemd will simply ignore unit dependencies on the target. - Allow all users to access the secrets dir. The access protection for the individual secret files is unchanged. This allows us to drop the unit dependency on the nixops 'keys' group. 2019-11-27 05:04:19 -08:00			`serviceConfig.Type = "oneshot";`
			`};`

			`systemd.targets.nix-bitcoin-secrets = {`
			`requires = [ "allowSecretsDirAccess.service" ];`
			`after = [ "allowSecretsDirAccess.service" ];`
			`};`
network.nix: simplify import of main config 2019-11-27 05:04:18 -08:00			`};`
running bitcoin 2018-11-13 15:44:54 -08:00			`}`