extract module 'deployment/nixops.nix', add option 'deployment.secretsDir'

2020-02-26 17:11:19 +01:00 · 2020-02-26 17:11:19 +01:00 · 0c0978c007
parent 87d0286498
commit 0c0978c007
3 changed files with 40 additions and 26 deletions
--- a/examples/nixops/node.nix
+++ b/examples/nixops/node.nix
@ -1,31 +1,13 @@
 {
  network.description = "Bitcoin Core node";

-  bitcoin-node =
-    { config, pkgs, lib, ... }: {
-      imports = [ ../configuration.nix <nix-bitcoin/modules/nix-bitcoin.nix> ];
+  bitcoin-node = { config, pkgs, lib, ... }: {
+    imports = [
+      ../configuration.nix
+      <nix-bitcoin/modules/nix-bitcoin.nix>
+      <nix-bitcoin/modules/deployment/nixops.nix>
+    ];

-      deployment.keys = builtins.mapAttrs (n: v: {
-        keyFile = "${toString ../secrets}/${n}";
-        destDir = config.nix-bitcoin.secretsDir;
-        inherit (v) user group permissions;
-      }) config.nix-bitcoin.secrets;
-
-      # nixops makes the secrets directory accessible only for users with group 'key'.
-      # For compatibility with other deployment methods besides nixops, we forego the
-      # use of the 'key' group and make the secrets dir world-readable instead.
-      # This is safe because all containing files have their specific private
-      # permissions set.
-      systemd.services.allowSecretsDirAccess = {
-        requires = [ "keys.target" ];
-        after = [ "keys.target" ];
-        script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
-        serviceConfig.Type = "oneshot";
-      };
-
-      systemd.targets.nix-bitcoin-secrets = {
-        requires = [ "allowSecretsDirAccess.service" ];
-        after = [ "allowSecretsDirAccess.service" ];
-      };
-    };
+    nix-bitcoin.deployment.secretsDir = toString ../secrets;
+  };
 }
--- a/modules/deployment/nixops.nix
+++ b/modules/deployment/nixops.nix
@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  deployment.keys = builtins.mapAttrs (n: v: {
+    keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
+    destDir = config.nix-bitcoin.secretsDir;
+    inherit (v) user group permissions;
+  }) config.nix-bitcoin.secrets;
+
+  # nixops makes the secrets directory accessible only for users with group 'key'.
+  # For compatibility with other deployment methods besides nixops, we forego the
+  # use of the 'key' group and make the secrets dir world-readable instead.
+  # This is safe because all containing files have their specific private
+  # permissions set.
+  systemd.services.allowSecretsDirAccess = {
+    requires = [ "keys.target" ];
+    after = [ "keys.target" ];
+    script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
+    serviceConfig.Type = "oneshot";
+  };
+
+  systemd.targets.nix-bitcoin-secrets = {
+    requires = [ "allowSecretsDirAccess.service" ];
+    after = [ "allowSecretsDirAccess.service" ];
+  };
+}
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -15,6 +15,13 @@ in
      description = "Directory to store secrets";
    };

+    deployment.secretsDir = mkOption {
+      type = types.path;
+      description = ''
+        Directory of local secrets that are transfered to the nix-bitcoin node on deployment
+      '';
+    };
+
    secrets = mkOption {
      default = {};
      type = with types; attrsOf (submodule (