diff --git a/examples/nixops/node.nix b/examples/nixops/node.nix
index e183870..a29cbf0 100644
--- a/examples/nixops/node.nix
+++ b/examples/nixops/node.nix
@@ -1,31 +1,13 @@
 {
   network.description = "Bitcoin Core node";
-  bitcoin-node =
-    { config, pkgs, lib, ... }: {
-      imports = [ ../configuration.nix ];
+  bitcoin-node = { config, pkgs, lib, ... }: {
+    imports = [
+      ../configuration.nix
+
+
+    ];
-      deployment.keys = builtins.mapAttrs (n: v: {
-        keyFile = "${toString ../secrets}/${n}";
-        destDir = config.nix-bitcoin.secretsDir;
-        inherit (v) user group permissions;
-      }) config.nix-bitcoin.secrets;
-
-      # nixops makes the secrets directory accessible only for users with group 'key'.
-      # For compatibility with other deployment methods besides nixops, we forego the
-      # use of the 'key' group and make the secrets dir world-readable instead.
-      # This is safe because all containing files have their specific private
-      # permissions set.
-      systemd.services.allowSecretsDirAccess = {
-        requires = [ "keys.target" ];
-        after = [ "keys.target" ];
-        script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
-        serviceConfig.Type = "oneshot";
-      };
-
-      systemd.targets.nix-bitcoin-secrets = {
-        requires = [ "allowSecretsDirAccess.service" ];
-        after = [ "allowSecretsDirAccess.service" ];
-      };
-    };
+    nix-bitcoin.deployment.secretsDir = toString ../secrets;
+  };
 }
diff --git a/modules/deployment/nixops.nix b/modules/deployment/nixops.nix
new file mode 100644
index 0000000..50f9468
--- /dev/null
+++ b/modules/deployment/nixops.nix
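Review bot: The two added entries between `../configuration.nix` and `];` in the imports list are empty as rendered here, so it cannot be seen whether the example actually imports the new `modules/deployment/nixops.nix` module; if it does not, nothing sets `deployment.keys` and no secrets are transferred to the node, so the intended entries (possibly an angle-bracket path lost in rendering) should be confirmed. The `toString ../secrets` on the last added line deserves a comment, because it is the only thing keeping the local secrets directory out of the world-readable Nix store: `# toString: pass the directory as a string so it is not copied into the Nix store`.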
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  deployment.keys = builtins.mapAttrs (n: v: {
+    keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
+    destDir = config.nix-bitcoin.secretsDir;
+    inherit (v) user group permissions;
+  }) config.nix-bitcoin.secrets;
+
+  # nixops makes the secrets directory accessible only for users with group 'key'.
+  # For compatibility with other deployment methods besides nixops, we forego the
+  # use of the 'key' group and make the secrets dir world-readable instead.
+  # This is safe because all containing files have their specific private
+  # permissions set.
+  systemd.services.allowSecretsDirAccess = {
+    requires = [ "keys.target" ];
+    after = [ "keys.target" ];
+    script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
+    serviceConfig.Type = "oneshot";
+  };
+
+  systemd.targets.nix-bitcoin-secrets = {
+    requires = [ "allowSecretsDirAccess.service" ];
+    after = [ "allowSecretsDirAccess.service" ];
+  };
+}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 0149289..36585c7 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -15,6 +15,13 @@ in
       description = "Directory to store secrets";
     };
 
+    deployment.secretsDir = mkOption {
+      type = types.path;
+      description = ''
+        Directory of local secrets that are transfered to the nix-bitcoin node on deployment
+      '';
+    };
+
     secrets = mkOption {
       default = {};
       type = with types; attrsOf (submodule (
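Review bot: `keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";` in nixops.nix interpolates the option value directly, while the option added in the secrets.nix hunk is declared `type = types.path`, which also accepts a bare path literal; a user who writes `nix-bitcoin.deployment.secretsDir = ../secrets;` instead of the `toString` form in the example would have the entire local secrets directory copied into the world-readable Nix store by that interpolation. Converting at the use site removes the foot-gun for both value kinds: `keyFile = "${toString config.nix-bitcoin.deployment.secretsDir}/${n}";`, since `toString` on a path yields its filesystem string without a store copy and is a no-op on a string. The option description in secrets.nix should state this (and fix "transfered"), e.g. `Local directory holding the secrets that are transferred to the nix-bitcoin node on deployment. Pass it as a string (for example `toString ./secrets`) so it is not copied into the Nix store.`; the enclosing options block there starts before the hunk. The `keys.target`/`chmod o+x` service definitions are moved unchanged from the example and are not re-reviewed here.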