add nix-bitcoin-secrets.target

Remove use of nixops-specific 'keys' group and key services. Instead: - Add nix-bitcoin-secrets.target, which should be required by all units that depend on secrets. (To keep it simple, it's okay to meet the secrets dependency indirectly by e.g. depending on bitcoind.) Various secret deployment methods can use this target by setting up the secrets before activating the target. In case of nixops we just specify that nixops' keys.target comes before nix-bitcoin-secrets.target. If the target is left undefined in the case of manual secrets deployment, systemd will simply ignore unit dependencies on the target. - Allow all users to access the secrets dir. The access protection for the individual secret files is unchanged. This allows us to drop the unit dependency on the nixops 'keys' group.
2019-11-27 14:04:19 +01:00 · 2019-11-27 14:04:19 +01:00 · 3b842e5fe7
parent bbf2bbc04a
commit 3b842e5fe7
7 changed files with 29 additions and 11 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -225,8 +225,8 @@ in {
    environment.systemPackages = [ cfg.package ];
    systemd.services.bitcoind = {
      description = "Bitcoin daemon";
-      requires = [ "bitcoin-rpcpassword-key.service" ];
-      after = [ "network.target" "bitcoin-rpcpassword-key.service" ];
+      requires = [ "nix-bitcoin-secrets.target" ];
+      after = [ "network.target" "nix-bitcoin-secrets.target" ];
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        if ! test -e ${cfg.dataDir}; then
@ -296,7 +296,6 @@ in {

    users.users.${cfg.user} = {
      group = cfg.group;
-      extraGroups = [ "keys" ];
      description = "Bitcoin daemon user";
      home = cfg.dataDir;
    };
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@ -64,7 +64,7 @@ in {
    users.users.clightning = {
        description = "clightning User";
        group = "clightning";
-        extraGroups = [ "bitcoinrpc" "keys" ];
+        extraGroups = [ "bitcoinrpc" ];
        home = cfg.dataDir;
    };
    users.groups.clightning = {};
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -60,7 +60,7 @@ in {
    users.users.${cfg.user} = {
        description = "electrs User";
        group = cfg.group;
-        extraGroups = [ "bitcoinrpc" "keys" "bitcoin"];
+        extraGroups = [ "bitcoinrpc" "bitcoin"];
        home = cfg.dataDir;
    };
    users.groups.${cfg.group} = {};
@ -113,5 +113,9 @@ in {
        }
      '';
    };
+    systemd.services.nginx = {
+      requires = [ "nix-bitcoin-secrets.target" ];
+      after = [ "nix-bitcoin-secrets.target" ];
+    };
  };
 }
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@ -183,8 +183,8 @@ in {
    environment.systemPackages = [ pkgs.elementsd ];
    systemd.services.liquidd = {
      description = "Elements daemon providing access to the Liquid sidechain";
-      requires = [ "liquid-rpcpassword-key.service" ];
-      after = [ "network.target" "liquid-rpcpassword-key.service" ];
+      requires = [ "bitcoind.service" ];
+      after = [ "bitcoind.service" ];
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        if ! test -e ${cfg.dataDir}; then
@ -215,7 +215,6 @@ in {
    };
    users.users.${cfg.user} = {
      group = cfg.group;
-      extraGroups = [ "keys" ];
      description = "Liquid sidechain user";
      home = cfg.dataDir;
    };
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@ -95,7 +95,7 @@ in {
    users.users.lnd = {
        description = "LND User";
        group = "lnd";
-        extraGroups = [ "bitcoinrpc" "keys" ];
+        extraGroups = [ "bitcoinrpc" ];
        home = cfg.dataDir;
    };
    users.groups.lnd = {};
--- a/modules/nanopos.nix
+++ b/modules/nanopos.nix
@ -55,7 +55,6 @@ in {
    users.users.nanopos = {
        description = "nanopos User";
        group = "nanopos";
-        extraGroups = [ "keys" ];
    };
    users.groups.nanopos = {};

--- a/network/network.nix
+++ b/network/network.nix
@ -75,7 +75,7 @@ in {
  network.description = "Bitcoin Core node";

  bitcoin-node =
-    { config, pkgs, ... }: {
+    { config, pkgs, lib, ... }: {
      imports = [ ../configuration.nix ];

      deployment.keys = {
@ -87,5 +87,22 @@ in {
      // (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { })
      // (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { })
      // (if (config.services.electrs.enable) then { inherit nginx_key nginx_cert; } else { });
+
+      # nixops makes the secrets directory accessible only for users with group 'key'.
+      # For compatibility with other deployment methods besides nixops, we forego the
+      # use of the 'key' group and make the secrets dir world-readable instead.
+      # This is safe because all containing files have their specific private
+      # permissions set.
+      systemd.services.allowSecretsDirAccess = {
+        requires = [ "keys.target" ];
+        after = [ "keys.target" ];
+        script = "chmod o+x /secrets";
+        serviceConfig.Type = "oneshot";
+      };
+
+      systemd.targets.nix-bitcoin-secrets = {
+        requires = [ "allowSecretsDirAccess.service" ];
+        after = [ "allowSecretsDirAccess.service" ];
+      };
    };
 }