diff --git a/modules/secrets/make-secrets.nix b/modules/secrets/make-secrets.nix
new file mode 100644
index 0000000..fa9a070
--- /dev/null
+++ b/modules/secrets/make-secrets.nix
@@ -0,0 +1,68 @@
+{ secretsFile ? null, config ? null }:
+let
+ secrets = import secretsFile;
+ secretsDir = "/secrets/";
+ secret = { text ? null, keyFile ? null, user, group ? user }: {
+ inherit text keyFile user group;
+ destDir = secretsDir;
+ permissions = "0440";
+ };
+in rec {
+ allSecrets = {
+ bitcoin-rpcpassword = secret {
+ text = secrets.bitcoinrpcpassword;
+ user = "bitcoin";
+ group = "bitcoinrpc";
+ };
+ lnd-wallet-password = secret {
+ text = secrets.lnd-wallet-password;
+ user = "lnd";
+ };
+ lightning-charge-api-token = secret {
+ text = "API_TOKEN=" + secrets.lightning-charge-api-token;
+ user = "clightning";
+ };
+ # variable is called CHARGE_TOKEN instead of API_TOKEN
+ lightning-charge-api-token-for-nanopos = secret {
+ text = "CHARGE_TOKEN=" + secrets.lightning-charge-api-token;
+ user = "nanopos";
+ };
+ liquid-rpcpassword = secret {
+ text = secrets.liquidrpcpassword;
+ user = "liquid";
+ };
+ spark-wallet-login = secret {
+ text = "login=" + "spark-wallet:" + secrets.spark-wallet-password;
+ user = "clightning";
+ };
+ nginx_key = secret {
+ keyFile = toString ../../secrets/nginx.key;
+ user = "nginx";
+ group = "root";
+ };
+ nginx_cert = secret {
+ keyFile = toString ../../secrets/nginx.cert;
+ user = "nginx";
+ group = "root";
+ };
+ lnd_key = secret {
+ keyFile = toString ../../secrets/lnd.key;
+ user = "lnd";
+ };
+ lnd_cert = secret {
+ keyFile = toString ../../secrets/lnd.cert;
+ user = "lnd";
+ };
+ };
+
+ activeSecrets = let
+ secretsFor = service: attrs: if service.enable then attrs else {};
+ in with allSecrets;
+ (secretsFor config.services.bitcoind { inherit bitcoin-rpcpassword; })
+ // (secretsFor config.services.lnd { inherit lnd-wallet-password lnd_key lnd_cert; })
+ // (secretsFor config.services.lightning-charge { inherit lightning-charge-api-token; })
+ // (secretsFor config.services.nanopos { inherit lightning-charge-api-token-for-nanopos; })
+ // (secretsFor config.services.liquidd { inherit liquid-rpcpassword; })
+ // (secretsFor config.services.spark-wallet { inherit spark-wallet-login; })
+ // (secretsFor config.services.electrs { inherit nginx_key nginx_cert; });
+}
diff --git a/network/network.nix b/network/network.nix
index c73c3c8..269ed45 100644
--- a/network/network.nix
+++ b/network/network.nix
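Review bot: The `? null` defaults on the new file's first line, `{ secretsFile ? null, config ? null }:`, are not usable defaults: `import secretsFile` and `config.services.*.enable` dereference both arguments unconditionally, so omitting either fails at the `import` or attribute access with an obscure error instead of a missing-argument message; declaring them required, `{ secretsFile, config }:`, gives the caller the right error and documents the contract. Two behaviour changes relative to the removed network.nix definition look undocumented: `inherit text keyFile user group;` now forwards `keyFile`, which the old `inherit text user group;` silently dropped, so the `toString ../../secrets/*.key` and `*.cert` entries become live, and because the file now lives in `modules/secrets/` those relative paths resolve to the repository's `secrets/` directory rather than one level above it — worth confirming the nginx and lnd key material is meant to be deployed from that location. `bitcoin-rpcpassword` is also now gated on `config.services.bitcoind.enable` where it was previously deployed unconditionally; any consumer that reads it with bitcoind disabled will find the key absent. A short header comment stating that both arguments are required and that `activeSecrets` is the attribute intended for `deployment.keys` would help the next reader.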
@@ -1,73 +1,14 @@
-let
- secrets = import ../secrets/secrets.nix;
-
- secretsDir = "/secrets/";
- secret = { text ? null, keyFile ? null, user, group ? user }: {
- inherit text user group;
- destDir = secretsDir;
- permissions = "0440";
- };
-
- bitcoin-rpcpassword = secret {
- text = secrets.bitcoinrpcpassword;
- user = "bitcoin";
- group = "bitcoinrpc";
- };
- lnd-wallet-password = secret {
- text = secrets.lnd-wallet-password;
- user = "lnd";
- };
- lightning-charge-api-token = secret {
- text = "API_TOKEN=" + secrets.lightning-charge-api-token;
- user = "clightning";
- };
- # variable is called CHARGE_TOKEN instead of API_TOKEN
- lightning-charge-api-token-for-nanopos = secret {
- text = "CHARGE_TOKEN=" + secrets.lightning-charge-api-token;
- user = "nanopos";
- };
- liquid-rpcpassword = secret {
- text = secrets.liquidrpcpassword;
- user = "liquid";
- };
- spark-wallet-login = secret {
- text = "login=" + "spark-wallet:" + secrets.spark-wallet-password;
- user = "clightning";
- };
- nginx_key = secret {
- keyFile = toString ../../secrets/nginx.key;
- user = "nginx";
- group = "root";
- };
- nginx_cert = secret {
- keyFile = toString ../../secrets/nginx.cert;
- user = "nginx";
- group = "root";
- };
- lnd_key = secret {
- keyFile = toString ../../secrets/lnd.key;
- user = "lnd";
- };
- lnd_cert = secret {
- keyFile = toString ../../secrets/lnd.cert;
- user = "lnd";
- };
-in {
+{
 network.description = "Bitcoin Core node";
 bitcoin-node = { config, pkgs, lib, ... }: {
 imports = [ ../configuration.nix ];
- deployment.keys = {
- inherit bitcoin-rpcpassword;
- }
- // (if (config.services.lnd.enable) then { inherit lnd-wallet-password lnd_key lnd_cert; } else { })
- // (if (config.services.lightning-charge.enable) then { inherit lightning-charge-api-token; } else { })
- // (if (config.services.nanopos.enable) then { inherit lightning-charge-api-token-for-nanopos; } else { })
- // (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { })
- // (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { })
- // (if (config.services.electrs.enable) then { inherit nginx_key nginx_cert; } else { });
+ deployment.keys = (import ../modules/secrets/make-secrets.nix {
+ inherit config;
+ secretsFile = ../secrets/secrets.nix;
+ }).activeSecrets;
 # nixops makes the secrets directory accessible only for users with group 'key'.
 # For compatibility with other deployment methods besides nixops, we forego the