diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index a4c147e..b2a6bf3 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -238,7 +238,7 @@ in {
  cp '${cfg.configFileOption}' '${cfg.dataDir}/bitcoin.conf'
  chmod o-rw '${cfg.dataDir}/bitcoin.conf'
  chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
- echo "rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf'
+ echo "rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf'
  chmod -R g+rX '${cfg.dataDir}/blocks'
  '';
  # Wait until RPC port is open. This usually takes just a few ms.
diff --git a/modules/clightning.nix b/modules/clightning.nix
index f3de4a0..5b7b15b 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -93,7 +93,7 @@ in {
  chmod u=rw,g=r,o= ${cfg.dataDir}/config
  # The RPC socket has to be removed otherwise we might have stale sockets
  rm -f ${cfg.dataDir}/lightning-rpc
- echo "bitcoin-rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
+ echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
  '';
  serviceConfig = {
  PermissionsStartOnly = "true";
diff --git a/modules/electrs.nix b/modules/electrs.nix
index 7f98b97..dfeddc9 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@@ -5,6 +5,7 @@ with lib;
  let
  cfg = config.services.electrs;
  inherit (config) nix-bitcoin-services;
+ secretsDir = config.nix-bitcoin.secretsDir;
  index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
  jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
  in {
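Review bot: bitcoind.nix and clightning.nix interpolate `config.nix-bitcoin.secretsDir` inline in their preStart scripts, while electrs.nix (and the liquid.nix and lnd.nix hunks further down) bind `secretsDir = config.nix-bitcoin.secretsDir;` in the module's `let` block; using the same binding everywhere would keep the modules uniform and make a later rename a one-line change per file. This is a style point only: both rewritten `$(cat …)` expansions sit inside double-quoted shell strings, so the now user-configurable path is not subject to word splitting here. The enclosing preStart strings start outside these hunks.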
@@ -74,7 +75,7 @@ in {
  preStart = ''
  mkdir -m 0770 -p ${cfg.dataDir}
  chown -R '${cfg.user}:${cfg.group}' ${cfg.dataDir}
- echo "${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv ${index-batch-size} ${jsonrpc-import} --timestamp --db-dir ${cfg.dataDir} --daemon-dir /var/lib/bitcoind --cookie=${config.services.bitcoind.rpcuser}:$(cat /secrets/bitcoin-rpcpassword) --electrum-rpc-addr=127.0.0.1:${toString cfg.port}" > /run/electrs/startscript.sh
+ echo "${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv ${index-batch-size} ${jsonrpc-import} --timestamp --db-dir ${cfg.dataDir} --daemon-dir /var/lib/bitcoind --cookie=${config.services.bitcoind.rpcuser}:$(cat ${secretsDir}/bitcoin-rpcpassword) --electrum-rpc-addr=127.0.0.1:${toString cfg.port}" > /run/electrs/startscript.sh
  '';
  serviceConfig = rec {
  RuntimeDirectory = "electrs";
@@ -103,8 +104,8 @@ in {
  listen ${toString config.services.electrs.nginxport} ssl;
  proxy_pass electrs;
- ssl_certificate /secrets/nginx-cert;
- ssl_certificate_key /secrets/nginx-key;
+ ssl_certificate ${secretsDir}/nginx-cert;
+ ssl_certificate_key ${secretsDir}/nginx-key;
  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 4h;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
diff --git a/modules/lightning-charge.nix b/modules/lightning-charge.nix
index 71140a8..5f43ed0 100644
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@@ -30,7 +30,7 @@ in {
  requires = [ "clightning.service" ];
  after = [ "clightning.service" ];
  serviceConfig = {
- EnvironmentFile = "/secrets/lightning-charge-env";
+ EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
  ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir} -d ${config.services.clightning.dataDir}/lightning-charge.db";
  # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket,
  # so this must run as the clightning user
diff --git a/modules/liquid.nix b/modules/liquid.nix
index 6a731b5..3dce19a 100644
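Review bot: The rewritten `echo` in the electrs preStart still expands the bitcoind RPC password into the electrs command line that it writes to /run/electrs/startscript.sh, so the secret ends up both in that file and in the electrs process argv, which is readable by other local users through /proc unless the host hides process information; the commit only changes where the password is read from. If the electrs build in use can read the RPC cookie from a file path instead of taking it on the command line, passing the path would keep the password out of argv; failing that, the script's mode should be restricted in the same preStart. The enclosing preStart string and serviceConfig continue outside this hunk.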
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -5,6 +5,7 @@ with lib;
  let
  cfg = config.services.liquidd;
  inherit (config) nix-bitcoin-services;
+ secretsDir = config.nix-bitcoin.secretsDir;
  pidFile = "${cfg.dataDir}/liquidd.pid";
  configFile = pkgs.writeText "elements.conf" ''
  chain=liquidv1
@@ -207,8 +208,8 @@ in {
  cp '${configFile}' '${cfg.dataDir}/elements.conf'
  chmod o-rw '${cfg.dataDir}/elements.conf'
  chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
- echo "rpcpassword=$(cat /secrets/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
- echo "mainchainrpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
+ echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
+ echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
  '';
  serviceConfig = {
  Type = "simple";
diff --git a/modules/lnd.nix b/modules/lnd.nix
index 75f9d84..651883f 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -5,12 +5,13 @@ with lib;
  let
  cfg = config.services.lnd;
  inherit (config) nix-bitcoin-services;
+ secretsDir = config.nix-bitcoin.secretsDir;
  configFile = pkgs.writeText "lnd.conf" ''
  datadir=${cfg.dataDir}
  logdir=${cfg.dataDir}/logs
  bitcoin.mainnet=1
- tlscertpath=/secrets/lnd-cert
- tlskeypath=/secrets/lnd-key
+ tlscertpath=${secretsDir}/lnd-cert
+ tlskeypath=${secretsDir}/lnd-key
  rpclisten=localhost:${toString cfg.rpcPort}
@@ -61,7 +62,7 @@ in {
  default = pkgs.writeScriptBin "lncli"
  # Switch user because lnd makes datadir contents readable by user only
  ''
- exec sudo -u lnd ${pkgs.nix-bitcoin.lnd}/bin/lncli --tlscertpath /secrets/lnd-cert \
+ exec sudo -u lnd ${pkgs.nix-bitcoin.lnd}/bin/lncli --tlscertpath ${secretsDir}/lnd-cert \
  --macaroonpath '${cfg.dataDir}/chain/bitcoin/mainnet/admin.macaroon' "$@"
  '';
  description = "Binary to connect with the lnd instance.";
@@ -81,7 +82,7 @@ in {
  cp ${configFile} ${cfg.dataDir}/lnd.conf
  chown -R 'lnd:lnd' '${cfg.dataDir}'
  chmod u=rw,g=r,o= ${cfg.dataDir}/lnd.conf
- echo "bitcoind.rpcpass=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/lnd.conf'
+ echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/lnd.conf'
  '';
  serviceConfig = {
  PermissionsStartOnly = "true";
@@ -105,21 +106,21 @@ in {
  sleep 0.1
  done
- if [[ ! -f /secrets/lnd-seed-mnemonic ]]; then
+ if [[ ! -f ${secretsDir}/lnd-seed-mnemonic ]]; then
  echo Create lnd seed
  ${pkgs.curl}/bin/curl -s \
- --cacert /secrets/lnd-cert \
- -X GET https://127.0.0.1:8080/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > /secrets/lnd-seed-mnemonic
+ --cacert ${secretsDir}/lnd-cert \
+ -X GET https://127.0.0.1:8080/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > ${secretsDir}/lnd-seed-mnemonic
  fi
  if [[ ! -f ${mainnetDir}/wallet.db ]]; then
  echo Create lnd wallet
  ${pkgs.curl}/bin/curl -s --output /dev/null --show-error \
- --cacert /secrets/lnd-cert \
- -X POST -d "{\"wallet_password\": \"$(cat /secrets/lnd-wallet-password | tr -d '\n' | base64 -w0)\", \
- \"cipher_seed_mnemonic\": $(cat /secrets/lnd-seed-mnemonic | tr -d '\n')}" \
+ --cacert ${secretsDir}/lnd-cert \
+ -X POST -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\", \
+ \"cipher_seed_mnemonic\": $(cat ${secretsDir}/lnd-seed-mnemonic | tr -d '\n')}" \
  https://127.0.0.1:8080/v1/initwallet
  # Guarantees that RPC calls with cfg.cli succeed after the service is started
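Review bot: The seed line `… | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > ${secretsDir}/lnd-seed-mnemonic` creates the mnemonic file with whatever umask the unit runs under, and nothing in this hunk sets a mode, so the cipher seed can end up group- or world-readable in a directory that network.nix deliberately makes traversable with `chmod o+x`; wrapping the three-line curl pipeline in a subshell that starts with `umask 077` (or writing through `install -m 0600`) pins the file to owner-only regardless of the unit's umask, unless a `UMask=` is already set in the serviceConfig outside the hunk. Separately, the `-X POST -d "{\"wallet_password\": …}"` lines here and in the unlockwallet hunk below put the base64 wallet password and the seed into curl's argv, where other local users can read them from the process list; piping the JSON body in with `-d @-` keeps it out of argv. The `${secretsDir}/…` interpolations in this hunk are unquoted now that the directory is user-configurable, so a path with spaces would break the script. The enclosing script starts before and continues after this hunk.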
@@ -132,9 +133,9 @@ in {
  ${pkgs.curl}/bin/curl -s \
  -H "Grpc-Metadata-macaroon: $(${pkgs.xxd}/bin/xxd -ps -u -c 99999 '${mainnetDir}/admin.macaroon')" \
- --cacert /secrets/lnd-cert \
+ --cacert ${secretsDir}/lnd-cert \
  -X POST \
- -d "{\"wallet_password\": \"$(cat /secrets/lnd-wallet-password | tr -d '\n' | base64 -w0)\"}" \
+ -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\"}" \
  https://127.0.0.1:8080/v1/unlockwallet
  fi
diff --git a/modules/nanopos.nix b/modules/nanopos.nix
index ee5e04e..b34cf6d 100644
--- a/modules/nanopos.nix
+++ b/modules/nanopos.nix
@@ -58,7 +58,7 @@ in {
  requires = [ "lightning-charge.service" ];
  after = [ "lightning-charge.service" ];
  serviceConfig = {
- EnvironmentFile = "/secrets/nanopos-env";
+ EnvironmentFile = "${config.nix-bitcoin.secretsDir}/nanopos-env";
  ExecStart = "${pkgs.nix-bitcoin.nanopos}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11";
  User = "nanopos";
diff --git a/modules/nix-bitcoin.nix b/modules/nix-bitcoin.nix
index 5cbab71..e8c7af2 100644
--- a/modules/nix-bitcoin.nix
+++ b/modules/nix-bitcoin.nix
@@ -28,6 +28,8 @@ in {
  };
  config = mkIf cfg.enable {
+ nix-bitcoin.secretsDir = mkDefault "/secrets";
+
  networking.firewall.enable = true;
  # Tor
diff --git a/modules/secrets/generate-secrets.nix b/modules/secrets/generate-secrets.nix
index f7edc03..fa72110 100644
--- a/modules/secrets/generate-secrets.nix
+++ b/modules/secrets/generate-secrets.nix
@@ -5,9 +5,6 @@
  # generated secrets.
  with lib;
- let
- secretsDir = "/secrets/"; # TODO: make this an option
- in
  {
  nix-bitcoin.setup-secrets = true;
@@ -19,8 +16,8 @@ in
  RemainAfterExit = true;
  } // config.nix-bitcoin-services.defaultHardening;
  script = ''
- mkdir -p "${secretsDir}"
- cd "${secretsDir}"
+ mkdir -p "${config.nix-bitcoin.secretsDir}"
+ cd "${config.nix-bitcoin.secretsDir}"
  chown root: .
  chmod 0700 .
  ${pkgs.nix-bitcoin.generate-secrets}
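Review bot: `nix-bitcoin.secretsDir = mkDefault "/secrets";` in nix-bitcoin.nix gives the option a second default that differs from the `/etc/nix-bitcoin-secrets` declared in the secrets.nix hunk below, so the effective directory depends on whether `nix-bitcoin.enable` is set: a configuration that imports the secrets module without enabling nix-bitcoin will generate and look for secrets in a different place from the services that read them. Pick one default — either drop this line and make `/secrets` the option default in secrets.nix, or keep it and state in the option description that the nix-bitcoin module overrides the default to `/secrets`. A one-line comment above this line, `# Override the secrets.nix default so all services agree on the directory`, would at least record the intent.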
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index d3a064d..163346d 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -3,14 +3,18 @@ with lib;
  let
  cfg = config.nix-bitcoin;
- secretsDir = "/secrets/"; # TODO: make this an option
-
  setupSecrets = concatStrings (mapAttrsToList (n: v: ''
  setupSecret ${n} ${v.user} ${v.group} ${v.permissions} }
  '') cfg.secrets);
  in {
  options.nix-bitcoin = {
+ secretsDir = mkOption {
+ type = types.path;
+ default = "/etc/nix-bitcoin-secrets";
+ description = "Directory to store secrets";
+ };
+
  secrets = mkOption {
  default = {};
  type = with types; attrsOf (submodule (
@@ -68,7 +72,7 @@ in
  processedFiles+=("$file")
  }
- dir="${secretsDir}"
+ dir="${cfg.secretsDir}"
  if [[ ! -e $dir ]]; then
  echo "Error: Secrets dir '$dir' is missing"
  exit 1
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index aa40974..bef8d45 100644
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@@ -8,7 +8,7 @@ let
  dataDir = "/var/lib/spark-wallet/";
  onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
  run-spark-wallet = pkgs.writeScript "run-spark-wallet" ''
- CMD="${pkgs.nix-bitcoin.spark-wallet}/bin/spark-wallet --ln-path ${cfg.ln-path} -Q -k -c /secrets/spark-wallet-login"
+ CMD="${pkgs.nix-bitcoin.spark-wallet}/bin/spark-wallet --ln-path ${cfg.ln-path} -Q -k -c ${config.nix-bitcoin.secretsDir}/spark-wallet-login"
  ${optionalString cfg.onion-service ''
  echo Getting onion hostname
diff --git a/network/network.nix b/network/network.nix
index 191355a..fa69939 100644
--- a/network/network.nix
+++ b/network/network.nix
@@ -7,7 +7,7 @@
  deployment.keys = builtins.mapAttrs (n: v: {
  keyFile = "${toString ../secrets}/${n}";
- destDir = "/secrets/";
+ destDir = config.nix-bitcoin.secretsDir;
  inherit (v) user group permissions;
  }) config.nix-bitcoin.secrets;
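Review bot: `type = types.path;` on the new `secretsDir` option accepts a Nix path literal such as `./secrets` as well as an absolute string, and every `${cfg.secretsDir}` / `${secretsDir}` interpolation this commit introduces would then copy that directory into the world-readable Nix store at evaluation time — the opposite of what a secrets directory is for. Either switch to `types.str` with an assertion that the value starts with `/`, or at minimum extend the description so users are not steered into the trap: `Absolute path of the directory that holds the secrets at runtime. Give it as a string (e.g. "/secrets"), not as a Nix path literal, because a path literal would be copied into the Nix store.` The `dir="${cfg.secretsDir}"` line in the second hunk is fine as it is quoted.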
@@ -19,7 +19,7 @@
  systemd.services.allowSecretsDirAccess = {
  requires = [ "keys.target" ];
  after = [ "keys.target" ];
- script = "chmod o+x /secrets";
+ script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
  serviceConfig.Type = "oneshot";
  };
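Review bot: `script = "chmod o+x ${config.nix-bitcoin.secretsDir}";` interpolates the now user-configurable path into a shell command without quotes, so a directory name containing spaces or glob characters would be split or expanded; `script = "chmod o+x '${config.nix-bitcoin.secretsDir}'";` avoids that. Since this unit grants every local user search permission on the whole secrets directory, the individual files must rely on their own modes for protection, which is worth stating in a comment above the line, e.g. `# Make the secrets dir traversable (not listable) so service users can open their own files; per-file modes remain the access control`.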