From b90bf6691bf7f7bb53c1dd1ede188186bb141905 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 27 Nov 2019 14:04:32 +0100
Subject: [PATCH] add generate-secrets.service
---
modules/secrets/generate-secrets.nix | 29 ++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 modules/secrets/generate-secrets.nix
diff --git a/modules/secrets/generate-secrets.nix b/modules/secrets/generate-secrets.nix
new file mode 100644
index 0000000..f7edc03
--- /dev/null
+++ b/modules/secrets/generate-secrets.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, lib, ... }:
+
+# This is mainly for testing.
+# When using this for regular deployments, make sure to create a backup of the
+# generated secrets.
+
+with lib;
+let
+ secretsDir = "/secrets/"; # TODO: make this an option
+in
+{
+ nix-bitcoin.setup-secrets = true;
+
+ systemd.services.generate-secrets = {
+ requiredBy = [ "setup-secrets.service" ];
+ before = [ "setup-secrets.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ } // config.nix-bitcoin-services.defaultHardening;
+ script = ''
+ mkdir -p "${secretsDir}"
+ cd "${secretsDir}"
+ chown root: .
+ chmod 0700 .
+ ${pkgs.nix-bitcoin.generate-secrets}
+ '';
+ };
+}
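Review bot: The script in `systemd.services.generate-secrets` protects the generated files only through `chmod 0700 .` on the directory; the files themselves are created under the service's umask, which is systemd's default of 0022 unless `defaultHardening` sets one (not visible in this hunk). If a later step such as `setup-secrets.service` relaxes the directory mode, every secret would then be as readable as its own file mode allows. Adding `umask 077` as the first line of `script`, or `UMask = "0077";` merged after `defaultHardening`, keeps each file owner-only independent of the directory. It is also not visible whether `${pkgs.nix-bitcoin.generate-secrets}` leaves existing files untouched when the unit runs again on a later boot; a comment next to the call stating that expectation, e.g. `# must not overwrite secrets that already exist`, would document the contract the backup advice depends on.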