ad23b508e3
ProtectSystem=full disables writing to /etc which is the default
secrets location.
Besides that, hardening is pointless for {generate,setup}-secrets which
don't read external input and are fully under our control.
27 lines
627 B
Nix
27 lines
627 B
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
# This is mainly for testing.
|
|
# When using this for regular deployments, make sure to create a backup of the
|
|
# generated secrets.
|
|
|
|
with lib;
|
|
{
|
|
nix-bitcoin.setup-secrets = true;
|
|
|
|
systemd.services.generate-secrets = {
|
|
requiredBy = [ "setup-secrets.service" ];
|
|
before = [ "setup-secrets.service" ];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
};
|
|
script = ''
|
|
mkdir -p "${config.nix-bitcoin.secretsDir}"
|
|
cd "${config.nix-bitcoin.secretsDir}"
|
|
chown root: .
|
|
chmod 0700 .
|
|
${pkgs.nix-bitcoin.generate-secrets}
|
|
'';
|
|
};
|
|
}
|