nix-bitcoin/modules/deployment/nixops.nix
Erik Arvstedt 55d87490ec
secrets: make configuration more robust
- Fail at evaluation when secrets setup is not configured.
  Previously, bitcoind failed at runtime due to the missing secrets target.

- Fail at evaluation when conflicting secrets setup methods are used.
  This happens when `secretsSetupMethod` has more than one definition.
2021-03-15 12:42:52 +00:00

28 lines
994 B
Nix

{ config, ... }:
{
nix-bitcoin.secretsSetupMethod = "nixops";
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
destDir = config.nix-bitcoin.secretsDir;
inherit (v) user group permissions;
}) config.nix-bitcoin.secrets;
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
}