90 lines
2.9 KiB
Nix
90 lines
2.9 KiB
Nix
let
|
|
secrets = import ../secrets/secrets.nix;
|
|
|
|
secretsDir = "/secrets/";
|
|
secret = { text ? null, keyFile ? null, user, group ? user }: {
|
|
inherit text user group;
|
|
destDir = secretsDir;
|
|
permissions = "0440";
|
|
};
|
|
|
|
bitcoin-rpcpassword = secret {
|
|
text = secrets.bitcoinrpcpassword;
|
|
user = "bitcoin";
|
|
group = "bitcoinrpc";
|
|
};
|
|
lnd-wallet-password = secret {
|
|
text = secrets.lnd-wallet-password;
|
|
user = "lnd";
|
|
};
|
|
lightning-charge-api-token = secret {
|
|
text = "API_TOKEN=" + secrets.lightning-charge-api-token;
|
|
user = "clightning";
|
|
};
|
|
# variable is called CHARGE_TOKEN instead of API_TOKEN
|
|
lightning-charge-api-token-for-nanopos = secret {
|
|
text = "CHARGE_TOKEN=" + secrets.lightning-charge-api-token;
|
|
user = "nanopos";
|
|
};
|
|
liquid-rpcpassword = secret {
|
|
text = secrets.liquidrpcpassword;
|
|
user = "liquid";
|
|
};
|
|
spark-wallet-login = secret {
|
|
text = "login=" + "spark-wallet:" + secrets.spark-wallet-password;
|
|
user = "clightning";
|
|
};
|
|
nginx_key = secret {
|
|
keyFile = toString ../../secrets/nginx.key;
|
|
user = "nginx";
|
|
group = "root";
|
|
};
|
|
nginx_cert = secret {
|
|
keyFile = toString ../../secrets/nginx.cert;
|
|
user = "nginx";
|
|
group = "root";
|
|
};
|
|
lnd_key = secret {
|
|
keyFile = toString ../../secrets/lnd.key;
|
|
user = "lnd";
|
|
};
|
|
lnd_cert = secret {
|
|
keyFile = toString ../../secrets/lnd.cert;
|
|
user = "lnd";
|
|
};
|
|
in {
|
|
network.description = "Bitcoin Core node";
|
|
|
|
bitcoin-node =
|
|
{ config, pkgs, lib, ... }: {
|
|
imports = [ ../configuration.nix ];
|
|
|
|
deployment.keys = {
|
|
inherit bitcoin-rpcpassword;
|
|
}
|
|
// (if (config.services.lnd.enable) then { inherit lnd-wallet-password lnd_key lnd_cert; } else { })
|
|
// (if (config.services.lightning-charge.enable) then { inherit lightning-charge-api-token; } else { })
|
|
// (if (config.services.nanopos.enable) then { inherit lightning-charge-api-token-for-nanopos; } else { })
|
|
// (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { })
|
|
// (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { })
|
|
// (if (config.services.electrs.enable) then { inherit nginx_key nginx_cert; } else { });
|
|
|
|
# nixops makes the secrets directory accessible only for users with group 'key'.
|
|
# For compatibility with other deployment methods besides nixops, we forego the
|
|
# use of the 'key' group and make the secrets dir world-readable instead.
|
|
# This is safe because all containing files have their specific private
|
|
# permissions set.
|
|
systemd.services.allowSecretsDirAccess = {
|
|
requires = [ "keys.target" ];
|
|
after = [ "keys.target" ];
|
|
script = "chmod o+x /secrets";
|
|
serviceConfig.Type = "oneshot";
|
|
};
|
|
|
|
systemd.targets.nix-bitcoin-secrets = {
|
|
requires = [ "allowSecretsDirAccess.service" ];
|
|
after = [ "allowSecretsDirAccess.service" ];
|
|
};
|
|
};
|
|
}
|