nix-bitcoin/modules/deployment/nixops.nix

{ config, ... }:
{
  nix-bitcoin.secretsSetupMethod = "nixops";

  deployment.keys = builtins.mapAttrs (n: v: {
    keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
    destDir = config.nix-bitcoin.secretsDir;
    inherit (v) user group permissions;
  }) config.nix-bitcoin.secrets;

  # nixops makes the secrets directory accessible only for users with group 'key'.
  # For compatibility with other deployment methods besides nixops, we forego the
  # use of the 'key' group and make the secrets dir world-readable instead.
  # This is safe because all containing files have their specific private
  # permissions set.
  systemd.services.allowSecretsDirAccess = {
    requires = [ "keys.target" ];
    after = [ "keys.target" ];
    script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
    serviceConfig.Type = "oneshot";
  };

  systemd.targets.nix-bitcoin-secrets = {
    requires = [ "allowSecretsDirAccess.service" ];
    after = [ "allowSecretsDirAccess.service" ];
  };
}
extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' 2020-02-26 08:11:19 -08:00			`{ config, ... }:`
			`{`
secrets: make configuration more robust - Fail at evaluation when secrets setup is not configured. Previously, bitcoind failed at runtime due to the missing secrets target. - Fail at evaluation when conflicting secrets setup methods are used. This happens when `secretsSetupMethod` has more than one definition. 2021-03-10 05:08:36 -08:00			`nix-bitcoin.secretsSetupMethod = "nixops";`

extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' 2020-02-26 08:11:19 -08:00			`deployment.keys = builtins.mapAttrs (n: v: {`
			`keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";`
			`destDir = config.nix-bitcoin.secretsDir;`
			`inherit (v) user group permissions;`
			`}) config.nix-bitcoin.secrets;`

			`# nixops makes the secrets directory accessible only for users with group 'key'.`
			`# For compatibility with other deployment methods besides nixops, we forego the`
			`# use of the 'key' group and make the secrets dir world-readable instead.`
			`# This is safe because all containing files have their specific private`
			`# permissions set.`
			`systemd.services.allowSecretsDirAccess = {`
			`requires = [ "keys.target" ];`
			`after = [ "keys.target" ];`
			`script = "chmod o+x ${config.nix-bitcoin.secretsDir}";`
			`serviceConfig.Type = "oneshot";`
			`};`

			`systemd.targets.nix-bitcoin-secrets = {`
			`requires = [ "allowSecretsDirAccess.service" ];`
			`after = [ "allowSecretsDirAccess.service" ];`
			`};`
			`}`