2019-11-27 05:04:26 -08:00
|
|
|
{
|
2018-11-13 15:44:54 -08:00
|
|
|
network.description = "Bitcoin Core node";
|
|
|
|
|
2018-12-06 03:33:13 -08:00
|
|
|
bitcoin-node =
|
2019-11-27 05:04:19 -08:00
|
|
|
{ config, pkgs, lib, ... }: {
|
2019-11-27 05:04:18 -08:00
|
|
|
imports = [ ../configuration.nix ];
|
|
|
|
|
2020-01-12 11:52:38 -08:00
|
|
|
deployment.keys = builtins.mapAttrs (n: v: {
|
|
|
|
keyFile = "${toString ../secrets}/${n}";
|
|
|
|
destDir = "/secrets/";
|
|
|
|
inherit (v) user group permissions;
|
|
|
|
}) config.nix-bitcoin.secrets;
|
2019-11-27 05:04:19 -08:00
|
|
|
|
|
|
|
# nixops makes the secrets directory accessible only for users with group 'key'.
|
|
|
|
# For compatibility with other deployment methods besides nixops, we forego the
|
|
|
|
# use of the 'key' group and make the secrets dir world-readable instead.
|
|
|
|
# This is safe because all containing files have their specific private
|
|
|
|
# permissions set.
|
|
|
|
systemd.services.allowSecretsDirAccess = {
|
|
|
|
requires = [ "keys.target" ];
|
|
|
|
after = [ "keys.target" ];
|
|
|
|
script = "chmod o+x /secrets";
|
|
|
|
serviceConfig.Type = "oneshot";
|
|
|
|
};
|
|
|
|
|
|
|
|
systemd.targets.nix-bitcoin-secrets = {
|
|
|
|
requires = [ "allowSecretsDirAccess.service" ];
|
|
|
|
after = [ "allowSecretsDirAccess.service" ];
|
|
|
|
};
|
2019-11-27 05:04:18 -08:00
|
|
|
};
|
2018-11-13 15:44:54 -08:00
|
|
|
}
|