nix-bitcoin/network/network.nix

let
  secrets = import ../secrets/secrets.nix;
  bitcoin-rpcpassword = {
    text = secrets.bitcoinrpcpassword;
    destDir = "/secrets/";
    user = "bitcoin";
    group = "bitcoinrpc";
    permissions = "0440";
  };
  lnd-wallet-password = {
    text = secrets.lnd-wallet-password;
    destDir = "/secrets/";
    user = "lnd";
    group = "lnd";
    permissions = "0440";
  };
  lightning-charge-api-token = {
    text = "API_TOKEN=" + secrets.lightning-charge-api-token;
    destDir = "/secrets/";
    user = "clightning";
    group = "clightning";
    permissions = "0440";
  };
  # variable is called CHARGE_TOKEN instead of API_TOKEN
  lightning-charge-api-token-for-nanopos = {
    text = "CHARGE_TOKEN=" + secrets.lightning-charge-api-token;
    destDir = "/secrets/";
    user = "nanopos";
    group = "nanopos";
    permissions = "0440";
  };
  liquid-rpcpassword = {
    text = secrets.liquidrpcpassword;
    destDir = "/secrets/";
    user = "liquid";
    group = "liquid";
    permissions = "0440";
  };
  spark-wallet-login = {
    text = "login=" + "spark-wallet:" + secrets.spark-wallet-password;
    destDir = "/secrets/";
    user = "clightning";
    group = "clightning";
    permissions = "0440";
  };
  nginx_key = {
    keyFile = toString ../../secrets/nginx.key;
    destDir = "/secrets/";
    user = "nginx";
    group = "root";
    permissions = "0440";
  };
  nginx_cert = {
    keyFile = toString ../../secrets/nginx.cert;
    destDir = "/secrets/";
    user = "nginx";
    group = "root";
    permissions = "0440";
  };
  lnd_key = {
    keyFile = toString ../../secrets/lnd.key;
    destDir = "/secrets/";
    user = "lnd";
    group = "lnd";
    permissions = "0440";
  };
  lnd_cert = {
    keyFile = toString ../../secrets/lnd.cert;
    destDir = "/secrets/";
    user = "lnd";
    group = "lnd";
    permissions = "0440";
  };
in {
  network.description = "Bitcoin Core node";

  bitcoin-node =
    { config, pkgs, lib, ... }: {
      imports = [ ../configuration.nix ];

      deployment.keys = {
        inherit bitcoin-rpcpassword;
      }
      // (if (config.services.lnd.enable) then { inherit lnd-wallet-password lnd_key lnd_cert; } else { })
      // (if (config.services.lightning-charge.enable) then { inherit lightning-charge-api-token; } else { })
      // (if (config.services.nanopos.enable) then { inherit lightning-charge-api-token-for-nanopos; } else { })
      // (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { })
      // (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { })
      // (if (config.services.electrs.enable) then { inherit nginx_key nginx_cert; } else { });

      # nixops makes the secrets directory accessible only for users with group 'key'.
      # For compatibility with other deployment methods besides nixops, we forego the
      # use of the 'key' group and make the secrets dir world-readable instead.
      # This is safe because all containing files have their specific private
      # permissions set.
      systemd.services.allowSecretsDirAccess = {
        requires = [ "keys.target" ];
        after = [ "keys.target" ];
        script = "chmod o+x /secrets";
        serviceConfig.Type = "oneshot";
      };

      systemd.targets.nix-bitcoin-secrets = {
        requires = [ "allowSecretsDirAccess.service" ];
        after = [ "allowSecretsDirAccess.service" ];
      };
    };
}
Move deployment keys into network.nix 2018-12-06 03:33:13 -08:00			`let`
Fix network.nix after changing directory structure 2019-04-12 06:14:00 -07:00			`secrets = import ../secrets/secrets.nix;`
Move deployment keys into network.nix 2018-12-06 03:33:13 -08:00			`bitcoin-rpcpassword = {`
			`text = secrets.bitcoinrpcpassword;`
			`destDir = "/secrets/";`
			`user = "bitcoin";`
			`group = "bitcoinrpc";`
			`permissions = "0440";`
			`};`
Add LND support 2019-08-05 01:44:38 -07:00			`lnd-wallet-password = {`
			`text = secrets.lnd-wallet-password;`
			`destDir = "/secrets/";`
			`user = "lnd";`
			`group = "lnd";`
			`permissions = "0440";`
			`};`
Move deployment keys into network.nix 2018-12-06 03:33:13 -08:00			`lightning-charge-api-token = {`
			`text = "API_TOKEN=" + secrets.lightning-charge-api-token;`
			`destDir = "/secrets/";`
			`user = "clightning";`
			`group = "clightning";`
			`permissions = "0440";`
			`};`
			`# variable is called CHARGE_TOKEN instead of API_TOKEN`
			`lightning-charge-api-token-for-nanopos = {`
			`text = "CHARGE_TOKEN=" + secrets.lightning-charge-api-token;`
			`destDir = "/secrets/";`
			`user = "nanopos";`
			`group = "nanopos";`
			`permissions = "0440";`
			`};`
			`liquid-rpcpassword = {`
			`text = secrets.liquidrpcpassword;`
			`destDir = "/secrets/";`
			`user = "liquid";`
			`group = "liquid";`
			`permissions = "0440";`
			`};`
Add spark-wallet 2018-12-10 08:34:41 -08:00			`spark-wallet-login = {`
			`text = "login=" + "spark-wallet:" + secrets.spark-wallet-password;`
			`destDir = "/secrets/";`
			`user = "clightning";`
			`group = "clightning";`
			`permissions = "0440";`
			`};`
Rename nginx certificate files 2019-08-13 13:57:59 -07:00			`nginx_key = {`
don't copy secret files to store during nixops deployment 2019-11-27 05:04:24 -08:00			`keyFile = toString ../../secrets/nginx.key;`
electrs ssl 2019-04-26 02:09:55 -07:00			`destDir = "/secrets/";`
			`user = "nginx";`
			`group = "root";`
			`permissions = "0440";`
			`};`
Rename nginx certificate files 2019-08-13 13:57:59 -07:00			`nginx_cert = {`
don't copy secret files to store during nixops deployment 2019-11-27 05:04:24 -08:00			`keyFile = toString ../../secrets/nginx.cert;`
electrs ssl 2019-04-26 02:09:55 -07:00			`destDir = "/secrets/";`
			`user = "nginx";`
			`group = "root";`
			`permissions = "0440";`
			`};`
Add LND support 2019-08-05 01:44:38 -07:00			`lnd_key = {`
don't copy secret files to store during nixops deployment 2019-11-27 05:04:24 -08:00			`keyFile = toString ../../secrets/lnd.key;`
Add LND support 2019-08-05 01:44:38 -07:00			`destDir = "/secrets/";`
			`user = "lnd";`
			`group = "lnd";`
			`permissions = "0440";`
			`};`
			`lnd_cert = {`
don't copy secret files to store during nixops deployment 2019-11-27 05:04:24 -08:00			`keyFile = toString ../../secrets/lnd.cert;`
Add LND support 2019-08-05 01:44:38 -07:00			`destDir = "/secrets/";`
			`user = "lnd";`
			`group = "lnd";`
			`permissions = "0440";`
			`};`
Move deployment keys into network.nix 2018-12-06 03:33:13 -08:00			`in {`
running bitcoin 2018-11-13 15:44:54 -08:00			`network.description = "Bitcoin Core node";`

Move deployment keys into network.nix 2018-12-06 03:33:13 -08:00			`bitcoin-node =`
add nix-bitcoin-secrets.target Remove use of nixops-specific 'keys' group and key services. Instead: - Add nix-bitcoin-secrets.target, which should be required by all units that depend on secrets. (To keep it simple, it's okay to meet the secrets dependency indirectly by e.g. depending on bitcoind.) Various secret deployment methods can use this target by setting up the secrets before activating the target. In case of nixops we just specify that nixops' keys.target comes before nix-bitcoin-secrets.target. If the target is left undefined in the case of manual secrets deployment, systemd will simply ignore unit dependencies on the target. - Allow all users to access the secrets dir. The access protection for the individual secret files is unchanged. This allows us to drop the unit dependency on the nixops 'keys' group. 2019-11-27 05:04:19 -08:00			`{ config, pkgs, lib, ... }: {`
network.nix: simplify import of main config 2019-11-27 05:04:18 -08:00			`imports = [ ../configuration.nix ];`

Move deployment keys into network.nix 2018-12-06 03:33:13 -08:00			`deployment.keys = {`
Stop assuming that clightning is always enabled 2019-04-05 06:49:38 -07:00			`inherit bitcoin-rpcpassword;`
Move deployment keys into network.nix 2018-12-06 03:33:13 -08:00			`}`
Add LND support 2019-08-05 01:44:38 -07:00			`// (if (config.services.lnd.enable) then { inherit lnd-wallet-password lnd_key lnd_cert; } else { })`
Stop assuming that clightning is always enabled 2019-04-05 06:49:38 -07:00			`// (if (config.services.lightning-charge.enable) then { inherit lightning-charge-api-token; } else { })`
Move deployment keys into network.nix 2018-12-06 03:33:13 -08:00			`// (if (config.services.nanopos.enable) then { inherit lightning-charge-api-token-for-nanopos; } else { })`
Add spark-wallet 2018-12-10 08:34:41 -08:00			`// (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { })`
electrs ssl 2019-04-26 02:09:55 -07:00			`// (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { })`
Rename nginx certificate files 2019-08-13 13:57:59 -07:00			`// (if (config.services.electrs.enable) then { inherit nginx_key nginx_cert; } else { });`
add nix-bitcoin-secrets.target Remove use of nixops-specific 'keys' group and key services. Instead: - Add nix-bitcoin-secrets.target, which should be required by all units that depend on secrets. (To keep it simple, it's okay to meet the secrets dependency indirectly by e.g. depending on bitcoind.) Various secret deployment methods can use this target by setting up the secrets before activating the target. In case of nixops we just specify that nixops' keys.target comes before nix-bitcoin-secrets.target. If the target is left undefined in the case of manual secrets deployment, systemd will simply ignore unit dependencies on the target. - Allow all users to access the secrets dir. The access protection for the individual secret files is unchanged. This allows us to drop the unit dependency on the nixops 'keys' group. 2019-11-27 05:04:19 -08:00
			`# nixops makes the secrets directory accessible only for users with group 'key'.`
			`# For compatibility with other deployment methods besides nixops, we forego the`
			`# use of the 'key' group and make the secrets dir world-readable instead.`
			`# This is safe because all containing files have their specific private`
			`# permissions set.`
			`systemd.services.allowSecretsDirAccess = {`
			`requires = [ "keys.target" ];`
			`after = [ "keys.target" ];`
			`script = "chmod o+x /secrets";`
			`serviceConfig.Type = "oneshot";`
			`};`

			`systemd.targets.nix-bitcoin-secrets = {`
			`requires = [ "allowSecretsDirAccess.service" ];`
			`after = [ "allowSecretsDirAccess.service" ];`
			`};`
network.nix: simplify import of main config 2019-11-27 05:04:18 -08:00			`};`
running bitcoin 2018-11-13 15:44:54 -08:00			`}`