extract module 'deployment/nixops.nix', add option 'deployment.secretsDir'

examples/nixops/node.nix

@@ -1,31 +1,13 @@
 {
   network.description = "Bitcoin Core node";
 
-  bitcoin-node =
+  bitcoin-node = { config, pkgs, lib, ... }: {
-    { config, pkgs, lib, ... }: {
+    imports = [
-      imports = [ ../configuration.nix <nix-bitcoin/modules/nix-bitcoin.nix> ];
+      ../configuration.nix
+      <nix-bitcoin/modules/nix-bitcoin.nix>
+      <nix-bitcoin/modules/deployment/nixops.nix>
+    ];
 
-      deployment.keys = builtins.mapAttrs (n: v: {
+    nix-bitcoin.deployment.secretsDir = toString ../secrets;
-        keyFile = "${toString ../secrets}/${n}";
-        destDir = config.nix-bitcoin.secretsDir;
-        inherit (v) user group permissions;
-      }) config.nix-bitcoin.secrets;
-
-      # nixops makes the secrets directory accessible only for users with group 'key'.
-      # For compatibility with other deployment methods besides nixops, we forego the
-      # use of the 'key' group and make the secrets dir world-readable instead.
-      # This is safe because all containing files have their specific private
-      # permissions set.
-      systemd.services.allowSecretsDirAccess = {
-        requires = [ "keys.target" ];
-        after = [ "keys.target" ];
-        script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
-        serviceConfig.Type = "oneshot";
-      };
-
-      systemd.targets.nix-bitcoin-secrets = {
-        requires = [ "allowSecretsDirAccess.service" ];
-        after = [ "allowSecretsDirAccess.service" ];
-      };
   };
 }

modules/deployment/nixops.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  deployment.keys = builtins.mapAttrs (n: v: {
+    keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
+    destDir = config.nix-bitcoin.secretsDir;
+    inherit (v) user group permissions;
+  }) config.nix-bitcoin.secrets;
+
+  # nixops makes the secrets directory accessible only for users with group 'key'.
+  # For compatibility with other deployment methods besides nixops, we forego the
+  # use of the 'key' group and make the secrets dir world-readable instead.
+  # This is safe because all containing files have their specific private
+  # permissions set.
+  systemd.services.allowSecretsDirAccess = {
+    requires = [ "keys.target" ];
+    after = [ "keys.target" ];
+    script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
+    serviceConfig.Type = "oneshot";
+  };
+
+  systemd.targets.nix-bitcoin-secrets = {
+    requires = [ "allowSecretsDirAccess.service" ];
+    after = [ "allowSecretsDirAccess.service" ];
+  };
+}

modules/secrets/secrets.nix

@@ -15,6 +15,13 @@ in
       description = "Directory to store secrets";
     };
 
+    deployment.secretsDir = mkOption {
+      type = types.path;
+      description = ''
+        Directory of local secrets that are transfered to the nix-bitcoin node on deployment
+      '';
+    };
+
     secrets = mkOption {
       default = {};
       type = with types; attrsOf (submodule (