extract module 'deployment/nixops.nix', add option 'deployment.secretsDir'
This commit is contained in:
parent
87d0286498
commit
0c0978c007
@ -1,31 +1,13 @@
|
|||||||
{
|
{
|
||||||
network.description = "Bitcoin Core node";
|
network.description = "Bitcoin Core node";
|
||||||
|
|
||||||
bitcoin-node =
|
bitcoin-node = { config, pkgs, lib, ... }: {
|
||||||
{ config, pkgs, lib, ... }: {
|
imports = [
|
||||||
imports = [ ../configuration.nix <nix-bitcoin/modules/nix-bitcoin.nix> ];
|
../configuration.nix
|
||||||
|
<nix-bitcoin/modules/nix-bitcoin.nix>
|
||||||
|
<nix-bitcoin/modules/deployment/nixops.nix>
|
||||||
|
];
|
||||||
|
|
||||||
deployment.keys = builtins.mapAttrs (n: v: {
|
nix-bitcoin.deployment.secretsDir = toString ../secrets;
|
||||||
keyFile = "${toString ../secrets}/${n}";
|
};
|
||||||
destDir = config.nix-bitcoin.secretsDir;
|
|
||||||
inherit (v) user group permissions;
|
|
||||||
}) config.nix-bitcoin.secrets;
|
|
||||||
|
|
||||||
# nixops makes the secrets directory accessible only for users with group 'key'.
|
|
||||||
# For compatibility with other deployment methods besides nixops, we forego the
|
|
||||||
# use of the 'key' group and make the secrets dir world-readable instead.
|
|
||||||
# This is safe because all containing files have their specific private
|
|
||||||
# permissions set.
|
|
||||||
systemd.services.allowSecretsDirAccess = {
|
|
||||||
requires = [ "keys.target" ];
|
|
||||||
after = [ "keys.target" ];
|
|
||||||
script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
|
|
||||||
serviceConfig.Type = "oneshot";
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.targets.nix-bitcoin-secrets = {
|
|
||||||
requires = [ "allowSecretsDirAccess.service" ];
|
|
||||||
after = [ "allowSecretsDirAccess.service" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
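--- a/modules/deployment/nixops.nix
+++ b/modules/deployment/nixops.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+deployment.keys = builtins.mapAttrs (n: v: {
+keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
+destDir = config.nix-bitcoin.secretsDir;
+inherit (v) user group permissions;
+}) config.nix-bitcoin.secrets;
+
+# nixops makes the secrets directory accessible only for users with group 'key'.
+# For compatibility with other deployment methods besides nixops, we forego the
+# use of the 'key' group and make the secrets dir world-readable instead.
+# This is safe because all containing files have their specific private
+# permissions set.
+systemd.services.allowSecretsDirAccess = {
+requires = [ "keys.target" ];
+after = [ "keys.target" ];
+script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
+serviceConfig.Type = "oneshot";
+};
+
+systemd.targets.nix-bitcoin-secrets = {
+requires = [ "allowSecretsDirAccess.service" ];
+after = [ "allowSecretsDirAccess.service" ];
+};
+}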
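Review bot: The comment above `allowSecretsDirAccess` says the secrets dir is made "world-readable", but `chmod o+x` only grants other users search/traversal of the directory, not read (listing) access, so the comment overstates what the service does and obscures the real assumption. I would reword the two lines to `# use of the 'key' group and make the secrets dir world-traversable (o+x, not o+r) instead.` and `# This is safe only if every deployed key carries restrictive per-file permissions,`. The scheme's safety rests entirely on the `permissions` value inherited from each entry of `config.nix-bitcoin.secrets` in `deployment.keys`; the submodule that defines that default is not visible in this file, so stating the assumption where the chmod happens will help whoever next edits either side.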
@ -15,6 +15,13 @@ in
|
|||||||
description = "Directory to store secrets";
|
description = "Directory to store secrets";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
deployment.secretsDir = mkOption {
|
||||||
|
type = types.path;
|
||||||
|
description = ''
|
||||||
|
Directory of local secrets that are transfered to the nix-bitcoin node on deployment
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
secrets = mkOption {
|
secrets = mkOption {
|
||||||
default = {};
|
default = {};
|
||||||
type = with types; attrsOf (submodule (
|
type = with types; attrsOf (submodule (
|
||||||
|
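Review bot: `deployment.secretsDir` is typed `types.path`, which appears to accept a bare path literal such as `../secrets` as well as a string; because the value is string-interpolated in `modules/deployment/nixops.nix` (`keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}"`), a path literal would copy the entire local secrets directory into the world-readable Nix store at evaluation time. The example in this commit sidesteps that by passing `toString ../secrets`, but nothing in the option tells users they must. I would either narrow the type to `type = types.str;` or extend the description to read: Directory of local secrets that are transferred to the nix-bitcoin node on deployment. Pass it as a string (e.g. toString ./secrets), never as a path literal, since a path value is copied into the Nix store when interpolated. That also fixes the typo "transfered"; the enclosing options set begins above this hunk.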