extract module 'deployment/nixops.nix', add option 'deployment.secretsDir'

This commit is contained in:
Erik Arvstedt 2020-02-26 17:11:19 +01:00 committed by Jonas Nick
parent 87d0286498
commit 0c0978c007
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
3 changed files with 40 additions and 26 deletions


@ -1,31 +1,13 @@
{
network.description = "Bitcoin Core node";
bitcoin-node =
{ config, pkgs, lib, ... }: {
imports = [ ../configuration.nix <nix-bitcoin/modules/nix-bitcoin.nix> ];
bitcoin-node = { config, pkgs, lib, ... }: {
imports = [
../configuration.nix
<nix-bitcoin/modules/nix-bitcoin.nix>
<nix-bitcoin/modules/deployment/nixops.nix>
];
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${toString ../secrets}/${n}";
destDir = config.nix-bitcoin.secretsDir;
inherit (v) user group permissions;
}) config.nix-bitcoin.secrets;
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
nix-bitcoin.deployment.secretsDir = toString ../secrets;
};
}
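Review bot: The `toString` in `nix-bitcoin.deployment.secretsDir = toString ../secrets;` is load-bearing and deserves a comment, since a reader may later "simplify" it to the bare path literal. Interpolating a path value such as `../secrets` into a string copies the whole directory into the world-readable Nix store, whereas `toString` only yields the absolute path string that the imported module then uses for the key files. I would add above that line `# toString keeps ../secrets out of the Nix store; the module only needs the path string.` The module that now consumes this value lives in the second hunk.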


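--- /dev/null
+++ b/modules/deployment/nixops.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+deployment.keys = builtins.mapAttrs (n: v: {
+keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
+destDir = config.nix-bitcoin.secretsDir;
+inherit (v) user group permissions;
+}) config.nix-bitcoin.secrets;
+# nixops makes the secrets directory accessible only for users with group 'key'.
+# For compatibility with other deployment methods besides nixops, we forego the
+# use of the 'key' group and make the secrets dir world-readable instead.
+# This is safe because all containing files have their specific private
+# permissions set.
+systemd.services.allowSecretsDirAccess = {
+requires = [ "keys.target" ];
+after = [ "keys.target" ];
+script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
+serviceConfig.Type = "oneshot";
+};
+systemd.targets.nix-bitcoin-secrets = {
+requires = [ "allowSecretsDirAccess.service" ];
+after = [ "allowSecretsDirAccess.service" ];
+};
+}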
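Review bot: `keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";` depends on the option being set to a string; the option is declared as `types.path` in the third hunk, which also accepts a path literal such as `../secrets`, and interpolating a path value into a string copies the entire secrets directory into the world-readable Nix store before nixops ever reads the key file. The example in the first hunk avoids this by setting the option with `toString`, but the module should not rely on every caller remembering that. Coercing here, `keyFile = "${toString config.nix-bitcoin.deployment.secretsDir}/${n}";`, makes the module safe regardless of how the option is set. The option's description in the third hunk could additionally state that the directory is only referenced by its path string and is never imported into the store.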


@ -15,6 +15,13 @@ in
description = "Directory to store secrets";
};
deployment.secretsDir = mkOption {
type = types.path;
description = ''
Directory of local secrets that are transfered to the nix-bitcoin node on deployment
'';
};
secrets = mkOption {
default = {};
type = with types; attrsOf (submodule (