From 3b842e5fe773b9031b15ea2d0ae05749df079d02 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 27 Nov 2019 14:04:19 +0100
Subject: [PATCH] add nix-bitcoin-secrets.target

Remove use of nixops-specific 'keys' group and key services. Instead:
- Add nix-bitcoin-secrets.target, which should be required by all units that depend on secrets. (To keep it simple, it's okay to meet the secrets dependency indirectly by e.g. depending on bitcoind.) Various secret deployment methods can use this target by setting up the secrets before activating the target. In case of nixops we just specify that nixops' keys.target comes before nix-bitcoin-secrets.target. If the target is left undefined in the case of manual secrets deployment, systemd will simply ignore unit dependencies on the target.
- Allow all users to access the secrets dir. The access protection for the individual secret files is unchanged. This allows us to drop the unit dependency on the nixops 'keys' group.
---
 modules/bitcoind.nix | 5 ++---
 modules/clightning.nix | 2 +-
 modules/electrs.nix | 6 +++++-
 modules/liquid.nix | 5 ++---
 modules/lnd.nix | 2 +-
 modules/nanopos.nix | 1 -
 network/network.nix | 19 ++++++++++++++++++-
 7 files changed, 29 insertions(+), 11 deletions(-)

diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 31ad358..c1abaff 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -225,8 +225,8 @@ in {
 environment.systemPackages = [ cfg.package ];
 systemd.services.bitcoind = {
 description = "Bitcoin daemon";
- requires = [ "bitcoin-rpcpassword-key.service" ];
- after = [ "network.target" "bitcoin-rpcpassword-key.service" ];
+ requires = [ "nix-bitcoin-secrets.target" ];
+ after = [ "network.target" "nix-bitcoin-secrets.target" ];
 wantedBy = [ "multi-user.target" ];
 preStart = ''
 if ! test -e ${cfg.dataDir}; then
@@ -296,7 +296,6 @@ in {
 users.users.${cfg.user} = {
 group = cfg.group;
- extraGroups = [ "keys" ];
 description = "Bitcoin daemon user";
 home = cfg.dataDir;
 };
 
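Review bot: The new `requires = [ "nix-bitcoin-secrets.target" ];` only works if that target unit exists on every deployment, yet the only definition in this patch is the nixops-specific one in network/network.nix; as far as I know a `Requires=` on a unit systemd cannot find makes bitcoind fail to start with "Unit ... not found" — it is `Wants=` that is silently ignored — so the commit message's claim that manual deployments can leave the target undefined does not hold for this line. The safest fix is to declare the target in a module that every deployment imports, e.g. `systemd.targets.nix-bitcoin-secrets = {};`, and keep the strong dependency; switching to `wants` would instead let bitcoind start before its secrets are in place. The same applies to the `systemd.services.nginx` addition in modules/electrs.nix. The bitcoind service definition continues outside the hunk.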
diff --git a/modules/clightning.nix b/modules/clightning.nix
index 4fc1e89..a01ff7c 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -64,7 +64,7 @@ in {
 users.users.clightning = {
 description = "clightning User";
 group = "clightning";
- extraGroups = [ "bitcoinrpc" "keys" ];
+ extraGroups = [ "bitcoinrpc" ];
 home = cfg.dataDir;
 };
 users.groups.clightning = {};
diff --git a/modules/electrs.nix b/modules/electrs.nix
index 2d6ee20..77d8944 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@@ -60,7 +60,7 @@ in {
 users.users.${cfg.user} = {
 description = "electrs User";
 group = cfg.group;
- extraGroups = [ "bitcoinrpc" "keys" "bitcoin"];
+ extraGroups = [ "bitcoinrpc" "bitcoin"];
 home = cfg.dataDir;
 };
 users.groups.${cfg.group} = {};
@@ -113,5 +113,9 @@ in {
 }
 '';
 };
+ systemd.services.nginx = {
+ requires = [ "nix-bitcoin-secrets.target" ];
+ after = [ "nix-bitcoin-secrets.target" ];
+ };
 };
 }
diff --git a/modules/liquid.nix b/modules/liquid.nix
index c558a6a..5ce72e2 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -183,8 +183,8 @@ in {
 environment.systemPackages = [ pkgs.elementsd ];
 systemd.services.liquidd = {
 description = "Elements daemon providing access to the Liquid sidechain";
- requires = [ "liquid-rpcpassword-key.service" ];
- after = [ "network.target" "liquid-rpcpassword-key.service" ];
+ requires = [ "bitcoind.service" ];
+ after = [ "bitcoind.service" ];
 wantedBy = [ "multi-user.target" ];
 preStart = ''
 if ! test -e ${cfg.dataDir}; then
@@ -215,7 +215,6 @@ in {
 };
 users.users.${cfg.user} = {
 group = cfg.group;
- extraGroups = [ "keys" ];
 description = "Liquid sidechain user";
 home = cfg.dataDir;
 };
diff --git a/modules/lnd.nix b/modules/lnd.nix
index 496eb11..3806477 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
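Review bot: In modules/liquid.nix the new `after = [ "bitcoind.service" ];` drops the previous `network.target` ordering from liquidd's own unit; it still holds transitively because modules/bitcoind.nix orders bitcoind after network.target, but that is now an implicit assumption about another unit. Keeping `after = [ "network.target" "bitcoind.service" ];` makes the ordering explicit and survives a later change to bitcoind's unit. The new `requires = [ "bitcoind.service" ];` also hard-couples liquidd to bitcoind (stopping bitcoind now stops liquidd), which matches the commit message's indirect-dependency approach but is worth stating in place, e.g. `# secrets dependency (nix-bitcoin-secrets.target) is met indirectly via bitcoind.service`. The liquidd service definition continues outside the hunk.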
@@ -95,7 +95,7 @@ in {
 users.users.lnd = {
 description = "LND User";
 group = "lnd";
- extraGroups = [ "bitcoinrpc" "keys" ];
+ extraGroups = [ "bitcoinrpc" ];
 home = cfg.dataDir;
 };
 users.groups.lnd = {};
diff --git a/modules/nanopos.nix b/modules/nanopos.nix
index 2dc7364..9fb5337 100644
--- a/modules/nanopos.nix
+++ b/modules/nanopos.nix
@@ -55,7 +55,6 @@ in {
 users.users.nanopos = {
 description = "nanopos User";
 group = "nanopos";
- extraGroups = [ "keys" ];
 };
 users.groups.nanopos = {};
diff --git a/network/network.nix b/network/network.nix
index 9a35e9d..f8ae92b 100644
--- a/network/network.nix
+++ b/network/network.nix
@@ -75,7 +75,7 @@ in {
 network.description = "Bitcoin Core node";
 bitcoin-node =
- { config, pkgs, ... }: {
+ { config, pkgs, lib, ... }: {
 imports = [ ../configuration.nix ];
 deployment.keys = {
@@ -87,5 +87,22 @@ in {
 // (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { })
 // (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { })
 // (if (config.services.electrs.enable) then { inherit nginx_key nginx_cert; } else { });
+
+ # nixops makes the secrets directory accessible only for users with group 'key'. # For compatibility with other deployment methods besides nixops, we forego the # use of the 'key' group and make the secrets dir world-readable instead. # This is safe because all containing files have their specific private # permissions set.
+ systemd.services.allowSecretsDirAccess = {
+ requires = [ "keys.target" ];
+ after = [ "keys.target" ];
+ script = "chmod o+x /secrets";
+ serviceConfig.Type = "oneshot";
+ };
+
+ systemd.targets.nix-bitcoin-secrets = {
+ requires = [ "allowSecretsDirAccess.service" ];
+ after = [ "allowSecretsDirAccess.service" ];
+ };
 };
 }
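Review bot: `lib` is added to the module arguments in the first network/network.nix hunk, but none of the lines this commit adds to that file use it, so it reads as a leftover; drop it from `{ config, pkgs, lib, ... }: {` unless it is referenced somewhere outside the hunks. The bitcoin-node attribute set continues past the hunk.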
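Review bot: The comment above `systemd.services.allowSecretsDirAccess` misstates two things: the nixops group is `'keys'` (as the `extraGroups = [ "keys" ]` lines removed elsewhere in this patch show), and `chmod o+x /secrets` grants search/traverse permission only, not read, so the directory becomes world-searchable rather than world-readable — any local user can open a file whose name they know but cannot list the directory. Suggested wording: `# nixops restricts the secrets directory to the 'keys' group. To stay independent of that group we make /secrets world-searchable instead (o+x, not readable); this is safe only while every file inside keeps its own restrictive mode.` Because that safety now rests entirely on per-file modes, the oneshot could enforce the invariant before opening the directory, e.g. fail the unit if `find /secrets -type f -perm /o+rwx` prints anything and only then run the chmod. Consider `serviceConfig.RemainAfterExit = true;` as well, so the target's `requires` reflects a unit that stays active after its one-time job instead of one that has already exited. The bitcoin-node attribute set starts outside the hunk.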