add nix-bitcoin-secrets.target
Remove use of nixops-specific 'keys' group and key services. Instead: - Add nix-bitcoin-secrets.target, which should be required by all units that depend on secrets. (To keep it simple, it's okay to meet the secrets dependency indirectly by e.g. depending on bitcoind.) Various secret deployment methods can use this target by setting up the secrets before activating the target. In case of nixops we just specify that nixops' keys.target comes before nix-bitcoin-secrets.target. If the target is left undefined in the case of manual secrets deployment, systemd will simply ignore unit dependencies on the target. - Allow all users to access the secrets dir. The access protection for the individual secret files is unchanged. This allows us to drop the unit dependency on the nixops 'keys' group.
This commit is contained in:
Erik Arvstedt
@@ -225,8 +225,8 @@ in {
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
systemd.services.bitcoind = {
|
||||
description = "Bitcoin daemon";
|
||||
requires = [ "bitcoin-rpcpassword-key.service" ];
|
||||
after = [ "network.target" "bitcoin-rpcpassword-key.service" ];
|
||||
requires = [ "nix-bitcoin-secrets.target" ];
|
||||
after = [ "network.target" "nix-bitcoin-secrets.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
preStart = ''
|
||||
if ! test -e ${cfg.dataDir}; then
|
||||
@@ -296,7 +296,6 @@ in {
|
||||
|
||||
users.users.${cfg.user} = {
|
||||
group = cfg.group;
|
||||
extraGroups = [ "keys" ];
|
||||
description = "Bitcoin daemon user";
|
||||
home = cfg.dataDir;
|
||||
};
|
||||
|
||||
@@ -64,7 +64,7 @@ in {
|
||||
users.users.clightning = {
|
||||
description = "clightning User";
|
||||
group = "clightning";
|
||||
extraGroups = [ "bitcoinrpc" "keys" ];
|
||||
extraGroups = [ "bitcoinrpc" ];
|
||||
home = cfg.dataDir;
|
||||
};
|
||||
users.groups.clightning = {};
|
||||
|
||||
@@ -60,7 +60,7 @@ in {
|
||||
users.users.${cfg.user} = {
|
||||
description = "electrs User";
|
||||
group = cfg.group;
|
||||
extraGroups = [ "bitcoinrpc" "keys" "bitcoin"];
|
||||
extraGroups = [ "bitcoinrpc" "bitcoin"];
|
||||
home = cfg.dataDir;
|
||||
};
|
||||
users.groups.${cfg.group} = {};
|
||||
@@ -113,5 +113,9 @@ in {
|
||||
}
|
||||
'';
|
||||
};
|
||||
systemd.services.nginx = {
|
||||
requires = [ "nix-bitcoin-secrets.target" ];
|
||||
after = [ "nix-bitcoin-secrets.target" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -183,8 +183,8 @@ in {
|
||||
environment.systemPackages = [ pkgs.elementsd ];
|
||||
systemd.services.liquidd = {
|
||||
description = "Elements daemon providing access to the Liquid sidechain";
|
||||
requires = [ "liquid-rpcpassword-key.service" ];
|
||||
after = [ "network.target" "liquid-rpcpassword-key.service" ];
|
||||
requires = [ "bitcoind.service" ];
|
||||
after = [ "bitcoind.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
preStart = ''
|
||||
if ! test -e ${cfg.dataDir}; then
|
||||
@@ -215,7 +215,6 @@ in {
|
||||
};
|
||||
users.users.${cfg.user} = {
|
||||
group = cfg.group;
|
||||
extraGroups = [ "keys" ];
|
||||
description = "Liquid sidechain user";
|
||||
home = cfg.dataDir;
|
||||
};
|
||||
|
||||
@@ -95,7 +95,7 @@ in {
|
||||
users.users.lnd = {
|
||||
description = "LND User";
|
||||
group = "lnd";
|
||||
extraGroups = [ "bitcoinrpc" "keys" ];
|
||||
extraGroups = [ "bitcoinrpc" ];
|
||||
home = cfg.dataDir;
|
||||
};
|
||||
users.groups.lnd = {};
|
||||
|
||||
@@ -55,7 +55,6 @@ in {
|
||||
users.users.nanopos = {
|
||||
description = "nanopos User";
|
||||
group = "nanopos";
|
||||
extraGroups = [ "keys" ];
|
||||
};
|
||||
users.groups.nanopos = {};
|
||||
|
||||
|
||||
Reference in New Issue
Block a user