add nix-bitcoin-secrets.target

Remove use of nixops-specific 'keys' group and key services.
Instead:
- Add nix-bitcoin-secrets.target, which should be required by all
  units that depend on secrets. (To keep it simple, it's okay to meet
  the secrets dependency indirectly by e.g. depending on bitcoind.)

  Various secret deployment methods can use this target by
  setting up the secrets before activating the target.
  In case of nixops we just specify that nixops' keys.target comes
  before nix-bitcoin-secrets.target.

  If the target is left undefined in the case of manual secrets
  deployment, systemd will simply ignore unit dependencies on
  the target.

- Allow all users to access the secrets dir.
  The access protection for the individual secret files is unchanged.
  This allows us to drop the unit dependency on the nixops 'keys' group.
This commit is contained in:
Erik Arvstedt 2019-11-27 14:04:19 +01:00
parent bbf2bbc04a
commit 3b842e5fe7
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
7 changed files with 29 additions and 11 deletions

View File

@ -225,8 +225,8 @@ in {
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
systemd.services.bitcoind = { systemd.services.bitcoind = {
description = "Bitcoin daemon"; description = "Bitcoin daemon";
requires = [ "bitcoin-rpcpassword-key.service" ]; requires = [ "nix-bitcoin-secrets.target" ];
after = [ "network.target" "bitcoin-rpcpassword-key.service" ]; after = [ "network.target" "nix-bitcoin-secrets.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = '' preStart = ''
if ! test -e ${cfg.dataDir}; then if ! test -e ${cfg.dataDir}; then
@ -296,7 +296,6 @@ in {
users.users.${cfg.user} = { users.users.${cfg.user} = {
group = cfg.group; group = cfg.group;
extraGroups = [ "keys" ];
description = "Bitcoin daemon user"; description = "Bitcoin daemon user";
home = cfg.dataDir; home = cfg.dataDir;
}; };

View File

@ -64,7 +64,7 @@ in {
users.users.clightning = { users.users.clightning = {
description = "clightning User"; description = "clightning User";
group = "clightning"; group = "clightning";
extraGroups = [ "bitcoinrpc" "keys" ]; extraGroups = [ "bitcoinrpc" ];
home = cfg.dataDir; home = cfg.dataDir;
}; };
users.groups.clightning = {}; users.groups.clightning = {};

View File

@ -60,7 +60,7 @@ in {
users.users.${cfg.user} = { users.users.${cfg.user} = {
description = "electrs User"; description = "electrs User";
group = cfg.group; group = cfg.group;
extraGroups = [ "bitcoinrpc" "keys" "bitcoin"]; extraGroups = [ "bitcoinrpc" "bitcoin"];
home = cfg.dataDir; home = cfg.dataDir;
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
@ -113,5 +113,9 @@ in {
} }
''; '';
}; };
systemd.services.nginx = {
requires = [ "nix-bitcoin-secrets.target" ];
after = [ "nix-bitcoin-secrets.target" ];
};
}; };
} }

View File

@ -183,8 +183,8 @@ in {
environment.systemPackages = [ pkgs.elementsd ]; environment.systemPackages = [ pkgs.elementsd ];
systemd.services.liquidd = { systemd.services.liquidd = {
description = "Elements daemon providing access to the Liquid sidechain"; description = "Elements daemon providing access to the Liquid sidechain";
requires = [ "liquid-rpcpassword-key.service" ]; requires = [ "bitcoind.service" ];
after = [ "network.target" "liquid-rpcpassword-key.service" ]; after = [ "bitcoind.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = '' preStart = ''
if ! test -e ${cfg.dataDir}; then if ! test -e ${cfg.dataDir}; then
@ -215,7 +215,6 @@ in {
}; };
users.users.${cfg.user} = { users.users.${cfg.user} = {
group = cfg.group; group = cfg.group;
extraGroups = [ "keys" ];
description = "Liquid sidechain user"; description = "Liquid sidechain user";
home = cfg.dataDir; home = cfg.dataDir;
}; };

View File

@ -95,7 +95,7 @@ in {
users.users.lnd = { users.users.lnd = {
description = "LND User"; description = "LND User";
group = "lnd"; group = "lnd";
extraGroups = [ "bitcoinrpc" "keys" ]; extraGroups = [ "bitcoinrpc" ];
home = cfg.dataDir; home = cfg.dataDir;
}; };
users.groups.lnd = {}; users.groups.lnd = {};

View File

@ -55,7 +55,6 @@ in {
users.users.nanopos = { users.users.nanopos = {
description = "nanopos User"; description = "nanopos User";
group = "nanopos"; group = "nanopos";
extraGroups = [ "keys" ];
}; };
users.groups.nanopos = {}; users.groups.nanopos = {};

View File

@ -75,7 +75,7 @@ in {
network.description = "Bitcoin Core node"; network.description = "Bitcoin Core node";
bitcoin-node = bitcoin-node =
{ config, pkgs, ... }: { { config, pkgs, lib, ... }: {
imports = [ ../configuration.nix ]; imports = [ ../configuration.nix ];
deployment.keys = { deployment.keys = {
@ -87,5 +87,22 @@ in {
// (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { }) // (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { })
// (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { }) // (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { })
// (if (config.services.electrs.enable) then { inherit nginx_key nginx_cert; } else { }); // (if (config.services.electrs.enable) then { inherit nginx_key nginx_cert; } else { });
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x /secrets";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
}; };
} }