extract make-secrets.nix

Needed by the next commit.
This commit is contained in:
Erik Arvstedt 2019-11-27 14:04:26 +01:00
parent f9c29b9318
commit 437b268433
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
2 changed files with 73 additions and 64 deletions


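--- /dev/null
+++ b/modules/secrets/make-secrets.nix
@@ -0,0 +1,68 @@
+{ secretsFile ? null, config ? null }:
+let
+secrets = import secretsFile;
+secretsDir = "/secrets/";
+secret = { text ? null, keyFile ? null, user, group ? user }: {
+inherit text keyFile user group;
+destDir = secretsDir;
+permissions = "0440";
+};
+in rec {
+allSecrets = {
+bitcoin-rpcpassword = secret {
+text = secrets.bitcoinrpcpassword;
+user = "bitcoin";
+group = "bitcoinrpc";
+};
+lnd-wallet-password = secret {
+text = secrets.lnd-wallet-password;
+user = "lnd";
+};
+lightning-charge-api-token = secret {
+text = "API_TOKEN=" + secrets.lightning-charge-api-token;
+user = "clightning";
+};
+# variable is called CHARGE_TOKEN instead of API_TOKEN
+lightning-charge-api-token-for-nanopos = secret {
+text = "CHARGE_TOKEN=" + secrets.lightning-charge-api-token;
+user = "nanopos";
+};
+liquid-rpcpassword = secret {
+text = secrets.liquidrpcpassword;
+user = "liquid";
+};
+spark-wallet-login = secret {
+text = "login=" + "spark-wallet:" + secrets.spark-wallet-password;
+user = "clightning";
+};
+nginx_key = secret {
+keyFile = toString ../../secrets/nginx.key;
+user = "nginx";
+group = "root";
+};
+nginx_cert = secret {
+keyFile = toString ../../secrets/nginx.cert;
+user = "nginx";
+group = "root";
+};
+lnd_key = secret {
+keyFile = toString ../../secrets/lnd.key;
+user = "lnd";
+};
+lnd_cert = secret {
+keyFile = toString ../../secrets/lnd.cert;
+user = "lnd";
+};
+};
+activeSecrets = let
+secretsFor = service: attrs: if service.enable then attrs else {};
+in with allSecrets;
+(secretsFor config.services.bitcoind { inherit bitcoin-rpcpassword; })
+// (secretsFor config.services.lnd { inherit lnd-wallet-password lnd_key lnd_cert; })
+// (secretsFor config.services.lightning-charge { inherit lightning-charge-api-token; })
+// (secretsFor config.services.nanopos { inherit lightning-charge-api-token-for-nanopos; })
+// (secretsFor config.services.liquidd { inherit liquid-rpcpassword; })
+// (secretsFor config.services.spark-wallet { inherit spark-wallet-login; })
+// (secretsFor config.services.electrs { inherit nginx_key nginx_cert; });
+}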
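Review bot: The `keyFile = toString ../../secrets/nginx.key` entry and the three below it resolve relative to this new file's own directory, so extracting the definitions into modules/secrets/ changes where they point unless the key files sit next to the repo-root secrets.nix that the caller passes as `secretsFile`; that file is parameterized but the key directory is not, so consider taking it from the caller too, e.g. `{ secretsFile ? null, secretsDirPath ? dirOf secretsFile, config ? null }:` and `keyFile = toString (secretsDirPath + "/nginx.key");`. The `toString` itself deserves a comment, because it is what keeps the private keys out of the world-readable Nix store (interpolating a path into a string would copy the file there): `# toString passes the absolute path as a string so the key is never copied into the Nix store`. Finally, the `secretsFile ? null` and `config ? null` defaults only defer the failure to `import null` or `config.services.bitcoind`; an `assert secretsFile != null && config != null;` at the top gives a clearer error when a caller forgets an argument.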


@ -1,73 +1,14 @@
let {
secrets = import ../secrets/secrets.nix;
secretsDir = "/secrets/";
secret = { text ? null, keyFile ? null, user, group ? user }: {
inherit text user group;
destDir = secretsDir;
permissions = "0440";
};
bitcoin-rpcpassword = secret {
text = secrets.bitcoinrpcpassword;
user = "bitcoin";
group = "bitcoinrpc";
};
lnd-wallet-password = secret {
text = secrets.lnd-wallet-password;
user = "lnd";
};
lightning-charge-api-token = secret {
text = "API_TOKEN=" + secrets.lightning-charge-api-token;
user = "clightning";
};
# variable is called CHARGE_TOKEN instead of API_TOKEN
lightning-charge-api-token-for-nanopos = secret {
text = "CHARGE_TOKEN=" + secrets.lightning-charge-api-token;
user = "nanopos";
};
liquid-rpcpassword = secret {
text = secrets.liquidrpcpassword;
user = "liquid";
};
spark-wallet-login = secret {
text = "login=" + "spark-wallet:" + secrets.spark-wallet-password;
user = "clightning";
};
nginx_key = secret {
keyFile = toString ../../secrets/nginx.key;
user = "nginx";
group = "root";
};
nginx_cert = secret {
keyFile = toString ../../secrets/nginx.cert;
user = "nginx";
group = "root";
};
lnd_key = secret {
keyFile = toString ../../secrets/lnd.key;
user = "lnd";
};
lnd_cert = secret {
keyFile = toString ../../secrets/lnd.cert;
user = "lnd";
};
in {
network.description = "Bitcoin Core node"; network.description = "Bitcoin Core node";
bitcoin-node = bitcoin-node =
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
imports = [ ../configuration.nix ]; imports = [ ../configuration.nix ];
deployment.keys = { deployment.keys = (import ../modules/secrets/make-secrets.nix {
inherit bitcoin-rpcpassword; inherit config;
} secretsFile = ../secrets/secrets.nix;
// (if (config.services.lnd.enable) then { inherit lnd-wallet-password lnd_key lnd_cert; } else { }) }).activeSecrets;
// (if (config.services.lightning-charge.enable) then { inherit lightning-charge-api-token; } else { })
// (if (config.services.nanopos.enable) then { inherit lightning-charge-api-token-for-nanopos; } else { })
// (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { })
// (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { })
// (if (config.services.electrs.enable) then { inherit nginx_key nginx_cert; } else { });
# nixops makes the secrets directory accessible only for users with group 'key'. # nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the # For compatibility with other deployment methods besides nixops, we forego the