From 55d87490ec330b2fe78b4cc9275db287990f59fc Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 10 Mar 2021 14:08:36 +0100
Subject: [PATCH] secrets: make configuration more robust

- Fail at evaluation when secrets setup is not configured. Previously, bitcoind failed at runtime due to the missing secrets target.
- Fail at evaluation when conflicting secrets setup methods are used. This happens when `secretsSetupMethod` has more than one definition.
---
 modules/deployment/nixops.nix | 2 ++
 modules/secrets/secrets.nix | 18 +++++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/modules/deployment/nixops.nix b/modules/deployment/nixops.nix
index 50f9468..980d91c 100644
--- a/modules/deployment/nixops.nix
+++ b/modules/deployment/nixops.nix
@@ -1,5 +1,7 @@
 { config, ... }: {
+ nix-bitcoin.secretsSetupMethod = "nixops";
+
 deployment.keys = builtins.mapAttrs (n: v: {
 keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
 destDir = config.nix-bitcoin.secretsDir;
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index ccb495f..30618e8 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
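Review bot: The definition `nix-bitcoin.secretsSetupMethod = "nixops";` is unconditional, so merely importing this module now makes it incompatible with `generateSecrets = true` or a manual setting; that conflict is the intended check, but nothing at the definition site says so. A one-line comment would save the next reader from treating the resulting module-system conflict error as a bug: `# Declares nixops as the secrets setup method; any other method defined elsewhere deliberately produces an evaluation conflict.` The value is only meaningful while secrets.nix keeps accepting it, so if that option is ever narrowed to an enum this string must be listed there too.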
@@ -58,11 +58,25 @@ in
 }
 ));
 };
+
+ secretsSetupMethod = mkOption {
+ type = types.str;
+ default = throw ''
+ Error: No secrets setup method has been defined.
+ To fix this, choose one of the following:
+
+ - Use one of the deployment methods in ${toString ./../deployment}
+
+ - Set `nix-bitcoin.generateSecrets = true` to automatically generate secrets
+
+ - Set `nix-bitcoin.secretsSetupMethod = "manual"` if you want to manually setup secrets
+ '';
+ };
 };
 
 config = {
 # This target is active when secrets have been setup successfully.
- systemd.targets.nix-bitcoin-secrets = {
+ systemd.targets.nix-bitcoin-secrets = mkIf (cfg.secretsSetupMethod != "manual") {
 # This ensures that the secrets target is always activated when switching
 # configurations.
 # In this way `switch-to-configuration` is guaranteed to show an error
@@ -72,6 +86,8 @@ in
 
 nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true;
 
+ nix-bitcoin.secretsSetupMethod = mkIf cfg.setupSecrets "setup-secrets";
+
 # Operation of this service:
 # - Set owner and permissions for all used secrets
 # - Make all other secrets accessible to root only
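Review bot: `type = types.str` accepts any string, so a misspelled user value such as `"Manual"` evaluates cleanly yet is treated as a non-manual method by the `mkIf (cfg.secretsSetupMethod != "manual")` guard below, and a value that no module recognizes is never rejected. Since the only values this patch defines are `"nixops"` (the nixops.nix hunk), `"setup-secrets"` (the last hunk of this file) and `"manual"`, consider `type = types.enum [ "manual" "nixops" "setup-secrets" ];`, extended with whatever the other modules under `./../deployment` set — they are outside this patch, so confirm before narrowing. The option also has no `description`; something like `description = "How secrets are provisioned on the target: set by a deployment module or by generateSecrets, or \"manual\" to omit the secrets target.";` would document the contract this patch creates. Note that with `"manual"` the `nix-bitcoin-secrets` target is omitted entirely, so the activation-time check the comment above it promises is skipped and any unit that still lists the target in `requires`/`after` would hit the runtime failure this commit aims to remove — confirm the consumers tolerate its absence. The body of `systemd.targets.nix-bitcoin-secrets` continues past the end of the hunk.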