secrets: make configuration more robust

- Fail at evaluation when secrets setup is not configured.
  Previously, bitcoind failed at runtime due to the missing secrets target.

- Fail at evaluation when conflicting secrets setup methods are used.
  This happens when `secretsSetupMethod` has more than one definition.
Erik Arvstedt 2021-03-10 14:08:36 +01:00 committed by Jonas Nick
parent b0c223e716
commit 55d87490ec
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
2 changed files with 19 additions and 1 deletions


@ -1,5 +1,7 @@
{ config, ... }: { config, ... }:
{ {
nix-bitcoin.secretsSetupMethod = "nixops";
deployment.keys = builtins.mapAttrs (n: v: { deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}"; keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
destDir = config.nix-bitcoin.secretsDir; destDir = config.nix-bitcoin.secretsDir;
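Review bot: the added `nix-bitcoin.secretsSetupMethod = "nixops";` is assigned unconditionally, so this deployment module declares the setup method whenever it is imported. That is what makes the conflict detection described in the commit message work, because a `types.str` option refuses a second differing definition, but it also turns combining this module with `nix-bitcoin.generateSecrets = true` into a hard evaluation error rather than a silent override. A one-line comment above the assignment stating that the deployment module owns the setup method would make that intent visible to the next reader.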


@ -58,11 +58,25 @@ in
} }
)); ));
}; };
secretsSetupMethod = mkOption {
type = types.str;
default = throw ''
Error: No secrets setup method has been defined.
To fix this, choose one of the following:
- Use one of the deployment methods in ${toString ./../deployment}
- Set `nix-bitcoin.generateSecrets = true` to automatically generate secrets
- Set `nix-bitcoin.secretsSetupMethod = "manual"` if you want to manually setup secrets
'';
};
}; };
config = { config = {
# This target is active when secrets have been setup successfully. # This target is active when secrets have been setup successfully.
systemd.targets.nix-bitcoin-secrets = { systemd.targets.nix-bitcoin-secrets = mkIf (cfg.secretsSetupMethod != "manual") {
# This ensures that the secrets target is always activated when switching # This ensures that the secrets target is always activated when switching
# configurations. # configurations.
# In this way `switch-to-configuration` is guaranteed to show an error # In this way `switch-to-configuration` is guaranteed to show an error
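Review bot: the new `secretsSetupMethod` option has no `description`, so it will be missing from generated option documentation; add one that lists the accepted values (the ones visible in this change are "manual", "nixops" and "setup-secrets") and states that exactly one source may define it. Note also that `default = throw ''...''` only fires when the option value is actually read, which here happens through the `mkIf (cfg.secretsSetupMethod != "manual")` guard on `systemd.targets.nix-bitcoin-secrets`; the evaluation-time failure therefore depends on that reader staying in place, and a short comment beside the `throw` would make the coupling explicit. Minor: the error text reads "manually setup secrets"; the verb form is "set up".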
@ -72,6 +86,8 @@ in
nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true; nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true;
nix-bitcoin.secretsSetupMethod = mkIf cfg.setupSecrets "setup-secrets";
# Operation of this service: # Operation of this service:
# - Set owner and permissions for all used secrets # - Set owner and permissions for all used secrets
# - Make all other secrets accessible to root only # - Make all other secrets accessible to root only
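Review bot: `nix-bitcoin.secretsSetupMethod = mkIf cfg.setupSecrets "setup-secrets";` correctly drops the definition when `setupSecrets` is false, so it only collides with a deployment module's value when both are active. When they are (for example `generateSecrets = true` together with the nixops module changed in the first hunk), the user gets Nix's generic conflicting-definitions error for `nix-bitcoin.secretsSetupMethod` with no hint that the two settings are mutually exclusive; consider an assertion whose message names both sources, or at least spell out the exclusivity in the option description.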