secrets: make configuration more robust

- Fail at evaluation when secrets setup is not configured.
  Previously, bitcoind failed at runtime due to the missing secrets target.

- Fail at evaluation when conflicting secrets setup methods are used.
  This happens when `secretsSetupMethod` has more than one definition.

modules/deployment/nixops.nix

@@ -1,5 +1,7 @@
 { config, ... }:
 {
+  nix-bitcoin.secretsSetupMethod = "nixops";
+
   deployment.keys = builtins.mapAttrs (n: v: {
     keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
     destDir = config.nix-bitcoin.secretsDir;

modules/secrets/secrets.nix

@@ -58,11 +58,25 @@ in
         }
       ));
     };
+
+    secretsSetupMethod = mkOption {
+      type = types.str;
+      default = throw  ''
+        Error: No secrets setup method has been defined.
+        To fix this, choose one of the following:
+
+         - Use one of the deployment methods in ${toString ./../deployment}
+
+         - Set `nix-bitcoin.generateSecrets = true` to automatically generate secrets
+
+         - Set `nix-bitcoin.secretsSetupMethod = "manual"` if you want to manually setup secrets
+      '';
+    };
   };
 
   config = {
     # This target is active when secrets have been setup successfully.
-    systemd.targets.nix-bitcoin-secrets = {
+    systemd.targets.nix-bitcoin-secrets = mkIf (cfg.secretsSetupMethod != "manual") {
       # This ensures that the secrets target is always activated when switching
       # configurations.
       # In this way `switch-to-configuration` is guaranteed to show an error
@@ -72,6 +86,8 @@ in
 
     nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true;
 
+    nix-bitcoin.secretsSetupMethod = mkIf cfg.setupSecrets "setup-secrets";
+
     # Operation of this service:
     #  - Set owner and permissions for all used secrets
     #  - Make all other secrets accessible to root only