secrets: allow extending generate-secrets

`generate-secrets` is no longer a monolithic script. Instead, it's
composed of the values of option `nix-bitcoin.generateSecretsCmds`.

This has the following advantages:
- generate-secrets is now extensible by users
- Only secrets of enabled services are generated
- RPC IPs in the `lnd` and `loop` certs are no longer hardcoded.

Secrets are no longer automatically generated when entering nix-shell.
Instead, they are generated before deployment (via `krops-deploy`)
because secrets generation is now dependent on the node configuration.
Erik Arvstedt
2021-09-08 17:01:18 +02:00
parent 24fd1e9bdc
commit a2466b1127
15 changed files with 136 additions and 131 deletions


@@ -21,12 +21,22 @@ stdenv.mkDerivation rec {
${toString ./fetch-release}
}
krops-deploy() {
generate-secrets() {(
set -euo pipefail
genSecrets=$(nix-build --no-out-link -I nixos-config="${cfgDir}/configuration.nix" \
'<nixpkgs/nixos>' -A config.nix-bitcoin.generateSecretsScript)
mkdir -p "${cfgDir}/secrets"
(cd "${cfgDir}/secrets"; $genSecrets)
)}
krops-deploy() {(
set -euo pipefail
generate-secrets
# Ensure strict permissions on secrets/ directory before rsyncing it to
# the target machine
chmod 700 "${cfgDir}/secrets"
$(nix-build --no-out-link "${cfgDir}/krops/deploy.nix")
}
)}
# Print logo if
# 1. stdout is a TTY, i.e. we're not piping the output