diff --git a/examples/deploy-container.sh b/examples/deploy-container.sh index 408c590..8cc424b 100755 --- a/examples/deploy-container.sh +++ b/examples/deploy-container.sh @@ -83,8 +83,8 @@ read -d '' src < - ]; + nix-bitcoin.generateSecrets = true; }; }; } diff --git a/examples/deploy-qemu-vm.sh b/examples/deploy-qemu-vm.sh index c0a005e..bff14db 100755 --- a/examples/deploy-qemu-vm.sh +++ b/examples/deploy-qemu-vm.sh @@ -26,8 +26,8 @@ nix-build --out-link $tmpDir/vm - <<'EOF' imports = [ - ]; + nix-bitcoin.generateSecrets = true; }; }).vm EOF diff --git a/examples/minimal-configuration.nix b/examples/minimal-configuration.nix index db6cc66..e7c2757 100644 --- a/examples/minimal-configuration.nix +++ b/examples/minimal-configuration.nix @@ -1,9 +1,10 @@ { config, pkgs, lib, ... }: { imports = [ - ]; + nix-bitcoin.generateSecrets = true; + services.bitcoind.enable = true; services.clightning.enable = true; diff --git a/modules/obsolete-options.nix b/modules/obsolete-options.nix index 4c39aff..fc10181 100644 --- a/modules/obsolete-options.nix +++ b/modules/obsolete-options.nix @@ -22,6 +22,8 @@ in { (mkRenamedOptionModule [ "services" "liquidd" "bind" ] [ "services" "liquidd" "address" ]) (mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ]) + (mkRenamedOptionModule [ "nix-bitcoin" "setup-secrets" ] [ "nix-bitcoin" "setupSecrets" ]) + (mkRenamedAnnounceTorOption "clightning") (mkRenamedAnnounceTorOption "lnd") ]; diff --git a/modules/secrets/generate-secrets.nix b/modules/secrets/generate-secrets.nix index 83ef423..9061a62 100644 --- a/modules/secrets/generate-secrets.nix +++ b/modules/secrets/generate-secrets.nix @@ -1,26 +1,4 @@ -{ config, pkgs, lib, ... }: - -# This is mainly for testing. -# When using this for regular deployments, make sure to create a backup of the -# generated secrets. - -with lib; -{ - nix-bitcoin.setup-secrets = true; - - systemd.services.generate-secrets = { - requiredBy = [ "setup-secrets.service" ]; - before = [ "setup-secrets.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - mkdir -p "${config.nix-bitcoin.secretsDir}" - cd "${config.nix-bitcoin.secretsDir}" - chown root: . - chmod 0700 . - ${config.nix-bitcoin.pkgs.generate-secrets} - ''; - }; -} +throw '' + The module `generate-secrets.nix` has been removed. + Set option `nix-bitcoin.generateSecrets = true;` instead. +'' diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 5358bae..83f84ea 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -3,9 +3,6 @@ with lib; let cfg = config.nix-bitcoin; - setupSecrets = concatStrings (mapAttrsToList (n: v: '' - setupSecret ${n} ${v.user} ${v.group} ${v.permissions} } - '') cfg.secrets); in { options.nix-bitcoin = { @@ -15,6 +12,24 @@ in description = "Directory to store secrets"; }; + setupSecrets = mkOption { + type = types.bool; + default = false; + description = '' + Set permissions for existing secrets in `nix-bitcoin.secretsDir`. + ''; + }; + + generateSecrets = mkOption { + type = types.bool; + default = false; + description = '' + Automatically generate all required secrets. + Make sure to create a backup of the generated secrets. + ''; + }; + + # Currently, this is used only by ../deployment/nixops.nix deployment.secretsDir = mkOption { type = types.path; description = '' @@ -43,27 +58,34 @@ in } )); }; - - setup-secrets = mkEnableOption "Set permissions for secrets generated by 'generate-secrets.sh'"; }; - config = mkIf cfg.setup-secrets { - systemd.targets.nix-bitcoin-secrets = { - requires = [ "setup-secrets.service" ]; - after = [ "setup-secrets.service" ]; - }; + config = { + systemd.targets.nix-bitcoin-secrets = {}; + + nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true; # Operation of this service: # - Set owner and permissions for all used secrets # - Make all other secrets accessible to root only # For all steps make sure that no secrets are copied to the nix store. # - systemd.services.setup-secrets = { + systemd.services.setup-secrets = mkIf cfg.setupSecrets { + requiredBy = [ "nix-bitcoin-secrets.target" ]; + before = [ "nix-bitcoin-secrets.target" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' + ${optionalString cfg.generateSecrets '' + mkdir -p "${cfg.secretsDir}" + cd "${cfg.secretsDir}" + chown root: . + chmod 0700 . + ${cfg.pkgs.generate-secrets} + ''} + setupSecret() { file="$1" user="$2" @@ -87,7 +109,11 @@ in cd "$dir" processedFiles=() - ${setupSecrets} + ${ + concatStrings (mapAttrsToList (n: v: '' + setupSecret ${n} ${v.user} ${v.group} ${v.permissions} } + '') cfg.secrets) + } # Make all other files accessible to root only unprocessedFiles=$(comm -23 <(printf '%s\n' *) <(printf '%s\n' "''${processedFiles[@]}" | sort)) diff --git a/test/tests.nix b/test/tests.nix index c7d11a2..f9db2e0 100644 --- a/test/tests.nix +++ b/test/tests.nix @@ -12,10 +12,10 @@ let testEnv = rec { imports = [ ./lib/test-lib.nix ../modules/modules.nix - ../modules/secrets/generate-secrets.nix { # Features required by the Python test suite nix-bitcoin.secretsDir = "/secrets"; + nix-bitcoin.generateSecrets = true; nix-bitcoin.operator.enable = true; environment.systemPackages = with pkgs; [ jq ]; } @@ -80,8 +80,8 @@ let testEnv = rec { tests.backups = cfg.backups.enable; # To test that unused secrets are made inaccessible by 'setup-secrets' - systemd.services.generate-secrets.postStart = mkIfTest "security" '' - install -o nobody -g nogroup -m777 <(:) /secrets/dummy + systemd.services.setup-secrets.preStart = mkIfTest "security" '' + install -D -o nobody -g nogroup -m777 <(:) /secrets/dummy ''; } (mkIf config.test.features.clightningPlugins {