secrets: add option 'generateSecrets'

Move this feature from a module preset to a regular option, so that it's
easily discoverable and accessible.

Simplify the implementation of `generateSecrets` by adding it to the
existing `setup-secrets` service script.

Also rename option setup-secrets -> setupSecrets.
This commit is contained in:
Erik Arvstedt 2021-03-10 14:08:34 +01:00 committed by Jonas Nick
parent 03515a8da6
commit b701cb5603
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
7 changed files with 51 additions and 44 deletions


@ -83,8 +83,8 @@ read -d '' src <<EOF || true
config = { pkgs, config, lib, ... }: { config = { pkgs, config, lib, ... }: {
imports = [ imports = [
<${configuration}> <${configuration}>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
]; ];
nix-bitcoin.generateSecrets = true;
}; };
}; };
} }


@ -26,8 +26,8 @@ nix-build --out-link $tmpDir/vm - <<'EOF'
imports = [ imports = [
<configuration.nix> <configuration.nix>
<qemu-vm/vm-config.nix> <qemu-vm/vm-config.nix>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
]; ];
nix-bitcoin.generateSecrets = true;
}; };
}).vm }).vm
EOF EOF


@ -1,9 +1,10 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
imports = [ imports = [
<nix-bitcoin/modules/nix-bitcoin.nix> <nix-bitcoin/modules/nix-bitcoin.nix>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
]; ];
nix-bitcoin.generateSecrets = true;
services.bitcoind.enable = true; services.bitcoind.enable = true;
services.clightning.enable = true; services.clightning.enable = true;


@ -22,6 +22,8 @@ in {
(mkRenamedOptionModule [ "services" "liquidd" "bind" ] [ "services" "liquidd" "address" ]) (mkRenamedOptionModule [ "services" "liquidd" "bind" ] [ "services" "liquidd" "address" ])
(mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ]) (mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ])
(mkRenamedOptionModule [ "nix-bitcoin" "setup-secrets" ] [ "nix-bitcoin" "setupSecrets" ])
(mkRenamedAnnounceTorOption "clightning") (mkRenamedAnnounceTorOption "clightning")
(mkRenamedAnnounceTorOption "lnd") (mkRenamedAnnounceTorOption "lnd")
]; ];


@ -1,26 +1,4 @@
{ config, pkgs, lib, ... }: throw ''
The module `generate-secrets.nix` has been removed.
# This is mainly for testing. Set option `nix-bitcoin.generateSecrets = true;` instead.
# When using this for regular deployments, make sure to create a backup of the ''
# generated secrets.
with lib;
{
nix-bitcoin.setup-secrets = true;
systemd.services.generate-secrets = {
requiredBy = [ "setup-secrets.service" ];
before = [ "setup-secrets.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir -p "${config.nix-bitcoin.secretsDir}"
cd "${config.nix-bitcoin.secretsDir}"
chown root: .
chmod 0700 .
${config.nix-bitcoin.pkgs.generate-secrets}
'';
};
}


@ -3,9 +3,6 @@
with lib; with lib;
let let
cfg = config.nix-bitcoin; cfg = config.nix-bitcoin;
setupSecrets = concatStrings (mapAttrsToList (n: v: ''
setupSecret ${n} ${v.user} ${v.group} ${v.permissions} }
'') cfg.secrets);
in in
{ {
options.nix-bitcoin = { options.nix-bitcoin = {
@ -15,6 +12,24 @@ in
description = "Directory to store secrets"; description = "Directory to store secrets";
}; };
setupSecrets = mkOption {
type = types.bool;
default = false;
description = ''
Set permissions for existing secrets in `nix-bitcoin.secretsDir`.
'';
};
generateSecrets = mkOption {
type = types.bool;
default = false;
description = ''
Automatically generate all required secrets.
Make sure to create a backup of the generated secrets.
'';
};
# Currently, this is used only by ../deployment/nixops.nix
deployment.secretsDir = mkOption { deployment.secretsDir = mkOption {
type = types.path; type = types.path;
description = '' description = ''
@ -43,27 +58,34 @@ in
} }
)); ));
}; };
setup-secrets = mkEnableOption "Set permissions for secrets generated by 'generate-secrets.sh'";
}; };
config = mkIf cfg.setup-secrets { config = {
systemd.targets.nix-bitcoin-secrets = { systemd.targets.nix-bitcoin-secrets = {};
requires = [ "setup-secrets.service" ];
after = [ "setup-secrets.service" ]; nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true;
};
# Operation of this service: # Operation of this service:
# - Set owner and permissions for all used secrets # - Set owner and permissions for all used secrets
# - Make all other secrets accessible to root only # - Make all other secrets accessible to root only
# For all steps make sure that no secrets are copied to the nix store. # For all steps make sure that no secrets are copied to the nix store.
# #
systemd.services.setup-secrets = { systemd.services.setup-secrets = mkIf cfg.setupSecrets {
requiredBy = [ "nix-bitcoin-secrets.target" ];
before = [ "nix-bitcoin-secrets.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
}; };
script = '' script = ''
${optionalString cfg.generateSecrets ''
mkdir -p "${cfg.secretsDir}"
cd "${cfg.secretsDir}"
chown root: .
chmod 0700 .
${cfg.pkgs.generate-secrets}
''}
setupSecret() { setupSecret() {
file="$1" file="$1"
user="$2" user="$2"
@ -87,7 +109,11 @@ in
cd "$dir" cd "$dir"
processedFiles=() processedFiles=()
${setupSecrets} ${
concatStrings (mapAttrsToList (n: v: ''
setupSecret ${n} ${v.user} ${v.group} ${v.permissions} }
'') cfg.secrets)
}
# Make all other files accessible to root only # Make all other files accessible to root only
unprocessedFiles=$(comm -23 <(printf '%s\n' *) <(printf '%s\n' "''${processedFiles[@]}" | sort)) unprocessedFiles=$(comm -23 <(printf '%s\n' *) <(printf '%s\n' "''${processedFiles[@]}" | sort))
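Review bot: The `generateSecrets` option description in the second hunk does not mention that enabling it also forces `setupSecrets` on (`nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true;`) or that generation now runs inside the `setup-secrets` service script, i.e. at every start of that service rather than once; both are visible in the third hunk and matter to an operator deciding whether to enable this on a real deployment. Because the generator is re-invoked on each run, `${cfg.pkgs.generate-secrets}` presumably has to leave existing files untouched — that is not visible here and is worth confirming in the package and stating in the option text. Proposed description: `Automatically generate all required secrets. Implies 'setupSecrets'. Generation runs as part of 'setup-secrets.service' on every start of that service. Make sure to create a backup of the generated secrets.` The `setupSecrets` description could likewise say what the script's comment already promises, `Set permissions for existing secrets in 'nix-bitcoin.secretsDir'; files not listed in 'nix-bitcoin.secrets' are made accessible to root only.` The `setup-secrets` script body continues past the end of the last hunk.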


@ -12,10 +12,10 @@ let testEnv = rec {
imports = [ imports = [
./lib/test-lib.nix ./lib/test-lib.nix
../modules/modules.nix ../modules/modules.nix
../modules/secrets/generate-secrets.nix
{ {
# Features required by the Python test suite # Features required by the Python test suite
nix-bitcoin.secretsDir = "/secrets"; nix-bitcoin.secretsDir = "/secrets";
nix-bitcoin.generateSecrets = true;
nix-bitcoin.operator.enable = true; nix-bitcoin.operator.enable = true;
environment.systemPackages = with pkgs; [ jq ]; environment.systemPackages = with pkgs; [ jq ];
} }
@ -80,8 +80,8 @@ let testEnv = rec {
tests.backups = cfg.backups.enable; tests.backups = cfg.backups.enable;
# To test that unused secrets are made inaccessible by 'setup-secrets' # To test that unused secrets are made inaccessible by 'setup-secrets'
systemd.services.generate-secrets.postStart = mkIfTest "security" '' systemd.services.setup-secrets.preStart = mkIfTest "security" ''
install -o nobody -g nogroup -m777 <(:) /secrets/dummy install -D -o nobody -g nogroup -m777 <(:) /secrets/dummy
''; '';
} }
(mkIf config.test.features.clightningPlugins { (mkIf config.test.features.clightningPlugins {
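Review bot: The `security` test's `install -D -o nobody -g nogroup -m777 <(:) /secrets/dummy` in `preStart` now creates `/secrets` itself, with install's default directory mode, before the service script runs; the directory is only tightened to `0700` by the `chown root:` / `chmod 0700 .` lines that `secrets.nix` emits under `generateSecrets`, which this test environment enables earlier in the file. As far as the visible part of the `setup-secrets` script shows, nothing else fixes the directory's mode, so the test's pass/fail would silently depend on `generateSecrets` staying enabled in `test-lib`. A one-line comment above the `preStart` would record that: `# Relies on generateSecrets = true above: setup-secrets then chowns/chmods /secrets itself.` The enclosing attribute set continues past the end of the hunk.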