secrets: add option 'generateSecrets'

Move this feature from a module preset to a regular option, so that it's
easily discoverable and accessible.

Simplify the implementation of `generateSecrets` by adding it to the
existing `setup-secrets` service script.

Also rename option setup-secrets -> setupSecrets.

examples/deploy-container.sh

@@ -83,8 +83,8 @@ read -d '' src <<EOF || true
     config = { pkgs, config, lib, ... }: {
       imports = [
         <${configuration}>
-        <nix-bitcoin/modules/secrets/generate-secrets.nix>
       ];
+      nix-bitcoin.generateSecrets = true;
     };
   };
 }

examples/deploy-qemu-vm.sh

@@ -26,8 +26,8 @@ nix-build --out-link $tmpDir/vm - <<'EOF'
     imports = [
       <configuration.nix>
       <qemu-vm/vm-config.nix>
-      <nix-bitcoin/modules/secrets/generate-secrets.nix>
     ];
+    nix-bitcoin.generateSecrets = true;
   };
 }).vm
 EOF

examples/minimal-configuration.nix

@@ -1,9 +1,10 @@
 { config, pkgs, lib, ... }: {
   imports = [
     <nix-bitcoin/modules/nix-bitcoin.nix>
-    <nix-bitcoin/modules/secrets/generate-secrets.nix>
   ];
 
+  nix-bitcoin.generateSecrets = true;
+
   services.bitcoind.enable = true;
   services.clightning.enable = true;
 

modules/obsolete-options.nix

@@ -22,6 +22,8 @@ in {
     (mkRenamedOptionModule [ "services" "liquidd" "bind" ] [ "services" "liquidd" "address" ])
     (mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ])
 
+    (mkRenamedOptionModule [ "nix-bitcoin" "setup-secrets" ] [ "nix-bitcoin" "setupSecrets" ])
+
     (mkRenamedAnnounceTorOption "clightning")
     (mkRenamedAnnounceTorOption "lnd")
   ];

modules/secrets/generate-secrets.nix

@@ -1,26 +1,4 @@
-{ config, pkgs, lib, ... }:
+throw ''
-
+  The module `generate-secrets.nix` has been removed.
-# This is mainly for testing.
+  Set option `nix-bitcoin.generateSecrets = true;` instead.
-# When using this for regular deployments, make sure to create a backup of the
+''
-# generated secrets.
-
-with lib;
-{
-  nix-bitcoin.setup-secrets = true;
-
-  systemd.services.generate-secrets = {
-    requiredBy = [ "setup-secrets.service" ];
-    before = [ "setup-secrets.service" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      mkdir -p "${config.nix-bitcoin.secretsDir}"
-      cd "${config.nix-bitcoin.secretsDir}"
-      chown root: .
-      chmod 0700 .
-      ${config.nix-bitcoin.pkgs.generate-secrets}
-    '';
-  };
-}

modules/secrets/secrets.nix

@@ -3,9 +3,6 @@
 with lib;
 let
   cfg = config.nix-bitcoin;
-  setupSecrets = concatStrings (mapAttrsToList (n: v: ''
-    setupSecret ${n} ${v.user} ${v.group} ${v.permissions} }
-  '') cfg.secrets);
 in
 {
   options.nix-bitcoin = {
@@ -15,6 +12,24 @@ in
       description = "Directory to store secrets";
     };
 
+    setupSecrets = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Set permissions for existing secrets in `nix-bitcoin.secretsDir`.
+      '';
+    };
+
+    generateSecrets = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Automatically generate all required secrets.
+        Make sure to create a backup of the generated secrets.
+      '';
+    };
+
+    # Currently, this is used only by ../deployment/nixops.nix
     deployment.secretsDir = mkOption {
       type = types.path;
       description = ''
@@ -43,27 +58,34 @@ in
         }
       ));
     };
-
-    setup-secrets = mkEnableOption "Set permissions for secrets generated by 'generate-secrets.sh'";
   };
 
-  config = mkIf cfg.setup-secrets {
+  config =  {
-    systemd.targets.nix-bitcoin-secrets = {
+    systemd.targets.nix-bitcoin-secrets = {};
-      requires = [ "setup-secrets.service" ];
+
-      after = [ "setup-secrets.service" ];
+    nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true;
-    };
 
     # Operation of this service:
     #  - Set owner and permissions for all used secrets
     #  - Make all other secrets accessible to root only
     # For all steps make sure that no secrets are copied to the nix store.
     #
-    systemd.services.setup-secrets = {
+    systemd.services.setup-secrets = mkIf cfg.setupSecrets {
+      requiredBy = [ "nix-bitcoin-secrets.target" ];
+      before = [ "nix-bitcoin-secrets.target" ];
       serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
       };
       script = ''
+        ${optionalString cfg.generateSecrets ''
+          mkdir -p "${cfg.secretsDir}"
+          cd "${cfg.secretsDir}"
+          chown root: .
+          chmod 0700 .
+          ${cfg.pkgs.generate-secrets}
+        ''}
+
         setupSecret() {
             file="$1"
             user="$2"
@@ -87,7 +109,11 @@ in
         cd "$dir"
 
         processedFiles=()
-        ${setupSecrets}
+        ${
+          concatStrings (mapAttrsToList (n: v: ''
+            setupSecret ${n} ${v.user} ${v.group} ${v.permissions} }
+          '') cfg.secrets)
+        }
 
         # Make all other files accessible to root only
         unprocessedFiles=$(comm -23 <(printf '%s\n' *) <(printf '%s\n' "''${processedFiles[@]}" | sort))

test/tests.nix

@@ -12,10 +12,10 @@ let testEnv = rec {
     imports = [
       ./lib/test-lib.nix
       ../modules/modules.nix
-      ../modules/secrets/generate-secrets.nix
       {
         # Features required by the Python test suite
         nix-bitcoin.secretsDir = "/secrets";
+        nix-bitcoin.generateSecrets = true;
         nix-bitcoin.operator.enable = true;
         environment.systemPackages = with pkgs; [ jq ];
       }
@@ -80,8 +80,8 @@ let testEnv = rec {
       tests.backups = cfg.backups.enable;
 
       # To test that unused secrets are made inaccessible by 'setup-secrets'
-      systemd.services.generate-secrets.postStart = mkIfTest "security" ''
+      systemd.services.setup-secrets.preStart = mkIfTest "security" ''
-        install -o nobody -g nogroup -m777 <(:) /secrets/dummy
+        install -D -o nobody -g nogroup -m777 <(:) /secrets/dummy
       '';
     }
     (mkIf config.test.features.clightningPlugins {