From 89f9bedb9df71be71c4784c289026126e15c38a4 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 26 Feb 2020 20:37:46 +0100
Subject: [PATCH 1/2] generate-secrets.nix: fix indentation
---
 modules/secrets/generate-secrets.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/secrets/generate-secrets.nix b/modules/secrets/generate-secrets.nix
index fa72110..c9a38aa 100644
--- a/modules/secrets/generate-secrets.nix
+++ b/modules/secrets/generate-secrets.nix
@@ -12,8 +12,8 @@ with lib;
 requiredBy = [ "setup-secrets.service" ];
 before = [ "setup-secrets.service" ];
 serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
+ Type = "oneshot";
+ RemainAfterExit = true;
 } // config.nix-bitcoin-services.defaultHardening;
 script = ''
 mkdir -p "${config.nix-bitcoin.secretsDir}"
From ad23b508e3199490709608bc26e9cddb49bb6805 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 26 Feb 2020 20:37:47 +0100
Subject: [PATCH 2/2] {generate,setup}-secrets: remove process hardening
ProtectSystem=full disables writing to /etc which is the default secrets location. Besides that, hardening is pointless for {generate,setup}-secrets which don't read external input and are fully under our control.
---
 modules/secrets/generate-secrets.nix | 2 +-
 modules/secrets/secrets.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/secrets/generate-secrets.nix b/modules/secrets/generate-secrets.nix
index c9a38aa..493c8ff 100644
--- a/modules/secrets/generate-secrets.nix
+++ b/modules/secrets/generate-secrets.nix
@@ -14,7 +14,7 @@ with lib;
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
- } // config.nix-bitcoin-services.defaultHardening;
+ };
 script = ''
 mkdir -p "${config.nix-bitcoin.secretsDir}"
 cd "${config.nix-bitcoin.secretsDir}"
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 163346d..0149289 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
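Review bot: Dropping `// config.nix-bitcoin-services.defaultHardening` from the generate-secrets serviceConfig removes the whole hardening set to work around a single directive, ProtectSystem=full, which the commit message says blocks writes to the /etc default of secretsDir. systemd's `ReadWritePaths=` exists for exactly this carve-out, so the secrets directory can be made writable while everything else in defaultHardening (its contents are not visible here) stays in force: `} // config.nix-bitcoin-services.defaultHardening // { ReadWritePaths = [ config.nix-bitcoin.secretsDir ]; };`. The rationale that hardening is pointless because the unit reads no external input deserves a second look, since process hardening also bounds what a bug in this script, which runs `mkdir -p` and `cd` on secretsDir before continuing past the hunk, can touch on the host. If some directive in the set genuinely cannot be reconciled with writing secrets, a comment at the new `};` line naming it would stop the next reader from re-adding the hardening blindly. The generate-secrets service definition starts before this hunk and its script continues after it.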
@@ -56,7 +56,7 @@ in
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
- } // config.nix-bitcoin-services.defaultHardening;
+ };
 script = ''
 setupSecret() {
 file="$1"
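Review bot: The setup-secrets unit loses its entire hardening set at the `- } // config.nix-bitcoin-services.defaultHardening;` line when the narrower fix is to keep it and add `ReadWritePaths = [ config.nix-bitcoin.secretsDir ];` so that ProtectSystem=full stops blocking the /etc default. This is the unit that actually installs secrets onto the host (its `setupSecret()` helper begins at the end of this hunk and continues past it), so it is the one whose view of the filesystem most benefits from being limited to the paths it needs. If a specific directive in defaultHardening conflicts with what setupSecret does, recording that directive in the commit message or in a comment at the new `};` would make the trade-off auditable rather than implied by the phrase "fully under our control". The enclosing service block starts before this hunk.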