Erik Arvstedt a2466b1127
secrets: allow extending generate-secrets
`generate-secrets` is no longer a monolithic script. Instead, it's
composed of the values of option `nix-bitcoin.generateSecretsCmds`.

This has the following advantages:
- generate-secrets is now extensible by users
- Only secrets of enabled services are generated
- RPC IPs in the `lnd` and `loop` certs are no longer hardcoded.

Secrets are no longer automatically generated when entering nix-shell.
Instead, they are generated before deployment (via `krops-deploy`)
because secrets generation is now dependant on the node configuration.
2021-09-12 11:29:54 +02:00

220 lines
6.7 KiB

{ config, pkgs, lib, ... }:
with lib;
options.nix-bitcoin = {
secretsDir = mkOption {
type = types.path;
default = "/etc/nix-bitcoin-secrets";
description = "Directory to store secrets";
setupSecrets = mkOption {
type = types.bool;
default = false;
description = ''
Set permissions for existing secrets in `nix-bitcoin.secretsDir`.
generateSecrets = mkOption {
type = types.bool;
default = false;
description = ''
Automatically generate all required secrets at system startup.
Note: Make sure to create a backup of the generated secrets.
generateSecretsCmds = mkOption {
type = types.attrsOf types.str;
default = {};
description = ''
Bash expressions for generating secrets.
# Currently, this is used only by ../deployment/nixops.nix
deployment.secretsDir = mkOption {
type = types.path;
description = ''
Directory of local secrets that are transferred to the nix-bitcoin node on deployment
secrets = mkOption {
default = {};
type = with types; attrsOf (submodule (
{ config, ... }: {
options = {
user = mkOption {
type = str;
default = "root";
group = mkOption {
type = str;
default = config.user;
permissions = mkOption {
type = str;
default = "0440";
secretsSetupMethod = mkOption {
type = types.str;
default = throw ''
Error: No secrets setup method has been defined.
To fix this, choose one of the following:
- Use one of the deployment methods in ${toString ./../deployment}
- Set `nix-bitcoin.generateSecrets = true` to automatically generate secrets
- Set `nix-bitcoin.secretsSetupMethod = "manual"` if you want to manually setup secrets
generateSecretsScript = mkOption {
internal = true;
default = let
rpcauthSrc = builtins.fetchurl {
url = "";
sha256 = "189mpplam6yzizssrgiyv70c9899ggh8cac76j4n7v0xqzfip07n";
rpcauth = pkgs.writers.writeBash "rpcauth" ''
exec ${pkgs.python3}/bin/python ${rpcauthSrc} "$@"
in pkgs.writers.writeBash "generate-secrets" ''
set -euo pipefail
export PATH=${lib.makeBinPath (with pkgs; [ coreutils gnugrep ])}
makePasswordSecret() {
# Passwords have alphabet {a-z, A-Z, 0-9} and ~119 bits of entropy
[[ -e $1 ]] || ${pkgs.pwgen}/bin/pwgen -s 20 1 > "$1"
makeBitcoinRPCPassword() {
makePasswordSecret "$file"
if [[ $file -nt $HMACfile ]]; then
${rpcauth} $user $(cat "$file") | grep rpcauth | cut -d ':' -f 2 > "$HMACfile"
makeCert() {
# Add leading comma if not empty
if [[ ! -e $name-key ]]; then
# Create new key and cert
doMakeCert "-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout $name-key"
elif [[ ! -e $name-cert \
|| $(cat "$name-cert-alt-names" 2>/dev/null) != $extraAltNames ]]; then
# Create cert from existing key
doMakeCert "-key $name-key"
doMakeCert() {
# This fn uses global variables `name` and `extraAltNames`
${pkgs.openssl}/bin/openssl req -x509 \
-sha256 -days 3650 $keyOpts -out "$name-cert" \
-subj "/CN=localhost/O=$name" \
-addext "subjectAltName=DNS:localhost,IP:$extraAltNames"
echo "$extraAltNames" > "$name-cert-alt-names"
umask u=rw,go=
${builtins.concatStringsSep "\n" (builtins.attrValues cfg.generateSecretsCmds)}
cfg = config.nix-bitcoin;
in {
inherit options;
config = {
# This target is active when secrets have been setup successfully.
systemd.targets.nix-bitcoin-secrets = mkIf (cfg.secretsSetupMethod != "manual") {
# This ensures that the secrets target is always activated when switching
# configurations.
# In this way `switch-to-configuration` is guaranteed to show an error
# when activating the secrets target fails on deployment.
wantedBy = [ "" ];
nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true;
nix-bitcoin.secretsSetupMethod = mkIf cfg.setupSecrets "setup-secrets";
# Operation of this service:
# - Set owner and permissions for all used secrets
# - Make all other secrets accessible to root only
# For all steps make sure that no secrets are copied to the nix store.
# = mkIf cfg.setupSecrets {
requiredBy = [ "" ];
before = [ "" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
script = ''
${optionalString cfg.generateSecrets ''
mkdir -p "${cfg.secretsDir}"
cd "${cfg.secretsDir}"
chown root: .
chmod 0700 .
setupSecret() {
if [[ ! -e $file ]]; then
echo "Error: Secret file '$file' is missing"
exit 1
chown "$user:$group" "$file"
chmod "$permissions" "$file"
if [[ ! -e $dir ]]; then
echo "Error: Secrets dir '$dir' is missing"
exit 1
chown root: "$dir"
cd "$dir"
concatStrings (mapAttrsToList (n: v: ''
setupSecret ${n} ${v.user} ${} ${v.permissions} }
'') cfg.secrets)
# Make all other files accessible to root only
unprocessedFiles=$(comm -23 <(printf '%s\n' *) <(printf '%s\n' "''${processedFiles[@]}" | sort))
if [[ $unprocessedFiles ]]; then
chown root: $unprocessedFiles
chmod 0440 $unprocessedFiles
# Now make the secrets dir accessible to other users
chmod 0751 "$dir"