nix-bitcoin/network/network.nix
2020-01-12 20:02:00 +01:00

90 lines
2.9 KiB
Nix

let
secrets = import ../secrets/secrets.nix;
secretsDir = "/secrets/";
secret = { text ? null, keyFile ? null, user, group ? user }: {
inherit text user group;
destDir = secretsDir;
permissions = "0440";
};
bitcoin-rpcpassword = secret {
text = secrets.bitcoinrpcpassword;
user = "bitcoin";
group = "bitcoinrpc";
};
lnd-wallet-password = secret {
text = secrets.lnd-wallet-password;
user = "lnd";
};
lightning-charge-api-token = secret {
text = "API_TOKEN=" + secrets.lightning-charge-api-token;
user = "clightning";
};
# variable is called CHARGE_TOKEN instead of API_TOKEN
lightning-charge-api-token-for-nanopos = secret {
text = "CHARGE_TOKEN=" + secrets.lightning-charge-api-token;
user = "nanopos";
};
liquid-rpcpassword = secret {
text = secrets.liquidrpcpassword;
user = "liquid";
};
spark-wallet-login = secret {
text = "login=" + "spark-wallet:" + secrets.spark-wallet-password;
user = "clightning";
};
nginx_key = secret {
keyFile = toString ../../secrets/nginx.key;
user = "nginx";
group = "root";
};
nginx_cert = secret {
keyFile = toString ../../secrets/nginx.cert;
user = "nginx";
group = "root";
};
lnd_key = secret {
keyFile = toString ../../secrets/lnd.key;
user = "lnd";
};
lnd_cert = secret {
keyFile = toString ../../secrets/lnd.cert;
user = "lnd";
};
in {
network.description = "Bitcoin Core node";
bitcoin-node =
{ config, pkgs, lib, ... }: {
imports = [ ../configuration.nix ];
deployment.keys = {
inherit bitcoin-rpcpassword;
}
// (if (config.services.lnd.enable) then { inherit lnd-wallet-password lnd_key lnd_cert; } else { })
// (if (config.services.lightning-charge.enable) then { inherit lightning-charge-api-token; } else { })
// (if (config.services.nanopos.enable) then { inherit lightning-charge-api-token-for-nanopos; } else { })
// (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { })
// (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { })
// (if (config.services.electrs.enable) then { inherit nginx_key nginx_cert; } else { });
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x /secrets";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
};
}