nix-bitcoin/network/network.nix

32 lines
1.1 KiB
Nix
Raw Normal View History

{
2018-11-14 02:44:54 +03:00
network.description = "Bitcoin Core node";
2018-12-06 14:33:13 +03:00
bitcoin-node =
{ config, pkgs, lib, ... }: {
imports = [ ../configuration.nix ];
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${toString ../secrets}/${n}";
destDir = "/secrets/";
inherit (v) user group permissions;
}) config.nix-bitcoin.secrets;
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x /secrets";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
};
2018-11-14 02:44:54 +03:00
}