docs: Update to new deployment method (import instead of fork) (Jonas Nick)5ed0284db9
Add fetch-release script (Jonas Nick)c303cd47e4
Add push-release.sh helper (Jonas Nick)705d187a35
examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt)65039be656
docs: Remove duplicate instructions (Jonas Nick)455c5664c9
docs: Replace tabs with spaces (Jonas Nick)8aa4714979
docs: Update NixOS version (Jonas Nick)9df22a2764
add deploy-qemu-vm.sh example (Erik Arvstedt)548ced1994
README: Add Example section (Jonas Nick)44ccbb91d0
Clean up development shell.nix (Jonas Nick)abcee651d3
add deploy-container.sh (Erik Arvstedt)5dadea310c
add deploy-nixops.sh (Erik Arvstedt)0c74c365de
mention performance loss with hardened kernel profile (Erik Arvstedt)f3121892ef
move main module import to configuration.nix (Erik Arvstedt)0c0978c007
extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt)87d0286498
Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick) Pull request description: Top commit has no ACKs. Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c
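{ config, pkgs, lib, ... }:

with lib;

let
  cfg = config.nix-bitcoin;

  # One `setupSecret` call per declared secret.
  # Every argument is shell-escaped so a secret name, user, group or mode
  # containing shell metacharacters cannot alter the generated script.
  setupSecrets = concatStrings (mapAttrsToList (n: v: ''
    setupSecret ${escapeShellArg n} ${escapeShellArg v.user} ${escapeShellArg v.group} ${escapeShellArg v.permissions}
  '') cfg.secrets);

  # `toString` instead of "${cfg.secretsDir}": interpolating a Nix *path*
  # value copies the referenced directory into the nix store, which would
  # leak the secrets into the world-readable store. `toString` only yields
  # the path string.
  secretsDir = toString cfg.secretsDir;
in
{
  options.nix-bitcoin = {
    secretsDir = mkOption {
      type = types.path;
      default = "/etc/nix-bitcoin-secrets";
      description = "Directory to store secrets";
    };

    deployment.secretsDir = mkOption {
      type = types.path;
      description = ''
        Directory of local secrets that are transfered to the nix-bitcoin node on deployment
      '';
    };

    secrets = mkOption {
      default = {};
      description = ''
        Secret files in `secretsDir` used by services, keyed by file name.
        The setup-secrets service applies the given owner, group and mode to
        each of them; all other files in the directory are restricted to root.
      '';
      type = with types; attrsOf (submodule (
        { config, ... }: {
          options = {
            user = mkOption {
              type = str;
              default = "root";
              description = "Owner of the secret file";
            };
            group = mkOption {
              type = str;
              # Defaults to the owning user's name
              default = config.user;
              description = "Group of the secret file";
            };
            permissions = mkOption {
              type = str;
              default = "0440";
              description = "Mode passed to chmod for the secret file";
            };
          };
        }
      ));
    };

    setup-secrets = mkEnableOption "Set permissions for secrets generated by 'generate-secrets.sh'";
  };

  config = mkIf cfg.setup-secrets {
    systemd.targets.nix-bitcoin-secrets = {
      requires = [ "setup-secrets.service" ];
      after = [ "setup-secrets.service" ];
    };

    # Operation of this service:
    # - Set owner and permissions for all used secrets
    # - Make all other secrets accessible to root only
    # For all steps make sure that no secrets are copied to the nix store.
    #
    systemd.services.setup-secrets = {
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        # setupSecret FILE USER GROUP MODE
        # Applies owner/group/mode to FILE (relative to the secrets dir) and
        # records it so the remaining files can be locked down afterwards.
        setupSecret() {
          local file="$1"
          local user="$2"
          local group="$3"
          local permissions="$4"
          if [[ ! -e $file ]]; then
            echo "Error: Secret file '$file' is missing"
            exit 1
          fi
          chown "$user:$group" "$file"
          chmod "$permissions" "$file"
          processedFiles+=("$file")
        }

        dir=${escapeShellArg secretsDir}
        if [[ ! -e $dir ]]; then
          echo "Error: Secrets dir '$dir' is missing"
          exit 1
        fi
        chown root: "$dir"
        cd "$dir"

        processedFiles=()
        ${setupSecrets}

        # Make all other files accessible to root only.
        # nullglob: an empty dir must expand to no names rather than a
        # literal '*'. Both comm inputs go through sort so they use the same
        # collation, as comm requires.
        shopt -s nullglob
        unprocessedFiles=$(comm -23 <(printf '%s\n' * | sort) <(printf '%s\n' "''${processedFiles[@]}" | sort))
        if [[ -n $unprocessedFiles ]]; then
          IFS=$'\n'
          chown root: $unprocessedFiles
          chmod 0440 $unprocessedFiles
          unset IFS
        fi

        # Now make the secrets dir accessible to other users
        chmod 0751 "$dir"
      '';
    };
  };
}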