mirror of
https://github.com/fort-nix/nix-bitcoin.git
synced 2024-11-27 12:06:33 +03:00
826245484e
Users of the nix-bitcoin modules shouldn't be forced to add an extra dir under root. The secrets location is unchanged for the default node config.
32 lines
1.1 KiB
Nix
32 lines
1.1 KiB
Nix
{
|
|
network.description = "Bitcoin Core node";
|
|
|
|
bitcoin-node =
|
|
{ config, pkgs, lib, ... }: {
|
|
imports = [ ../configuration.nix ];
|
|
|
|
deployment.keys = builtins.mapAttrs (n: v: {
|
|
keyFile = "${toString ../secrets}/${n}";
|
|
destDir = config.nix-bitcoin.secretsDir;
|
|
inherit (v) user group permissions;
|
|
}) config.nix-bitcoin.secrets;
|
|
|
|
# nixops makes the secrets directory accessible only for users with group 'key'.
|
|
# For compatibility with other deployment methods besides nixops, we forego the
|
|
# use of the 'key' group and make the secrets dir world-readable instead.
|
|
# This is safe because all containing files have their specific private
|
|
# permissions set.
|
|
systemd.services.allowSecretsDirAccess = {
|
|
requires = [ "keys.target" ];
|
|
after = [ "keys.target" ];
|
|
script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
|
|
serviceConfig.Type = "oneshot";
|
|
};
|
|
|
|
systemd.targets.nix-bitcoin-secrets = {
|
|
requires = [ "allowSecretsDirAccess.service" ];
|
|
after = [ "allowSecretsDirAccess.service" ];
|
|
};
|
|
};
|
|
}
|