Merge #136: Change the nix-bitcoin deployment from forking this repo to importing the module

b2e15c17b8 docs: Update to new deployment method (import instead of fork) (Jonas Nick) 5ed0284db9 Add fetch-release script (Jonas Nick) c303cd47e4 Add push-release.sh helper (Jonas Nick) 705d187a35 examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt) 65039be656 docs: Remove duplicate instructions (Jonas Nick) 455c5664c9 docs: Replace tabs with spaces (Jonas Nick) 8aa4714979 docs: Update NixOS version (Jonas Nick) 9df22a2764 add deploy-qemu-vm.sh example (Erik Arvstedt) 548ced1994 README: Add Example section (Jonas Nick) 44ccbb91d0 Clean up development shell.nix (Jonas Nick) abcee651d3 add deploy-container.sh (Erik Arvstedt) 5dadea310c add deploy-nixops.sh (Erik Arvstedt) 0c74c365de mention performance loss with hardened kernel profile (Erik Arvstedt) f3121892ef move main module import to configuration.nix (Erik Arvstedt) 0c0978c007 extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt) 87d0286498 Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick) Pull request description: Top commit has no ACKs. Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c
2020-04-08 15:03:00 +00:00 · 2020-04-08 15:03:00 +00:00 · 9239268ab6
commit 9239268ab6
parent b9fbb144ca b2e15c17b8
23 changed files with 833 additions and 459 deletions
--- a/modules/deployment/nixops.nix
+++ b/modules/deployment/nixops.nix
@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  deployment.keys = builtins.mapAttrs (n: v: {
+    keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
+    destDir = config.nix-bitcoin.secretsDir;
+    inherit (v) user group permissions;
+  }) config.nix-bitcoin.secrets;
+
+  # nixops makes the secrets directory accessible only for users with group 'key'.
+  # For compatibility with other deployment methods besides nixops, we forego the
+  # use of the 'key' group and make the secrets dir world-readable instead.
+  # This is safe because all containing files have their specific private
+  # permissions set.
+  systemd.services.allowSecretsDirAccess = {
+    requires = [ "keys.target" ];
+    after = [ "keys.target" ];
+    script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
+    serviceConfig.Type = "oneshot";
+  };
+
+  systemd.targets.nix-bitcoin-secrets = {
+    requires = [ "allowSecretsDirAccess.service" ];
+    after = [ "allowSecretsDirAccess.service" ];
+  };
+}
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -15,6 +15,13 @@ in
      description = "Directory to store secrets";
    };

+    deployment.secretsDir = mkOption {
+      type = types.path;
+      description = ''
+        Directory of local secrets that are transfered to the nix-bitcoin node on deployment
+      '';
+    };
+
    secrets = mkOption {
      default = {};
      type = with types; attrsOf (submodule (