secrets: allow extending generate-secrets

`generate-secrets` is no longer a monolithic script. Instead, it's composed of the values of option `nix-bitcoin.generateSecretsCmds`. This has the following advantages: - generate-secrets is now extensible by users - Only secrets of enabled services are generated - RPC IPs in the `lnd` and `loop` certs are no longer hardcoded. Secrets are no longer automatically generated when entering nix-shell. Instead, they are generated before deployment (via `krops-deploy`) because secrets generation is now dependant on the node configuration.
2021-09-08 17:01:18 +02:00 · 2021-09-08 17:01:18 +02:00 · a2466b1127
commit a2466b1127
parent 24fd1e9bdc
15 changed files with 136 additions and 131 deletions
--- a/pkgs/generate-secrets/default.nix
+++ b/pkgs/generate-secrets/default.nix
@ -1,15 +0,0 @@
-{ pkgs }: with pkgs;
-
-let
-  rpcauthSrc = builtins.fetchurl {
-    url = "https://raw.githubusercontent.com/bitcoin/bitcoin/d6cde007db9d3e6ee93bd98a9bbfdce9bfa9b15b/share/rpcauth/rpcauth.py";
-    sha256 = "189mpplam6yzizssrgiyv70c9899ggh8cac76j4n7v0xqzfip07n";
-  };
-  rpcauth = pkgs.writeScriptBin "rpcauth" ''
-    exec ${pkgs.python3}/bin/python ${rpcauthSrc} "$@"
-  '';
-in
-writers.writeBash "generate-secrets" ''
-  export PATH=${lib.makeBinPath [ coreutils pwgen openssl gnugrep rpcauth ]}
-  . ${./generate-secrets.sh} ${./openssl.cnf}
-''
--- a/pkgs/generate-secrets/generate-secrets.sh
+++ b/pkgs/generate-secrets/generate-secrets.sh
@ -1,44 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-opensslConf=${1:-openssl.cnf}
-
-makePasswordSecret() {
-    # Passwords have alphabet {a-z, A-Z, 0-9} and ~119 bits of entropy
-    [[ -e $1 ]] || pwgen -s 20 1 > "$1"
-}
-makeHMAC() {
-    user=$1
-    rpcauth $user $(cat bitcoin-rpcpassword-$user) | grep rpcauth | cut -d ':' -f 2 > bitcoin-HMAC-$user
-}
-
-makePasswordSecret bitcoin-rpcpassword-privileged
-makePasswordSecret bitcoin-rpcpassword-btcpayserver
-makePasswordSecret bitcoin-rpcpassword-joinmarket-ob-watcher
-makePasswordSecret bitcoin-rpcpassword-public
-makePasswordSecret lnd-wallet-password
-makePasswordSecret liquid-rpcpassword
-makePasswordSecret spark-wallet-password
-makePasswordSecret backup-encryption-password
-makePasswordSecret jm-wallet-password
-
-[[ -e bitcoin-HMAC-privileged ]] || makeHMAC privileged
-[[ -e bitcoin-HMAC-public ]] || makeHMAC public
-[[ -e bitcoin-HMAC-btcpayserver ]] || makeHMAC btcpayserver
-[[ -e bitcoin-HMAC-joinmarket-ob-watcher ]] || makeHMAC joinmarket-ob-watcher
-[[ -e spark-wallet-login   ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
-[[ -e backup-encryption-env ]] || echo "PASSPHRASE=$(cat backup-encryption-password)" > backup-encryption-env
-
-makeCert() {
-  if [[ ! -e $name-key || ! -e $name-cert ]]; then
-    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
-      -sha256 -days 3650 -nodes -keyout "$name-key" -out "$name-cert" \
-      -subj "/CN=localhost/O=$name" \
-      -addext "subjectAltName=DNS:localhost,IP:127.0.0.1,IP:169.254.1.14,IP:169.254.1.22"
-    # TODO: Remove hardcoded lnd, loopd netns ips
-  fi
-}
-
-makeCert lnd
-makeCert loop
--- a/pkgs/generate-secrets/update-and-generate.nix
+++ b/pkgs/generate-secrets/update-and-generate.nix
@ -1,10 +0,0 @@
-{ pkgs }: with pkgs;
-
-let
-  generate-secrets = callPackage ./. {};
-in
-writeScript "make-secrets" ''
-  # Update from old secrets format
-  [[ -e secrets.nix ]] && . ${./update-secrets.sh}
-  ${generate-secrets}
-''
--- a/pkgs/generate-secrets/update-secrets.sh
+++ b/pkgs/generate-secrets/update-secrets.sh
@ -1,45 +0,0 @@
-#!/usr/bin/env bash
-
-set -eo pipefail
-
-# Update secrets from the old format to the current one where each secret
-# has a local source file.
-
-reportError() {
-    echo "Updating secrets failed. (Error in line $1)"
-    echo "The secret files have been moved to secrets/old-secrets"
-}
-trap 'reportError $LINENO' ERR
-
-echo "Updating old secrets to the current format."
-
-mkdir old-secrets
-# move all files into old-secrets
-shopt -s extglob dotglob
-mv !(old-secrets) old-secrets
-shopt -u dotglob
-
-secrets=$(cat old-secrets/secrets.nix)
-
-extractPassword() {
-    pwName="$1"
-    destFile="${2:-$pwName}"
-    echo "$secrets" | sed -nE "s/.*?$pwName = \"(.*?)\".*/\1/p" > "$destFile"
-}
-
-rename() {
-    old="old-secrets/$1"
-    if [[ -e $old ]]; then
-        cp "$old" "$2"
-    fi
-}
-
-extractPassword bitcoinrpcpassword bitcoin-rpcpassword
-extractPassword lnd-wallet-password
-extractPassword liquidrpcpassword liquid-rpcpassword
-extractPassword spark-wallet-password
-
-rename lnd.key lnd-key
-rename lnd.cert lnd-cert
-
-rm -r old-secrets