From 90ce68cb16cac9455eb5812447052e830528ba59 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Tue, 3 Oct 2023 13:00:23 +0200
Subject: [PATCH] treewide: ensure services are started after secrets setup

Now all services that access secrets only run after the secrets setup has finished. Previously, we assumed that the systemd `after` dependency is transitive, i.e. that adding an `after = [ "bitcoind.service" ]` to a service implicitly pulled in the `after` dependency to `nix-bitcoin-secrets.target` (which is defined for `bitcoind`). This is not the case. Services could start before secrets setup had finished, leading to service failure.

---
 modules/backups.nix | 2 +-
 modules/btcpayserver.nix | 2 +-
 modules/clightning.nix | 2 +-
 modules/electrs.nix | 2 +-
 modules/fulcrum.nix | 2 +-
 modules/joinmarket-ob-watcher.nix | 2 +-
 modules/joinmarket.nix | 4 ++--
 modules/lightning-loop.nix | 2 +-
 modules/liquid.nix | 2 +-
 modules/lnd.nix | 2 +-
 modules/rtl.nix | 2 +-
 11 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/modules/backups.nix b/modules/backups.nix
index e2228af..6db4458 100644
--- a/modules/backups.nix
+++ b/modules/backups.nix
@@ -106,7 +106,7 @@ in {
 
 systemd.services.duplicity = {
 wants = postgresqlBackupServices;
- after = postgresqlBackupServices;
+ after = postgresqlBackupServices ++ [ "nix-bitcoin-secrets.target" ];
 };
 
 services.postgresqlBackup = {
diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index 1bdd02c..24c73b2 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -174,7 +174,7 @@ in {
 in rec {
 wantedBy = [ "multi-user.target" ];
 requires = [ "bitcoind.service" "postgresql.service" ] ++ optional cfg.btcpayserver.lbtc "liquidd.service";
- after = requires;
+ after = requires ++ [ "nix-bitcoin-secrets.target" ];
 preStart = ''
 install -m 600 ${configFile} '${cfg.nbxplorer.dataDir}/settings.config'
 {
diff --git a/modules/clightning.nix b/modules/clightning.nix
index e99dee3..d1fead7 100644
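Review bot: The added `+ after = postgresqlBackupServices ++ [ "nix-bitcoin-secrets.target" ];` line gives an ordering constraint only, not a dependency: systemd honours `After=` solely when both units are part of the same transaction, so if nothing else pulls `nix-bitcoin-secrets.target` in, duplicity still races the secrets setup, and a failed setup does not keep the service from starting unless something else requires the target. Whether the target is already wanted by multi-user.target or by bitcoind.service is outside this patch, so this may be fine in practice, but making the dependency explicit is cheap: `wants = postgresqlBackupServices ++ [ "nix-bitcoin-secrets.target" ];` here, and `requires = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];` in the hunks that list `requires` literally. The same point applies to every other hunk in this patch (btcpayserver, clightning, electrs, fulcrum, joinmarket-ob-watcher, both joinmarket hunks, lightning-loop, liquid, lnd and rtl). Since the same literal is now repeated in eleven modules, a shared attribute in nbLib that every secret-consuming service merges into `after`/`requires` would keep the next service from reintroducing the bug this commit fixes. The `systemd.services.duplicity` set closes inside the hunk, but the enclosing module body continues outside it.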
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -168,7 +168,7 @@ in {
 path = [ bitcoind.package ];
 wantedBy = [ "multi-user.target" ];
 requires = [ "bitcoind.service" ];
- after = [ "bitcoind.service" ];
+ after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
 preStart = ''
 umask u=rw,g=r,o=
 {
diff --git a/modules/electrs.nix b/modules/electrs.nix
index c3ca425..110086f 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@@ -68,7 +68,7 @@ in {
 systemd.services.electrs = {
 wantedBy = [ "multi-user.target" ];
 requires = [ "bitcoind.service" ];
- after = [ "bitcoind.service" ];
+ after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
 preStart = ''
 echo "auth = \"${bitcoind.rpc.users.public.name}:$(cat ${secretsDir}/bitcoin-rpcpassword-public)\"" \
 > electrs.toml
diff --git a/modules/fulcrum.nix b/modules/fulcrum.nix
index 592757a..131fddd 100644
--- a/modules/fulcrum.nix
+++ b/modules/fulcrum.nix
@@ -112,7 +112,7 @@ in {
 systemd.services.fulcrum = {
 wantedBy = [ "multi-user.target" ];
 requires = [ "bitcoind.service" ];
- after = [ "bitcoind.service" ];
+ after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
 preStart = ''
 {
 cat ${configFile}
diff --git a/modules/joinmarket-ob-watcher.nix b/modules/joinmarket-ob-watcher.nix
index b5aa4ef..e2233be 100644
--- a/modules/joinmarket-ob-watcher.nix
+++ b/modules/joinmarket-ob-watcher.nix
@@ -75,7 +75,7 @@ in {
 systemd.services.joinmarket-ob-watcher = rec {
 wantedBy = [ "multi-user.target" ];
 requires = [ "tor.service" "bitcoind.service" ];
- after = requires;
+ after = requires ++ [ "nix-bitcoin-secrets.target" ];
 # The service writes to HOME/.config/matplotlib
 environment.HOME = cfg.dataDir;
 preStart = ''
diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix
index fe87bf4..4e68d66 100644
--- a/modules/joinmarket.nix
+++ b/modules/joinmarket.nix
@@ -303,7 +303,7 @@ in {
 systemd.services.joinmarket = {
 wantedBy = [ "multi-user.target" ];
 requires = [ "bitcoind.service" ];
- after = [ "bitcoind.service" ];
+ after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
 preStart = ''
 {
 cat ${configFile}
@@ -387,7 +387,7 @@ in {
 systemd.services.joinmarket-yieldgenerator = {
 wantedBy = [ "joinmarket.service" ];
 requires = [ "joinmarket.service" ];
- after = [ "joinmarket.service" ];
+ after = [ "joinmarket.service" "nix-bitcoin-secrets.target" ];
 script = ''
 tr -d "\n" <"${secretsDir}/jm-wallet-password" \
 | ${nbPkgs.joinmarket}/bin/jm-yg-privacyenhanced --datadir='${cfg.dataDir}' \
diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix
index 5ca8483..ceab36c 100644
--- a/modules/lightning-loop.nix
+++ b/modules/lightning-loop.nix
@@ -126,7 +126,7 @@ in {
 systemd.services.lightning-loop = {
 wantedBy = [ "multi-user.target" ];
 requires = [ "lnd.service" ];
- after = [ "lnd.service" ];
+ after = [ "lnd.service" "nix-bitcoin-secrets.target" ];
 serviceConfig = nbLib.defaultHardening // {
 ExecStart = "${cfg.package}/bin/loopd --configfile=${configFile}";
 User = lnd.user;
diff --git a/modules/liquid.nix b/modules/liquid.nix
index 7acf412..1ad6c5c 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -256,7 +256,7 @@ in {
 
 systemd.services.liquidd = {
 requires = [ "bitcoind.service" ];
- after = [ "bitcoind.service" ];
+ after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
 wantedBy = [ "multi-user.target" ];
 preStart = ''
 install -m 640 ${configFile} '${cfg.dataDir}/elements.conf'
diff --git a/modules/lnd.nix b/modules/lnd.nix
index cfb4f2e..c2b9c08 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -229,7 +229,7 @@ in {
 systemd.services.lnd = {
 wantedBy = [ "multi-user.target" ];
 requires = [ "bitcoind.service" ];
- after = [ "bitcoind.service" ];
+ after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
 preStart = ''
 install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
 {
diff --git a/modules/rtl.nix b/modules/rtl.nix
index aa6c5bf..73e9cf0 100644
--- a/modules/rtl.nix
+++ b/modules/rtl.nix
@@ -189,7 +189,7 @@ in {
 wantedBy = [ "multi-user.target" ];
 requires = optional cfg.nodes.clightning.enable "clightning-rest.service" ++ optional cfg.nodes.lnd.enable "lnd.service";
- after = requires;
+ after = requires ++ [ "nix-bitcoin-secrets.target" ];
 environment.RTL_CONFIG_PATH = cfg.dataDir;
 environment.DB_DIRECTORY_PATH = cfg.dataDir;
 serviceConfig = nbLib.defaultHardening // {