simplify secrets file format

Each secret file to be deployed is now backed by one local file.
This simplifies 'setup-secrets' and the secret definitions.
Also, with the old format it was not possible to add new secrets
to secrets.nix in a simple way.

Old secrets are automatically converted to the new format when running
nix-shell.

Using the new option 'nix-bitcoin.secrets', secrets are now directly
defined by the services that use them.
This commit is contained in:
Erik Arvstedt 2020-01-12 20:52:38 +01:00
parent 314272a228
commit b1e13e9415
No known key found for this signature in database
GPG key ID: 33312B944DD97846
15 changed files with 151 additions and 152 deletions


@ -9,8 +9,8 @@ let
datadir=${cfg.dataDir}
logdir=${cfg.dataDir}/logs
bitcoin.mainnet=1
tlscertpath=/secrets/lnd_cert
tlskeypath=/secrets/lnd_key
tlscertpath=/secrets/lnd-cert
tlskeypath=/secrets/lnd-key
rpclisten=localhost:${toString cfg.rpcPort}
@ -61,7 +61,7 @@ in {
default = pkgs.writeScriptBin "lncli"
# Switch user because lnd makes datadir contents readable by user only
''
exec sudo -u lnd ${pkgs.nix-bitcoin.lnd}/bin/lncli --tlscertpath /secrets/lnd_cert \
exec sudo -u lnd ${pkgs.nix-bitcoin.lnd}/bin/lncli --tlscertpath /secrets/lnd-cert \
--macaroonpath '${cfg.dataDir}/chain/bitcoin/mainnet/admin.macaroon' "$@"
'';
description = "Binary to connect with the lnd instance.";
@ -109,7 +109,7 @@ in {
echo Create lnd seed
${pkgs.curl}/bin/curl -s \
--cacert /secrets/lnd_cert \
--cacert /secrets/lnd-cert \
-X GET https://127.0.0.1:8080/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > /secrets/lnd-seed-mnemonic
fi
@ -117,7 +117,7 @@ in {
echo Create lnd wallet
${pkgs.curl}/bin/curl -s --output /dev/null --show-error \
--cacert /secrets/lnd_cert \
--cacert /secrets/lnd-cert \
-X POST -d "{\"wallet_password\": \"$(cat /secrets/lnd-wallet-password | tr -d '\n' | base64 -w0)\", \
\"cipher_seed_mnemonic\": $(cat /secrets/lnd-seed-mnemonic | tr -d '\n')}" \
https://127.0.0.1:8080/v1/initwallet
@ -132,7 +132,7 @@ in {
${pkgs.curl}/bin/curl -s \
-H "Grpc-Metadata-macaroon: $(${pkgs.xxd}/bin/xxd -ps -u -c 99999 '${mainnetDir}/admin.macaroon')" \
--cacert /secrets/lnd_cert \
--cacert /secrets/lnd-cert \
-X POST \
-d "{\"wallet_password\": \"$(cat /secrets/lnd-wallet-password | tr -d '\n' | base64 -w0)\"}" \
https://127.0.0.1:8080/v1/unlockwallet
@ -151,5 +151,10 @@ in {
home = cfg.dataDir;
};
users.groups.lnd = {};
nix-bitcoin.secrets = {
lnd-wallet-password.user = "lnd";
lnd-key.user = "lnd";
lnd-cert.user = "lnd";
};
};
}
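Review bot: The seed mnemonic that the preStart script writes to `/secrets/lnd-seed-mnemonic` through a plain shell redirection (`jq ... > /secrets/lnd-seed-mnemonic`) is not declared in the new `nix-bitcoin.secrets` block, so whatever ownership and mode handling that option applies to `lnd-wallet-password`, `lnd-key` and `lnd-cert` (its implementation is not visible here) does not cover it, and the file's mode is left to the script's umask. Since the mnemonic is what `initwallet` is seeded from, it deserves at least the protection of the wallet password: either add `lnd-seed-mnemonic.user = "lnd";` to the block if the option also accepts files generated at runtime, or make the script create the file restrictively before writing, e.g. `umask 077` at the top of the script or `install -m 600 /dev/null /secrets/lnd-seed-mnemonic` ahead of the redirect. Also worth noting, although untouched by this commit, the wallet password is embedded in curl's `-d` argument and is therefore visible in the process command line to other local users while the request runs; passing the JSON on stdin with `-d @-` would avoid that. The enclosing module block and the `if` guarding seed creation start outside the visible hunks, so the existence check that presumably prevents overwriting the seed could not be verified here.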