simplify secrets file format

Each secret file to be deployed is now backed by one local file. This simplifies 'setup-secrets' and the secret definitions. Also, with the old format it was not possible to add new secrets to secrets.nix in a simple way. Old secrets are automatically converted to the new format when running nix-shell. Using the new option 'nix-bitcoin.secrets', secrets are now directly defined by the services that use them.
2020-01-12 20:52:38 +01:00 · 2020-01-12 20:52:38 +01:00 · b1e13e9415
commit b1e13e9415
parent 314272a228
15 changed files with 151 additions and 152 deletions
--- a/pkgs/generate-secrets/generate-secrets.sh
+++ b/pkgs/generate-secrets/generate-secrets.sh
@ -1,43 +1,31 @@
-#!/bin/sh
+#!/usr/bin/env bash

 opensslConf=${1:-openssl.cnf}
-secretsFile=secrets.nix

-if [ ! -e "$secretsFile" ]; then
-    echo Write secrets to $secretsFile
-    makepw="apg -m 20 -x 20 -M Ncl -n 1"
-    {
-        echo \{
-        echo "  bitcoinrpcpassword = \"$($makepw)\";"
-        echo "  lnd-wallet-password = \"$($makepw)\";"
-        echo "  lightning-charge-api-token = \"$($makepw)\";"
-        echo "  liquidrpcpassword = \"$($makepw)\";"
-        echo "  spark-wallet-password = \"$($makepw)\";"
-        echo \}
-    } >> $secretsFile
-    echo Done
-else
-    echo $secretsFile already exists. Skipping.
-fi
+makePasswordSecret() {
+    [[ -e $1 ]] || apg -m 20 -x 20 -M Ncl -n 1 > "$1"
+}

-if [ ! -e nginx.key ] || [ ! -e nginx.cert ]; then
-    echo Generate Nginx Self-Signed Cert
-    openssl genrsa -out nginx.key 2048
-    openssl req -new -key nginx.key -out nginx.csr -subj "/C=KN"
-    openssl x509 -req -days 1825 -in nginx.csr -signkey nginx.key -out nginx.cert
+makePasswordSecret bitcoin-rpcpassword
+makePasswordSecret lnd-wallet-password
+makePasswordSecret liquid-rpcpassword
+makePasswordSecret lightning-charge-token
+makePasswordSecret spark-wallet-password
+
+[[ -e lightning-charge-env ]] || echo "API_TOKEN=$(cat lightning-charge-token)" > lightning-charge-env
+[[ -e nanopos-env          ]] || echo "CHARGE_TOKEN=$(cat lightning-charge-token)" > nanopos-env
+[[ -e spark-wallet-login   ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
+
+if [[ ! -e nginx-key || ! -e nginx-cert ]]; then
+    openssl genrsa -out nginx-key 2048
+    openssl req -new -key nginx-key -out nginx.csr -subj "/C=KN"
+    openssl x509 -req -days 1825 -in nginx.csr -signkey nginx-key -out nginx-cert
    rm nginx.csr
-    echo Done
-else
-    echo Nginx Cert already exists. Skipping.
 fi

-if [ ! -e lnd.key ] || [ ! -e lnd.cert ]; then
-    echo Generate LND compatible TLS Cert
-    openssl ecparam -genkey -name prime256v1 -out lnd.key
-    openssl req -config $opensslConf -new -sha256 -key lnd.key -out lnd.csr -subj '/CN=localhost/O=lnd'
-    openssl req -config $opensslConf -x509 -sha256 -days 1825 -key lnd.key -in lnd.csr -out lnd.cert
+if [[ ! -e lnd-key || ! -e lnd-cert ]]; then
+    openssl ecparam -genkey -name prime256v1 -out lnd-key
+    openssl req -config $opensslConf -new -sha256 -key lnd-key -out lnd.csr -subj '/CN=localhost/O=lnd'
+    openssl req -config $opensslConf -x509 -sha256 -days 1825 -key lnd-key -in lnd.csr -out lnd-cert
    rm lnd.csr
-    echo Done
-else
-    echo LND cert already exists. Skipping.
 fi
--- a/pkgs/generate-secrets/update-and-generate.nix
+++ b/pkgs/generate-secrets/update-and-generate.nix
@ -0,0 +1,10 @@
+{ pkgs }: with pkgs;
+
+let
+  generate-secrets = callPackage ./. {};
+in
+writeScript "make-secrets" ''
+  # Update from old secrets format
+  [[ -e secrets.nix ]] && . ${./update-secrets.sh}
+  ${generate-secrets}
+''
--- a/pkgs/generate-secrets/update-secrets.sh
+++ b/pkgs/generate-secrets/update-secrets.sh
@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+# Update secrets from the old format to the current one where each secret
+# has a local source file.
+
+reportError() {
+    echo "Updating secrets failed. (Error in line $1)"
+    echo "The secret files have been moved to secrets/old-secrets"
+}
+trap 'reportError $LINENO' ERR
+
+echo "Updating old secrets to the current format."
+
+mkdir old-secrets
+# move all files into old-secrets
+shopt -s extglob dotglob
+mv !(old-secrets) old-secrets
+shopt -u dotglob
+
+secrets=$(cat old-secrets/secrets.nix)
+
+extractPassword() {
+    pwName="$1"
+    destFile="${2:-$pwName}"
+    echo "$secrets" | sed -nE "s/.*?$pwName = \"(.*?)\".*/\1/p" > "$destFile"
+}
+
+rename() {
+    old="old-secrets/$1"
+    if [[ -e $old ]]; then
+        cp "$old" "$2"
+    fi
+}
+
+extractPassword bitcoinrpcpassword bitcoin-rpcpassword
+extractPassword lnd-wallet-password
+extractPassword liquidrpcpassword liquid-rpcpassword
+extractPassword lightning-charge-api-token lightning-charge-token
+extractPassword spark-wallet-password
+
+rename nginx.key nginx-key
+rename nginx.cert nginx-cert
+rename lnd.key lnd-key
+rename lnd.cert lnd-cert
+
+rm -r old-secrets