secrets: make configuration more robust

- Fail at evaluation when secrets setup is not configured. Previously, bitcoind failed at runtime due to the missing secrets target.
- Fail at evaluation when conflicting secrets setup methods are used. This happens when `secretsSetupMethod` has more than one definition.
parent b0c223e716
commit 55d87490ec
@ -1,5 +1,7 @@
{ config, ... }:
{
nix-bitcoin.secretsSetupMethod = "nixops";
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
destDir = config.nix-bitcoin.secretsDir;
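Review bot: `nix-bitcoin.secretsSetupMethod = "nixops";` is a plain definition rather than `mkDefault`, and that is exactly what makes importing a second deployment module fail at evaluation with a conflicting-definitions error, as the commit message intends; since that error names only the option and not the reason, a one-line comment above the assignment (for example `# Deliberately not mkDefault: two deployment modules must conflict`) would stop the next reader from "fixing" it into `mkDefault` and silently reintroducing the ambiguity.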
@ -58,11 +58,25 @@ in
}
));
};
secretsSetupMethod = mkOption {
type = types.str;
default = throw ''
Error: No secrets setup method has been defined.
To fix this, choose one of the following:
- Use one of the deployment methods in ${toString ./../deployment}
- Set `nix-bitcoin.generateSecrets = true` to automatically generate secrets
- Set `nix-bitcoin.secretsSetupMethod = "manual"` if you want to manually setup secrets
'';
};
};
config = {
# This target is active when secrets have been setup successfully.
systemd.targets.nix-bitcoin-secrets = {
systemd.targets.nix-bitcoin-secrets = mkIf (cfg.secretsSetupMethod != "manual") {
# This ensures that the secrets target is always activated when switching
# configurations.
# In this way `switch-to-configuration` is guaranteed to show an error
@ -72,6 +86,8 @@ in
nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true;
nix-bitcoin.secretsSetupMethod = mkIf cfg.setupSecrets "setup-secrets";
# Operation of this service:
# - Set owner and permissions for all used secrets
# - Make all other secrets accessible to root only
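Review bot: `nix-bitcoin.secretsSetupMethod = mkIf cfg.setupSecrets "setup-secrets";` relies on the option's `types.str` merge to raise the conflict when a deployment module also defines the method, which is the behaviour the commit message asks for, but the chain `generateSecrets` -> `setupSecrets` -> `secretsSetupMethod` is now spread across two `mkIf` lines with nothing saying that a user who sets `setupSecrets = true` next to the nixops module is expected to get a generic conflicting-definitions error. A short comment on this line, or an `assertions` entry whose message names both sources of the definition, would make that failure mode deliberate and understandable rather than incidental.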