make secrets dir location configurable

Users of the nix-bitcoin modules shouldn't be forced to add an extra dir under root. The secrets location is unchanged for the default node config.
2020-01-12 20:52:39 +01:00 · 2020-01-12 20:52:39 +01:00 · 826245484e
commit 826245484e
parent b1e13e9415
12 changed files with 38 additions and 32 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -238,7 +238,7 @@ in {
        cp '${cfg.configFileOption}' '${cfg.dataDir}/bitcoin.conf'
        chmod o-rw  '${cfg.dataDir}/bitcoin.conf'
        chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
-        echo "rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf'
+        echo "rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf'
        chmod -R g+rX '${cfg.dataDir}/blocks'
      '';
      # Wait until RPC port is open. This usually takes just a few ms.
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@ -93,7 +93,7 @@ in {
        chmod u=rw,g=r,o= ${cfg.dataDir}/config
        # The RPC socket has to be removed otherwise we might have stale sockets
        rm -f ${cfg.dataDir}/lightning-rpc
-        echo "bitcoin-rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
+        echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
        '';
      serviceConfig = {
        PermissionsStartOnly = "true";
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -5,6 +5,7 @@ with lib;
 let
  cfg = config.services.electrs;
  inherit (config) nix-bitcoin-services;
  secretsDir = config.nix-bitcoin.secretsDir;
  index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
  jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
 in {
@ -74,7 +75,7 @@ in {
      preStart = ''
        mkdir -m 0770 -p ${cfg.dataDir}
        chown -R '${cfg.user}:${cfg.group}' ${cfg.dataDir}
-        echo "${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv ${index-batch-size} ${jsonrpc-import} --timestamp --db-dir ${cfg.dataDir} --daemon-dir /var/lib/bitcoind --cookie=${config.services.bitcoind.rpcuser}:$(cat /secrets/bitcoin-rpcpassword) --electrum-rpc-addr=127.0.0.1:${toString cfg.port}" > /run/electrs/startscript.sh
+        echo "${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv ${index-batch-size} ${jsonrpc-import} --timestamp --db-dir ${cfg.dataDir} --daemon-dir /var/lib/bitcoind --cookie=${config.services.bitcoind.rpcuser}:$(cat ${secretsDir}/bitcoin-rpcpassword) --electrum-rpc-addr=127.0.0.1:${toString cfg.port}" > /run/electrs/startscript.sh
        '';	
      serviceConfig = rec {
        RuntimeDirectory = "electrs";
@ -103,8 +104,8 @@ in {
            listen ${toString config.services.electrs.nginxport} ssl;
            proxy_pass electrs;
-            ssl_certificate /secrets/nginx-cert;
+            ssl_certificate ${secretsDir}/nginx-cert;
-            ssl_certificate_key /secrets/nginx-key;
+            ssl_certificate_key ${secretsDir}/nginx-key;
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout 4h;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@ -30,7 +30,7 @@ in {
      requires = [ "clightning.service" ];
      after = [ "clightning.service" ];
      serviceConfig = {
-          EnvironmentFile = "/secrets/lightning-charge-env";
+          EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
          ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir} -d ${config.services.clightning.dataDir}/lightning-charge.db";
          # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket,
          # so this must run as the clightning user
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@ -5,6 +5,7 @@ with lib;
 let
  cfg = config.services.liquidd;
  inherit (config) nix-bitcoin-services;
  secretsDir = config.nix-bitcoin.secretsDir;
  pidFile = "${cfg.dataDir}/liquidd.pid";
  configFile = pkgs.writeText "elements.conf" ''
    chain=liquidv1
@ -207,8 +208,8 @@ in {
        cp '${configFile}' '${cfg.dataDir}/elements.conf'
        chmod o-rw  '${cfg.dataDir}/elements.conf'
        chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
-        echo "rpcpassword=$(cat /secrets/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
+        echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
-        echo "mainchainrpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
+        echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
      '';
      serviceConfig = {
        Type = "simple";
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@ -5,12 +5,13 @@ with lib;
 let
  cfg = config.services.lnd;
  inherit (config) nix-bitcoin-services;
  secretsDir = config.nix-bitcoin.secretsDir;
  configFile = pkgs.writeText "lnd.conf" ''
    datadir=${cfg.dataDir}
    logdir=${cfg.dataDir}/logs
    bitcoin.mainnet=1
-    tlscertpath=/secrets/lnd-cert
+    tlscertpath=${secretsDir}/lnd-cert
-    tlskeypath=/secrets/lnd-key
+    tlskeypath=${secretsDir}/lnd-key
    rpclisten=localhost:${toString cfg.rpcPort}
@ -61,7 +62,7 @@ in {
      default = pkgs.writeScriptBin "lncli"
      # Switch user because lnd makes datadir contents readable by user only
      ''
-        exec sudo -u lnd ${pkgs.nix-bitcoin.lnd}/bin/lncli --tlscertpath /secrets/lnd-cert \
+        exec sudo -u lnd ${pkgs.nix-bitcoin.lnd}/bin/lncli --tlscertpath ${secretsDir}/lnd-cert \
          --macaroonpath '${cfg.dataDir}/chain/bitcoin/mainnet/admin.macaroon' "$@"
      '';
      description = "Binary to connect with the lnd instance.";
@ -81,7 +82,7 @@ in {
        cp ${configFile} ${cfg.dataDir}/lnd.conf
        chown -R 'lnd:lnd' '${cfg.dataDir}'
        chmod u=rw,g=r,o= ${cfg.dataDir}/lnd.conf
-        echo "bitcoind.rpcpass=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/lnd.conf'
+        echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/lnd.conf'
      '';
      serviceConfig = {
        PermissionsStartOnly = "true";
@ -105,21 +106,21 @@ in {
              sleep 0.1
        done
-        if [[ ! -f /secrets/lnd-seed-mnemonic ]]; then
+        if [[ ! -f ${secretsDir}/lnd-seed-mnemonic ]]; then
          echo Create lnd seed
          ${pkgs.curl}/bin/curl -s \
-            --cacert /secrets/lnd-cert \
+            --cacert ${secretsDir}/lnd-cert \
-            -X GET https://127.0.0.1:8080/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > /secrets/lnd-seed-mnemonic
+            -X GET https://127.0.0.1:8080/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > ${secretsDir}/lnd-seed-mnemonic
        fi
        if [[ ! -f ${mainnetDir}/wallet.db ]]; then
          echo Create lnd wallet
          ${pkgs.curl}/bin/curl -s --output /dev/null --show-error \
-            --cacert /secrets/lnd-cert \
+            --cacert ${secretsDir}/lnd-cert \
-            -X POST -d "{\"wallet_password\": \"$(cat /secrets/lnd-wallet-password | tr -d '\n' | base64 -w0)\", \
+            -X POST -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\", \
-            \"cipher_seed_mnemonic\": $(cat /secrets/lnd-seed-mnemonic | tr -d '\n')}" \
+            \"cipher_seed_mnemonic\": $(cat ${secretsDir}/lnd-seed-mnemonic | tr -d '\n')}" \
            https://127.0.0.1:8080/v1/initwallet
          # Guarantees that RPC calls with cfg.cli succeed after the service is started
@ -132,9 +133,9 @@ in {
          ${pkgs.curl}/bin/curl -s \
            -H "Grpc-Metadata-macaroon: $(${pkgs.xxd}/bin/xxd -ps -u -c 99999 '${mainnetDir}/admin.macaroon')" \
-            --cacert /secrets/lnd-cert \
+            --cacert ${secretsDir}/lnd-cert \
            -X POST \
-            -d "{\"wallet_password\": \"$(cat /secrets/lnd-wallet-password | tr -d '\n' | base64 -w0)\"}" \
+            -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\"}" \
            https://127.0.0.1:8080/v1/unlockwallet
        fi
--- a/modules/nanopos.nix
+++ b/modules/nanopos.nix
@ -58,7 +58,7 @@ in {
      requires = [ "lightning-charge.service" ];
      after = [ "lightning-charge.service" ];
      serviceConfig = {
-        EnvironmentFile = "/secrets/nanopos-env";
+        EnvironmentFile = "${config.nix-bitcoin.secretsDir}/nanopos-env";
        ExecStart = "${pkgs.nix-bitcoin.nanopos}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11";
        User = "nanopos";
--- a/modules/nix-bitcoin.nix
+++ b/modules/nix-bitcoin.nix
@ -28,6 +28,8 @@ in {
  };
  config = mkIf cfg.enable {
    nix-bitcoin.secretsDir = mkDefault "/secrets";
    networking.firewall.enable = true;
    # Tor
--- a/modules/secrets/generate-secrets.nix
+++ b/modules/secrets/generate-secrets.nix
@ -5,9 +5,6 @@
 # generated secrets.
 with lib;
 let
  secretsDir = "/secrets/"; # TODO: make this an option
 in
 {
  nix-bitcoin.setup-secrets = true;
@ -19,8 +16,8 @@ in
       RemainAfterExit = true;
    } // config.nix-bitcoin-services.defaultHardening;
    script = ''
-      mkdir -p "${secretsDir}"
+      mkdir -p "${config.nix-bitcoin.secretsDir}"
-      cd "${secretsDir}"
+      cd "${config.nix-bitcoin.secretsDir}"
      chown root: .
      chmod 0700 .
      ${pkgs.nix-bitcoin.generate-secrets}
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -3,14 +3,18 @@
 with lib;
 let
  cfg = config.nix-bitcoin;
  secretsDir = "/secrets/"; # TODO: make this an option
  setupSecrets = concatStrings (mapAttrsToList (n: v: ''
    setupSecret ${n} ${v.user} ${v.group} ${v.permissions} }
  '') cfg.secrets);
 in
 {
  options.nix-bitcoin = {
    secretsDir = mkOption {
      type = types.path;
      default = "/etc/nix-bitcoin-secrets";
      description = "Directory to store secrets";
    };
    secrets = mkOption {
      default = {};
      type = with types; attrsOf (submodule (
@ -68,7 +72,7 @@ in
            processedFiles+=("$file")
        }
-        dir="${secretsDir}"
+        dir="${cfg.secretsDir}"
        if [[ ! -e $dir ]]; then
          echo "Error: Secrets dir '$dir' is missing"
          exit 1
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@ -8,7 +8,7 @@ let
  dataDir = "/var/lib/spark-wallet/";
  onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
  run-spark-wallet = pkgs.writeScript "run-spark-wallet" ''
-    CMD="${pkgs.nix-bitcoin.spark-wallet}/bin/spark-wallet --ln-path ${cfg.ln-path} -Q -k -c /secrets/spark-wallet-login"
+    CMD="${pkgs.nix-bitcoin.spark-wallet}/bin/spark-wallet --ln-path ${cfg.ln-path} -Q -k -c ${config.nix-bitcoin.secretsDir}/spark-wallet-login"
    ${optionalString cfg.onion-service
      ''
      echo Getting onion hostname
--- a/network/network.nix
+++ b/network/network.nix
@ -7,7 +7,7 @@
      deployment.keys = builtins.mapAttrs (n: v: {
        keyFile = "${toString ../secrets}/${n}";
-        destDir = "/secrets/";
+        destDir = config.nix-bitcoin.secretsDir;
        inherit (v) user group permissions;
      }) config.nix-bitcoin.secrets;
@ -19,7 +19,7 @@
      systemd.services.allowSecretsDirAccess = {
        requires = [ "keys.target" ];
        after = [ "keys.target" ];
-        script = "chmod o+x /secrets";
+        script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
        serviceConfig.Type = "oneshot";
      };