secure-node: don't set nix-bitcoin.secretsDir

This simplifies the docs and the secure-node module. This change doesn't affect users that deploy via krops.
2022-02-03 20:46:33 +01:00 · 2022-02-03 20:46:33 +01:00 · d959d5b558
commit d959d5b558
parent 7b0c3d48c9
5 changed files with 27 additions and 12 deletions
--- a/docs/configuration.md
+++ b/docs/configuration.md
@ -250,9 +250,4 @@ following default values:

 - If you're using the krops deployment method: `/var/src/secrets`

- Otherwise:
-  - `/secrets` (if you're using the `secure-node.nix` template)
-  - `/etc/nix-bitcoin-secrets` (otherwise)
-
-  `/secrets` only exists to provide backwards compatibility for users of the
-  `secure-node.nix` template.
+- Otherwise: `/etc/nix-bitcoin-secrets`
--- a/docs/services.md
+++ b/docs/services.md
@ -41,7 +41,8 @@ ssh -L 3000:169.254.1.29:3000 root@bitcoin-node

 Otherwise, you can access it via Tor Browser at `http://<onion-address>`.
 You can find the `<onion-address>` with command `nodeinfo`.
-The default password location is `/secrets/rtl-password`.
+The default password location is `$secretsDir/rtl-password`.
+See: [Secrets dir](./configuration.md#secrets-dir)

 # Connect to spark-wallet
 ### Requirements
@ -305,9 +306,10 @@ If you want to manually initialize your wallet instead, follow these steps:
    Follow the on-screen instructions and write down your seed.

    In order to use nix-bitcoin's `joinmarket.yieldgenerator`, use the password
-    from `/secrets/jm-wallet-password` and use the suggested default wallet name
+    from `$secretsDir/jm-wallet-password` and use the suggested default wallet name
    `wallet.jmdat`. If you want to use your own `jm-wallet-password`, simply
    replace the password string in your local secrets directory.
+    See: [Secrets dir](./configuration.md#secrets-dir)

 ## Run the tumbler

--- a/examples/configuration.nix
+++ b/examples/configuration.nix
@ -266,5 +266,5 @@
  # The nix-bitcoin release version that your config is compatible with.
  # When upgrading to a backwards-incompatible release, nix-bitcoin will display an
  # an error and provide hints for migrating your config to the new release.
-  nix-bitcoin.configVersion = "0.0.57";
+  nix-bitcoin.configVersion = "0.0.65";
 }
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -18,9 +18,6 @@ in {
  };

  config =  {
-    # For backwards compatibility only
-    nix-bitcoin.secretsDir = mkDefault "/secrets";
-
    networking.firewall.enable = true;

    nix-bitcoin.security.dbusHideProcessInformation = true;
--- a/modules/versioning.nix
+++ b/modules/versioning.nix
@ -181,6 +181,27 @@ let
            once.
      '';
    }
+    {
+      version = "0.0.65";
+      condition = config.nix-bitcoin ? secure-node-preset-enabled &&
+                  config.nix-bitcoin.secretsDir == "/etc/nix-bitcoin-secrets";
+      message = ''
+        The `secure-node.nix` preset does not set the secrets directory
+        to "/secrets" anymore.
+        Instead, the default location "/etc/nix-bitcoin-secrets" is used.
+
+        To upgrade, choose one of the following:
+
+        - Continue using "/secrets":
+          Add `nix-bitcoin.secretsDir = "/secrets";` to your configuration.nix.
+
+        - Move your secrets to the default location:
+          Run the following command as root on your node:
+          `rsync -a /secrets/ /etc/nix-bitcoin-secrets`.
+          You can delete the old "/secrets" directory after deploying the new system
+          config to your node.
+      '';
+    }
  ];

  mkOnionServiceChange = service: {