Change the nix-bitcoin deployment from forking this repo to importing the module

Instead of forking this repo, it is now recommended that users simply import the nix-bitcoin module. This commit adds an example directory that contains the network/ examples and a shell.nix for deployment with nixops.
2020-02-19 16:37:46 +00:00
parent 2d51c722cc
commit 87d0286498
7 changed files with 33 additions and 8 deletions
--- a/examples/nixops/node.nix
+++ b/examples/nixops/node.nix
@@ -0,0 +1,31 @@
+{
+  network.description = "Bitcoin Core node";
+
+  bitcoin-node =
+    { config, pkgs, lib, ... }: {
+      imports = [ ../configuration.nix <nix-bitcoin/modules/nix-bitcoin.nix> ];
+
+      deployment.keys = builtins.mapAttrs (n: v: {
+        keyFile = "${toString ../secrets}/${n}";
+        destDir = config.nix-bitcoin.secretsDir;
+        inherit (v) user group permissions;
+      }) config.nix-bitcoin.secrets;
+
+      # nixops makes the secrets directory accessible only for users with group 'key'.
+      # For compatibility with other deployment methods besides nixops, we forego the
+      # use of the 'key' group and make the secrets dir world-readable instead.
+      # This is safe because all containing files have their specific private
+      # permissions set.
+      systemd.services.allowSecretsDirAccess = {
+        requires = [ "keys.target" ];
+        after = [ "keys.target" ];
+        script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
+        serviceConfig.Type = "oneshot";
+      };
+
+      systemd.targets.nix-bitcoin-secrets = {
+        requires = [ "allowSecretsDirAccess.service" ];
+        after = [ "allowSecretsDirAccess.service" ];
+      };
+    };
+}