Add support for handling machine-specific secrets in the deployment process

Expanded the DEPLOYMENT-GUIDE.md to include a comprehensive section on managing encrypted secrets using Passage and Pass. Detailed steps for setting up, creating, and deploying machine-specific secrets, along with security notes. Updated krops.nix and config/lnbits.nix to include configurations for deploying custom LNBits extensions, enhancing the flexibility and security of the NixOS deployment process.
2025-10-10 01:15:42 +02:00 · 2025-10-10 01:15:42 +02:00 · 30209458f7
commit 30209458f7
parent d27bdd3005
2 changed files with 88 additions and 0 deletions
--- a/DEPLOYMENT-GUIDE.md
+++ b/DEPLOYMENT-GUIDE.md
@ -193,3 +193,70 @@ config/

 The key is that each machine's `configuration.nix` can import different modules while still sharing common configuration through `shared.nix`.

+## Deploying LNBits Extensions
+
+You can deploy custom LNBits extensions to `/var/lib/lnbits/extensions` on your target machines.
+
+### Setup
+
+**1. Create extensions directory:**
+```bash
+mkdir -p lnbits-extensions
+```
+
+**2. Add your custom extensions:**
+```bash
+# Example: Clone a custom extension
+git clone https://github.com/your-org/custom-extension lnbits-extensions/custom-extension
+```
+
+**3. Enable in krops.nix:**
+Uncomment the lnbits-extensions line:
+```nix
+lnbits-extensions.file = toString ./lnbits-extensions;
+```
+
+**4. Enable in config/lnbits.nix:**
+
+Choose one of two options:
+
+**Option 1: Replace extensions directory** (use if you manage ALL extensions via deployment)
+```nix
+systemd.tmpfiles.rules = [
+  "L+ /var/lib/lnbits/extensions - - - - /var/src/lnbits-extensions"
+];
+```
+⚠️ **Warning:** This will DELETE any extensions installed via the LNBits UI!
+
+**Option 2: Merge deployed extensions** (safer - keeps UI-installed extensions)
+```nix
+systemd.services.lnbits-copy-extensions = {
+  description = "Copy deployed LNBits extensions";
+  before = [ "lnbits.service" ];
+  wantedBy = [ "lnbits.service" ];
+  serviceConfig = {
+    Type = "oneshot";
+    ExecStart = "${pkgs.rsync}/bin/rsync -av /var/src/lnbits-extensions/ /var/lib/lnbits/extensions/";
+  };
+};
+```
+
+**5. Deploy:**
+```bash
+nix-build ./krops.nix -A machine1 && ./result
+```
+
+### How It Works
+
+**Option 1 (Symlink):**
+- Your `./lnbits-extensions` directory is deployed to `/var/src/lnbits-extensions`
+- A symlink replaces `/var/lib/lnbits/extensions` → `/var/src/lnbits-extensions`
+- Any existing extensions directory is deleted
+- All extensions must be managed via deployment
+
+**Option 2 (Copy/Merge):**
+- Your `./lnbits-extensions` directory is deployed to `/var/src/lnbits-extensions`
+- Deployed extensions are copied into `/var/lib/lnbits/extensions/`
+- Existing UI-installed extensions are preserved
+- You can mix deployed extensions with UI-installed ones
+
--- a/config/lnbits.nix
+++ b/config/lnbits.nix
@ -81,4 +81,25 @@
      };
    };
  };
+
+  # Deploy custom extensions
+  # WARNING: L+ will REPLACE /var/lib/lnbits/extensions if it already exists!
+  # This will DELETE any extensions installed via the LNBits UI.
+  #
+  # Option 1: Replace extensions directory entirely (use with caution)
+  # systemd.tmpfiles.rules = [
+  #   "L+ /var/lib/lnbits/extensions - - - - /var/src/lnbits-extensions"
+  # ];
+  #
+  # Option 2: Manually merge deployed extensions with existing ones
+  # Copy deployed extensions into the extensions directory without replacing it:
+  # systemd.services.lnbits-copy-extensions = {
+  #   description = "Copy deployed LNBits extensions";
+  #   before = [ "lnbits.service" ];
+  #   wantedBy = [ "lnbits.service" ];
+  #   serviceConfig = {
+  #     Type = "oneshot";
+  #     ExecStart = "${pkgs.rsync}/bin/rsync -av /var/src/lnbits-extensions/ /var/lib/lnbits/extensions/";
+  #   };
+  # };
 }