    # This is all of the static NixOS system configuration necessary to specify an
    # "issuer"-type system.  The configuration has various holes in it which must
    # be filled somehow.  These holes correspond to configuration which is not
    # statically known (for example, the secret material itself, which is only
    # referenced here by its on-host path).  This value is suitable for use as a
    # module to be imported into a more complete system configuration.  It is
    # expected that the holes will be filled by a sibling module created by
    # ``customize-issuer.nix``.
    
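    let
      # Build one deployment-secret entry.  Every secret on this host follows the
      # same shape, so the owner/permission/restart policy lives here exactly once
      # instead of being copied per secret.
      #
      #   destination: absolute path the secret file is written to on the host
      #   service:     systemd unit restarted after the file is (re)deployed
      #
      # The file is owned by root and readable only by root (0400).  The restarted
      # service must therefore either run as root or be handed the file by some
      # other mechanism; nothing in this file shows which, so confirm against the
      # service definition before tightening or loosening this.
      #
      # NOTE(review): /run is normally a tmpfs, so these files do not survive a
      # reboot -- verify that the deployment tooling re-pushes secrets on boot.
      rootOnlySecret = destination: service: {
        inherit destination;
        owner.user = "root";
        owner.group = "root";
        permissions = "0400";
        # Runs on the target host as the deploying user, which consequently needs
        # (ideally narrowly-scoped) sudo rights for this one systemctl invocation.
        action = ["sudo" "systemctl" "restart" service];
      };

      # All secrets delivered to an issuer host.  The issuer service consumes the
      # first two; the VPN unit consumes the WireGuard keys.
      secrets = {
        # Private key used to sign ZKAP tokens; the issuer is useless (and the
        # system's trust root) without it.
        "ristretto-signing-key" =
          rootOnlySecret "/run/keys/ristretto.signing-key" "zkapissuer.service";
        # Stripe API secret used by the payment side of the issuer.
        "stripe-secret-key" =
          rootOnlySecret "/run/keys/stripe.secret-key" "zkapissuer.service";

        "monitoringvpn-secret-key" =
          rootOnlySecret "/run/keys/monitoringvpn/client.key" "wireguard-monitoringvpn.service";
        "monitoringvpn-preshared-key" =
          rootOnlySecret "/run/keys/monitoringvpn/preshared.key" "wireguard-monitoringvpn.service";
      };
    in
    {
      deployment.secrets = secrets;

      imports = [

        # Allow us to remotely trigger updates to this system.
        ../../nixos/modules/deployment.nix

        # Presumably declares the services.private-storage-issuer options set
        # below, plus the monitoring VPN client and node exporter for this host.
        ../../nixos/modules/issuer.nix
        ../../nixos/modules/monitoring/vpn/client.nix
        ../../nixos/modules/monitoring/exporters/node.nix
      ];

      services.private-storage-issuer = {
        enable = true;

        # Point the service at the deployed secret files rather than repeating
        # the paths, so the two can never drift apart.
        ristrettoSigningKeyPath = secrets.ristretto-signing-key.destination;
        stripeSecretKeyPath = secrets.stripe-secret-key.destination;
        database = "SQLite3";
        # Holds voucher/redemption state.  Nothing here sets ownership or
        # permissions for this file or arranges backups -- confirm that the
        # issuer module does so.
        databasePath = "/var/db/vouchers.sqlite3";
      };
    }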