Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
rec {
deployment = {
secrets = {
"ristretto-signing-key" = {
# source = ... fill this in ...
destination = "/run/keys/ristretto.signing-key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
};
"stripe-secret-key" = {
# source = ... fill this in ...
destination = "/run/keys/stripe.secret-key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
};
"monitoringvpn-secret-key" = {
# source = ... fill this in ...
destination = "/run/keys/monitoringvpn/client.key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
};
"monitoringvpn-preshared-key" = {
# source = ... fill this in ...
destination = "/run/keys/monitoringvpn/preshared.key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
};
};
};
imports = [
../../nixos/modules/issuer.nix
../../nixos/modules/monitoring/vpn/client.nix
../../nixos/modules/monitoring/exporters/node.nix
];
services.private-storage = {
# sshUsers = ...
monitoring.vpn.client = {
# enable = ...
# ip = ...
# endpoint = ...
# endpointPublicKeyFile = ...
};
};
services.private-storage-issuer = {
enable = true;
tls = true;
ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
database = "SQLite3";
databasePath = "/var/db/vouchers.sqlite3";
# letsEncryptAdminEmail = ...;
# domains = ...;
# allowedChargeOrigins = ...;