Newer
Older
{ hardware
, ristrettoSigningKeyPath
, issuerDomain
, letsEncryptAdminEmail
Jean-Paul Calderone
committed
, allowedChargeOrigins
, publicIPv4
, monitoringvpnKeyDir ? null
, monitoringvpnIPv4 ? null
enableVpn = if (monitoringvpnKeyDir != null &&
monitoringvpnIPv4 != null)
then true else false;
vpnSecrets = if !enableVpn then {} else {
"monitoringvpn-secret-key" = {
source = monitoringvpnKeyDir + "/${monitoringvpnIPv4}.key";
destination = "/run/keys/monitoringvpn/client.key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
};
"monitoringvpn-preshared-key" = {
source = monitoringvpnKeyDir + "/preshared.key";
destination = "/run/keys/monitoringvpn/preshared.key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
};
};
in rec {
targetHost = publicIPv4;
secrets = {
"ristretto-signing-key" = {
source = ristrettoSigningKeyPath;
destination = "/run/keys/ristretto.signing-key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
};
"stripe-secret-key" = {
source = stripeSecretKeyPath;
destination = "/run/keys/stripe.secret-key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
};
} // vpnSecrets;
};
imports = [
hardware
../../nixos/modules/issuer.nix
services.private-storage.sshUsers = sshUsers;
services.private-storage-issuer = {
enable = true;
ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
database = "SQLite3";
databasePath = "/var/db/vouchers.sqlite3";
inherit letsEncryptAdminEmail;
domain = issuerDomain;
Jean-Paul Calderone
committed
inherit allowedChargeOrigins;
};
system.stateVersion = stateVersion;
services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {