Newer
Older
# Define a function which returns a value which fills in all the holes left by
# ``issuer.nix``.
{
# A string giving the IP address and port number (":"-separated) of the VPN
# server.
# A string giving the VPN IPv4 address for this system.
, monitoringvpnIPv4
# A string giving an email address to use for Let's Encrypt registration and
# certificate issuance.
, letsEncryptAdminEmail
# A list of strings giving the domain names that point at this issuer
# system. These will all be included in Let's Encrypt certificate.
, issuerDomains
# A list of strings giving CORS Origins will the issuer will be configured
# to allow.
, allowedChargeOrigins
, ...
{ config, ... }:
let
inherit (config.grid) publicKeyPath privateKeyPath;
in {
deployment.secrets = {
# ``.../monitoringvpn`` is a path on the deployment system of a directory
# containing a number of VPN-related secrets. This is expected to contain
# a number of files named like ``<VPN IPv4 address>.key`` containing the
# VPN private key for the corresponding host. It must also contain
# ``server.pub`` and ``preshared.key`` holding the VPN server's public key
# and the pre-shared key, respectively. All of these things are used as
# the sources of various VPN-related morph secrets.
"monitoringvpn-secret-key".source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
"monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
};
services.private-storage.monitoring.vpn.client = {
enable = true;
ip = monitoringvpnIPv4;
endpoint = monitoringvpnEndpoint;
endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
};
services.private-storage-issuer = {
inherit letsEncryptAdminEmail allowedChargeOrigins;
domains = issuerDomains;
};
system.stateVersion = "19.03";
}