customize-issuer.nix

# Define a function which returns a value which fills in all the holes left by
# ``issuer.nix``.
{
  # A path on the deployment system of a directory containing all of the
  # public keys for the system.  For example, this holds Wireguard public keys
  # for the VPN configuration and SSH public keys to configure SSH
  # authentication.
  publicKeyPath

  # A path on the deployment system of a directory containing all of the
  # corresponding private keys for the system.
, privateKeyPath

  # A string giving the IP address and port number (":"-separated) of the VPN
  # server.
, monitoringvpnEndpoint

  # A string giving the VPN IPv4 address for this system.
, monitoringvpnIPv4

  # A string giving the domain name associated with this grid.  This is meant
  # to be combined with the hostname for this system to produce a
  # fully-qualified domain name.  For example, an issuer might have "payments"
  # as its hostname and belong to a grid with the domain
  # "example-grid.invalid".  This ``domain`` parameter should have the value
  # ``"example-grid.invalid"`` for the system figure out that
  # ``payments.example-grid.invalid`` is the name of this system.
, domain

  # A set mapping usernames as strings to SSH public keys as strings.  For
  # each element of the site, the indicated user is configured on the system
  # with the indicated SSH key as an authorized key.
, sshUsers

  # A string giving an email address to use for Let's Encrypt registration and
  # certificate issuance.
, letsEncryptAdminEmail

  # A list of strings giving the domain names that point at this issuer
  # system.  These will all be included in Let's Encrypt certificate.
, issuerDomains

  # A list of strings giving CORS Origins will the issuer will be configured
  # to allow.
, allowedChargeOrigins
, ...
}:
{ config, ... }: {
  # The morph default deployment target the name of the node in the network
  # attrset.  We don't always want to give the node its proper public address
  # there (because it depends on which domain is associated with the grid
  # being configured and using variable names complicates a lot of things).
  # Instead, just tell morph how to reach the node here - by using its fully
  # qualified domain name.
  deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";

  deployment.secrets = {
    # A path on the deployment system to a file containing the Ristretto
    # signing key.  This is used as the source of the Ristretto signing key
    # morph secret.
    "ristretto-signing-key".source = "${privateKeyPath}/ristretto.signing-key";

    # A path on the deployment system to a file containing the Stripe secret
    # key.  This is used as the source of the Stripe secret key morph secret.
    "stripe-secret-key".source = "${privateKeyPath}/stripe.secret";

    # ``.../monitoringvpn`` is a path on the deployment system of a directory
    # containing a number of VPN-related secrets.  This is expected to contain
    # a number of files named like ``<VPN IPv4 address>.key`` containing the
    # VPN private key for the corresponding host.  It must also contain
    # ``server.pub`` and ``preshared.key`` holding the VPN server's public key
    # and the pre-shared key, respectively.  All of these things are used as
    # the sources of various VPN-related morph secrets.
    "monitoringvpn-secret-key".source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
    "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
  };

  networking.domain = domain;

  services.private-storage.sshUsers = sshUsers;
  services.private-storage.monitoring.vpn.client = {
    enable = true;
    ip = monitoringvpnIPv4;
    endpoint = monitoringvpnEndpoint;
    endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
  };

  services.private-storage-issuer = {
    inherit allowedChargeOrigins;
    domains = issuerDomains;
    # Arbitrary non-priviledged port:
    httpPort = 1061;
  };

  # nginx reverse proxy
  security.acme.email = letsEncryptAdminEmail;
  security.acme.acceptTerms = true;
  services.nginx = {
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Only allow PFS-enabled ciphers with AES256:
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    virtualHosts."${config.networking.hostName}.${config.networking.domain}" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
      };
    };
  };

  system.stateVersion = "19.03";
}