    # This contains all of the NixOS system configuration necessary to specify an
    # "issuer"-type system.
    { lib, config, ...}:
    
      # Grid-wide settings this module reads.  Only the *paths* to key material
      # come from config.grid; the key files themselves are placed under
      # /run/keys by the deployment.secrets entries further down.
      publicKeyPath = config.grid.publicKeyPath;
      privateKeyPath = config.grid.privateKeyPath;
      monitoringvpnEndpoint = config.grid.monitoringvpnEndpoint;
      monitoringvpnIPv4 = config.grid.monitoringvpnIPv4;

      # Issuer-specific settings, declared by options.grid.issuer in this file.
      issuerDomains = config.grid.issuer.issuerDomains;
      allowedChargeOrigins = config.grid.issuer.allowedChargeOrigins;
    
      imports = [
        # Presumably declares the services.private-storage.monitoring.vpn.client
        # options that the config section below sets -- the module itself lives
        # outside this file, so confirm there.
        ../../nixos/modules/monitoring/vpn/client.nix
        # Node exporter for the monitoring system; nothing visible in this file
        # configures it directly.
        ../../nixos/modules/monitoring/exporters/node.nix
      ];
    
    
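      # Issuer-specific knobs.  Neither option has a default on purpose: a grid
      # configuration that omits one fails at evaluation time instead of
      # deploying an issuer with no domains or with no allowed origins.
      options.grid.issuer = {
        issuerDomains = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          description = ''
            A list of strings giving the domain names that point at this issuer
            system.  These will all be included in the Let's Encrypt certificate.
          '';
        };

        allowedChargeOrigins = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          description = ''
            A list of strings giving the CORS Origins that the issuer will be
            configured to allow.
          '';
        };
      };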
    
      config = let
        # Every secret staged on this host has the same shape: the file lands
        # under /run/keys, is readable only by its owner (0400), owner and group
        # are the same account, and the named systemd unit is restarted via the
        # `action` list (presumably run by the deployment tool when the file
        # changes -- confirm against its documentation).
        mkSecret = { dest, src, user, unit }: {
          destination = "/run/keys/${dest}";
          source = "${privateKeyPath}/${src}";
          owner.user = user;
          owner.group = user;
          permissions = "0400";
          action = ["sudo" "systemctl" "restart" unit];
        };

        # Keys read by the issuer process: owned by its service account so the
        # process can read them and no other unprivileged account can.
        issuerSecret = args: mkSecret (args // {
          user = "zkapissuer";
          unit = "zkapissuer.service";
        });

        # WireGuard material for the monitoring VPN: owned by root, and it is
        # the tunnel unit, not the issuer, that gets restarted.
        vpnSecret = args: mkSecret (args // {
          user = "root";
          unit = "wireguard-monitoringvpn.service";
        });
      in {
        deployment.secrets = {
          "ristretto-signing-key" = issuerSecret {
            dest = "ristretto.signing-key";
            src = "ristretto.signing-key";
          };
          # Note that the source file name differs from the staged name.
          "stripe-secret-key" = issuerSecret {
            dest = "stripe.secret-key";
            src = "stripe.secret";
          };
          # The client key is selected by this host's address on the VPN.
          "monitoringvpn-secret-key" = vpnSecret {
            dest = "monitoringvpn/client.key";
            src = "monitoringvpn/${monitoringvpnIPv4}.key";
          };
          "monitoringvpn-preshared-key" = vpnSecret {
            dest = "monitoringvpn/preshared.key";
            src = "monitoringvpn/preshared.key";
          };
        };

        services.private-storage-issuer = {
          enable = true;
          tls = true;
          # Point the service at the staged copies rather than at privateKeyPath,
          # so these paths can never drift from the deployment.secrets entries.
          ristrettoSigningKeyPath = config.deployment.secrets."ristretto-signing-key".destination;
          stripeSecretKeyPath = config.deployment.secrets."stripe-secret-key".destination;
          database = "SQLite3";
          databasePath = "${config.fileSystems."zkapissuer-data".mountPoint}/vouchers.sqlite3";
          letsEncryptAdminEmail = config.grid.letsEncryptAdminEmail;
          domains = issuerDomains;
          inherit allowedChargeOrigins;
        };

        services.private-storage.monitoring.vpn.client = {
          enable = true;
          ip = monitoringvpnIPv4;
          endpoint = monitoringvpnEndpoint;
          # Only the server's *public* key is taken from publicKeyPath.
          endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
        };

        system.stateVersion = "19.03";
      };