Skip to content
Snippets Groups Projects
customize-issuer.nix 3.49 KiB
Newer Older
  • Learn to ignore specific revisions
  • # Define a function which returns a value which fills in all the holes left by
    # ``issuer.nix``.
    {
      # A path on the deployment system to a file containing the Ristretto signing
      # key.  This is used as the source of the Ristretto signing key morph
      # secret.
      ristrettoSigningKeyPath
    
      # A path on the deployment system to a file containing the Stripe secret
      # key.  This is used as the source of the Stripe secret key morph secret.
    
    
      # A path on the deployment system to a directory containing a number of
      # VPN-related secrets.  This is expected to contain a number of files named
      # like ``<VPN IPv4 address>.key`` containing the VPN private key for the
      # corresponding host.  It must also contain ``server.pub`` and
      # ``preshared.key`` holding the VPN server's public key and the pre-shared
      # key, respectively.  All of these things are used as the sources of various
      # VPN-related morph secrets.
    
    
      # A string giving the IP address and port number (":"-separated) of the VPN
      # server.
    
    
      # A string giving the VPN IPv4 address for this system.
    
      # A string giving the domain name associated with this grid.  This is meant
      # to be combined with the hostname for this system to produce a
      # fully-qualified domain name.  For example, an issuer might have "payments"
      # as its hostname and belong to a grid with the domain
      # "example-grid.invalid".  This ``domain`` parameter should have the value
      # ``"example-grid.invalid"`` for the system figure out that
      # ``payments.example-grid.invalid`` is the name of this system.
    
      # A set mapping usernames as strings to SSH public keys as strings.  For
      # each element of the site, the indicated user is configured on the system
      # with the indicated SSH key as an authorized key.
    
    
      # A string giving an email address to use for Let's Encrypt registration and
      # certificate issuance.
    
    
      # A list of strings giving the domain names that point at this issuer
      # system.  These will all be included in Let's Encrypt certificate.
    
    
      # A list of strings giving CORS Origins will the issuer will be configured
      # to allow.
    
    }:
    { config, ... }: {
      # The morph default deployment target the name of the node in the network
      # attrset.  We don't always want to give the node its proper public address
      # there (because it depends on which domain is associated with the grid
      # being configured and using variable names complicates a lot of things).
      # Instead, just tell morph how to reach the node here - by using its fully
      # qualified domain name.
      deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
    
    
        "ristretto-signing-key".source = ristrettoSigningKeyPath;
        "stripe-secret-key".source = stripeSecretKeyPath;
    
        "monitoringvpn-secret-key".source = "${monitoringvpnKeyDir}/${monitoringvpnIPv4}.key";
        "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
      };
    
    
      services.private-storage.sshUsers = sshUsers;
      services.private-storage.monitoring.vpn.client = {
        enable = true;
        ip = monitoringvpnIPv4;
    
        endpoint = monitoringvpnEndpoint;
    
        endpointPublicKeyFile = "${monitoringvpnKeyDir}/server.pub";
      };
    
      services.private-storage-issuer = {
    
        inherit letsEncryptAdminEmail allowedChargeOrigins;