Newer
Older
# Define a function which returns a value which fills in all the holes left by
# ``issuer.nix``.
{
# A path on the deployment system of a directory containing all of the
# public keys for the system. For example, this holds Wireguard public keys
# for the VPN configuration and SSH public keys to configure SSH
# authentication.
publicKeyPath
# A path on the deployment system of a directory containing all of the
# corresponding private keys for the system.
, privateKeyPath
# A string giving the IP address and port number (":"-separated) of the VPN
# server.
, monitoringvpnEndpoint
# A string giving the VPN IPv4 address for this system.
, monitoringvpnIPv4
# A string giving the domain name associated with this grid. This is meant
# to be combined with the hostname for this system to produce a
# fully-qualified domain name. For example, an issuer might have "payments"
# as its hostname and belong to a grid with the domain
# "example-grid.invalid". This ``domain`` parameter should have the value
# ``"example-grid.invalid"`` for the system figure out that
# ``payments.example-grid.invalid`` is the name of this system.
, domain
Jean-Paul Calderone
committed
# A set mapping usernames as strings to SSH public keys as strings. For
# each element of the site, the indicated user is configured on the system
# with the indicated SSH key as an authorized key.
, sshUsers
# A string giving an email address to use for Let's Encrypt registration and
# certificate issuance.
, letsEncryptAdminEmail
# A list of strings giving the domain names that point at this issuer
# system. These will all be included in Let's Encrypt certificate.
, issuerDomains
# A list of strings giving CORS Origins will the issuer will be configured
# to allow.
, allowedChargeOrigins
, ...
}:
{ config, ... }: {
# The morph default deployment target the name of the node in the network
# attrset. We don't always want to give the node its proper public address
# there (because it depends on which domain is associated with the grid
# being configured and using variable names complicates a lot of things).
# Instead, just tell morph how to reach the node here - by using its fully
# qualified domain name.
deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
deployment.secrets = {
# A path on the deployment system to a file containing the Ristretto
# signing key. This is used as the source of the Ristretto signing key
# morph secret.
"ristretto-signing-key".source = "${privateKeyPath}/ristretto.signing-key";
# A path on the deployment system to a file containing the Stripe secret
# key. This is used as the source of the Stripe secret key morph secret.
"stripe-secret-key".source = "${privateKeyPath}/stripe.secret";
# ``.../monitoringvpn`` is a path on the deployment system of a directory
# containing a number of VPN-related secrets. This is expected to contain
# a number of files named like ``<VPN IPv4 address>.key`` containing the
# VPN private key for the corresponding host. It must also contain
# ``server.pub`` and ``preshared.key`` holding the VPN server's public key
# and the pre-shared key, respectively. All of these things are used as
# the sources of various VPN-related morph secrets.
"monitoringvpn-secret-key".source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
"monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
networking.domain = domain;
services.private-storage.sshUsers = sshUsers;
services.private-storage.monitoring.vpn.client = {
enable = true;
ip = monitoringvpnIPv4;
endpoint = monitoringvpnEndpoint;
endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
};
services.private-storage-issuer = {
domains = issuerDomains;
# Arbitrary non-priviledged port:
httpPort = 1061;
};
# nginx reverse proxy
security.acme.email = letsEncryptAdminEmail;
security.acme.acceptTerms = true;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256:
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."${config.networking.hostName}.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
};
locations."/metrics" = {
# Only allow our monitoringvpn subnet
extraConfig = ''
allow 172.23.23.0/24;
deny all;
'';
proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
};
};
system.stateVersion = "19.03";
}