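    # This contains all of the NixOS system configuration necessary to specify an
    # "issuer"-type system: the private-storage issuer service (ZKAP signing with a
    # ristretto key, charging via Stripe), the secrets it needs, and the monitoring
    # VPN client / node exporter that the monitoring modules provide.
    { lib, config, ...}:
    let
      # Grid-wide settings: where key material lives on the deploying host and how
      # this node reaches the monitoring VPN.
      inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnEndpoint monitoringvpnIPv4;
      # Issuer-specific settings, declared in `options.grid.issuer` below.
      inherit (config.grid.issuer) issuerDomains allowedChargeOrigins;
    in {
      imports = [
        ../../nixos/modules/monitoring/vpn/client.nix
        ../../nixos/modules/monitoring/exporters/node.nix
      ];

      options.grid.issuer = {
        issuerDomains = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          description = ''
            A list of strings giving the domain names that point at this issuer
            system.  These will all be included in the Let's Encrypt certificate.
          '';
        };

        allowedChargeOrigins = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          description = ''
            A list of strings giving the CORS Origins which the issuer will be
            configured to allow.  Keep this list as narrow as possible: it decides
            which browser origins may call the issuer cross-origin.
          '';
        };
      };

      config = {
        deployment = {
          # Secrets are copied from `privateKeyPath` on the deploying host to
          # /run/keys on the target.  Each one is owned by the service that reads
          # it and is mode 0400, so nothing else on the host can read it.  The
          # `action` restarts the consuming service once the secret is in place
          # so that a rotated key is picked up without a manual restart.
          secrets = {
            # Private key used to sign ZKAPs; only the issuer service may read it.
            "ristretto-signing-key" = {
              destination = "/run/keys/ristretto.signing-key";
              source = "${privateKeyPath}/ristretto.signing-key";
              owner.user = "zkapissuer";
              owner.group = "zkapissuer";
              permissions = "0400";
              action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
            };
            # Stripe API secret for charging; same ownership/permission model.
            # Note the source file name (`stripe.secret`) differs from the
            # destination (`stripe.secret-key`) — intentional, but easy to trip on.
            "stripe-secret-key" = {
              destination = "/run/keys/stripe.secret-key";
              source = "${privateKeyPath}/stripe.secret";
              owner.user = "zkapissuer";
              owner.group = "zkapissuer";
              permissions = "0400";
              action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
            };

            # WireGuard material for the monitoring VPN.  The per-node private key
            # is selected by this node's VPN IPv4 address; both files are
            # root-owned since the wireguard unit (not the issuer) consumes them.
            "monitoringvpn-secret-key" = {
              destination = "/run/keys/monitoringvpn/client.key";
              source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
              owner.user = "root";
              owner.group = "root";
              permissions = "0400";
              action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
            };
            "monitoringvpn-preshared-key" = {
              destination = "/run/keys/monitoringvpn/preshared.key";
              source = "${privateKeyPath}/monitoringvpn/preshared.key";
              owner.user = "root";
              owner.group = "root";
              permissions = "0400";
              action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
            };
          };
        };

        services.private-storage-issuer = {
          enable = true;
          # Serve over TLS; the certificate covers `domains` and is obtained with
          # the grid-wide Let's Encrypt contact address.
          tls = true;
          # Point the service at the deployed secrets rather than repeating the
          # paths, so a change to `deployment.secrets` above cannot drift from here.
          ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
          stripeSecretKeyPath = config.deployment.secrets.stripe-secret-key.destination;
          database = "SQLite3";
          # The voucher database lives on the dedicated `zkapissuer-data`
          # filesystem, which is declared elsewhere in the grid configuration.
          databasePath = "${config.fileSystems."zkapissuer-data".mountPoint}/vouchers.sqlite3";
          inherit (config.grid) letsEncryptAdminEmail;
          inherit allowedChargeOrigins;
          domains = issuerDomains;
        };

        # Join the monitoring VPN as a client; the server's public key is read
        # from the shared public-key directory rather than deployed as a secret.
        services.private-storage.monitoring.vpn.client = {
          enable = true;
          ip = monitoringvpnIPv4;
          endpoint = monitoringvpnEndpoint;
          endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
        };

        # Pinned to the release this system was first deployed with; do not bump
        # on upgrades without checking NixOS stateVersion migration notes.
        system.stateVersion = "19.03";
      };
    }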