Skip to content
Snippets Groups Projects
Select Git revision
  • 808ddf2ac4d5cecb4b8543372abf3310285e54c8
  • develop default protected
  • production protected
  • nixpkgs-upgrade-2025-06-16
  • nixpkgs-upgrade-2024-12-23
  • 190-our-regular-updates-fill-up-the-servers-boot-partitions
  • nixpkgs-upgrade-2024-10-14
  • hro-cloud protected
  • 162.flexible-grafana-module
  • nixpkgs-upgrade-2024-05-13
  • nixpkgs-upgrade-2024-04-22
  • nixpkgs-upgrade-2024-03-25
  • nixpkgs-upgrade-2024-03-18
  • nixpkgs-upgrade-2024-03-11
  • nixpkgs-upgrade-2024-03-04
  • 163.jp-to-ben-for-prod
  • nixpkgs-upgrade-2024-02-26
  • 164.grafana-alert-rules
  • 157.authorize-new-hro-key
  • nixpkgs-upgrade-2024-02-19
  • nixpkgs-upgrade-2024-02-12
21 results

issuer.nix

Blame
    • issuer.nix 3.13 KiB 
    # This contains all of the NixOS system configuration necessary to specify an
# "issuer"-type system.
{ lib, config, ...}:
let
  inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnEndpoint monitoringvpnIPv4;
  inherit (config.grid.issuer) issuerDomains allowedChargeOrigins;
in {
  imports = [
    ../../nixos/modules/monitoring/vpn/client.nix
    ../../nixos/modules/monitoring/exporters/node.nix
  ];

  options.grid.issuer = {
    issuerDomains = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = ''
        A list of strings giving the domain names that point at this issuer
        system.  These will all be included in Let's Encrypt certificate.
      '';
    };

    allowedChargeOrigins = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = ''
        A list of strings giving CORS Origins will the issuer will be configured
        to allow.
      '';
    };
  };

  config = {
    deployment = {
      secrets = {
        "ristretto-signing-key" = {
          destination = "/run/keys/ristretto.signing-key";
          source = "${privateKeyPath}/ristretto.signing-key";
          owner.user = "zkapissuer";
          owner.group = "zkapissuer";
          permissions = "0400";
          action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
        };
        "stripe-secret-key" = {
          destination = "/run/keys/stripe.secret-key";
          source = "${privateKeyPath}/stripe.secret";
          owner.user = "zkapissuer";
          owner.group = "zkapissuer";
          permissions = "0400";
          action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
        };

        "monitoringvpn-secret-key" = {
          destination = "/run/keys/monitoringvpn/client.key";
          source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
          owner.user = "root";
          owner.group = "root";
          permissions = "0400";
          action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
        };
        "monitoringvpn-preshared-key" = {
          destination = "/run/keys/monitoringvpn/preshared.key";
          source = "${privateKeyPath}/monitoringvpn/preshared.key";
          owner.user = "root";
          owner.group = "root";
          permissions = "0400";
          action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
        };
      };
    };

    services.private-storage-issuer = {
          enable = true;
      tls = true;
      ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
      stripeSecretKeyPath = config.deployment.secrets.stripe-secret-key.destination;
      database = "SQLite3";
      databasePath = "${config.fileSystems."zkapissuer-data".mountPoint}/vouchers.sqlite3";
      inherit (config.grid) letsEncryptAdminEmail;
      inherit allowedChargeOrigins;
      domains = issuerDomains;
    };

    services.private-storage.monitoring.vpn.client = {
      enable = true;
      ip = monitoringvpnIPv4;
      endpoint = monitoringvpnEndpoint;
      endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
    };

    system.stateVersion = "19.03";
  };
}