Jean-Paul Calderone authored
Generating keys
There are example public-keys and private-keys repos in morph/grid/local/.
<grid>/config.json has the paths for the key files for the respective grid.
Create a symlink private-keys to your secret key repositories for the deployment you are working on.
Create a directory named public-keys containing the corresponding public keys for the deployment.
Stripe
For the Stripe key any random bytes with a little light formatting "work" - at least to make our software happy - but if you want to be able to interact with Stripe and have payments (even pretend payments) move all the way through the system you should get a Stripe account and generate a key w/ them. Lauri can get you added to our "dev" Stripe account, too, though I forget how important that is for ad hoc dev/testing.
I think this will work for generating random Stripe secret keys (that our software will load, I think, but Stripe will reject):
>>> import base64, os
>>> print((b"sk_test_" + base64.b64encode(os.urandom(25)).strip(b"=")).decode("ascii"))
sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw
Public keys are the same but with "pk_test" instead of "sk_test" ("test" is for a "test mode" key that can only process pretend txns; for real txns there are keys with "live" embedded).
ZKAP-Issuer Ristretto
Here is a Ristretto key you can use, randomly generated just now:
SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
Generate your own like this:
[flo@la:~/PrivateStorageio]$ nix-shell
[nix-shell:~/PrivateStorageio]$ nix-shell -p zkapissuer.components.exes.PaymentServer-generate-key
[nix-shell:~/PrivateStorageio]$ PaymentServer-generate-key
SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
Make sure you write it into the key file without any leading or trailing whitespace and without newlines. For example:
echo -n "SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=" > ristretto.signing-key
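A check for the key file described above, as an added example that is not part of the PrivateStorageio repository. It assumes the key is base64 for 32 bytes, as the 44-character sample on this page is, and it also checks file permissions, since a shell redirect creates the file with the umask default (typically world-readable). The function names write_key_file and check_key_file are hypothetical, and the check covers format only, not whether the bytes are a valid Ristretto key.

```python
import base64
import binascii
import os
import stat
import tempfile

KEY_BYTES = 32  # assumption: the page's 44-character sample decodes to 32 bytes


def write_key_file(path, key_text):
    """Write the key with no trailing newline, readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as f:
        f.write(key_text.strip())
    os.chmod(path, 0o600)  # tighten a pre-existing file as well


def check_key_file(path):
    """Return a list of problems with the key file; an empty list means OK."""
    problems = []
    with open(path, "rb") as f:
        raw = f.read()
    body = raw.strip()
    if body != raw:
        problems.append("leading or trailing whitespace or newline")
    try:
        # validate=True rejects interior whitespace and other stray characters
        decoded = base64.b64decode(body, validate=True)
    except binascii.Error:
        problems.append("not valid base64")
    else:
        if len(decoded) != KEY_BYTES:
            problems.append("decodes to %d bytes, expected %d" % (len(decoded), KEY_BYTES))
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("readable or writable by group/other")
    return problems


if __name__ == "__main__":
    # Constructed sample: 32 fixed bytes, a format stand-in, not a real signing key.
    sample = base64.b64encode(bytes(range(32))).decode("ascii")
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "ristretto.signing-key")
        write_key_file(good, sample)
        print("written by write_key_file:", check_key_file(good))
        bad = os.path.join(d, "with-newline.signing-key")
        with open(bad, "w") as f:
            f.write(sample + "\n")  # what plain echo (without -n) would produce
        os.chmod(bad, 0o644)
        print("written with newline, 0644:", check_key_file(bad))
```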
ZKAP-Issuer TLS
The ZKAPIssuer.service needs a working TLS certificate and expects it in the certbot directory for the domain you configured, in my case:
openssl req -x509 -newkey rsa:4096 -nodes -keyout privkey.pem -out cert.pem -days 3650
touch chain.pem
Move the three .pem files into the payment server's /var/lib/letsencrypt/live/payments.localdev/ directory and run sudo systemctl restart zkapissuer.service.
Monitoring VPN
Create all of the Wireguard VPN keys for a grid:
./tools/create-vpn-keys.sh morph/grid/testing/grid.nix