Set up and use a network of local development VMs
... using Vagrant to manage VirtualBox VMs [1]. To get started, first install Vagrant and make sure it works. One possible way to do it in NixOS:
- Install Vagrant, by adding the packages:
  - vagrant (orchestrating virtual machines on the command line)
    - Only use when version >= 2.2.16 has become available. Else see below.
  - Optional: packer (for creating your own VM images)
- Add configuration to install and enable VirtualBox:
  virtualisation.virtualbox.host.enable = true;
- Add your user to the vboxusers group, for example:
  users.extraGroups.vboxusers.members = [ "flo" "jp" ];
[1] The author of this documentation wasted a lot of time trying to get Vagrant to work with KVM/libvirt. Issues with networking that looked like guest misconfigurations vanished after changing to the better-tested combination of Vagrant and VirtualBox.
Pre-Vagrant 2.2.16: Get Vagrant with the required fixes for NixOS guests
The Vagrant nixos-guest template received a critical update on 2021-03-08 which came out with Vagrant version 2.2.16.
If you run an older Nixpkgs, retrieve and use the latest Vagrant development version like so:
NIX_PATH=nixpkgs=https://github.com/NixOS/nixpkgs/archive/refs/heads/master.tar.gz nix-shell -p vagrant
Generating keys
config.json has the paths for the Ristretto and the Stripe secret key files.
Here is a Ristretto key you can use, randomly generated just now:
SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
Generate your own like this:
[flo@la:~/PrivateStorageio]$ nix-shell
[nix-shell:~/PrivateStorageio]$ nix-shell -p zkapissuer.components.exes.PaymentServer-generate-key
[nix-shell:~/PrivateStorageio]$ PaymentServer-generate-key
SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
Make sure you write it into the key file without any leading or trailing white space, also without newlines. For example:
echo -n "SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=" > ristretto.signing-key
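A check for the whitespace requirement above, as an added example that is not part of the original documentation or the PrivateStorageio code base. The function names, the 32-byte expected length (what the sample key above decodes to) and the owner-only permission check are assumptions made for this illustration.

```python
import base64
import binascii
import os
import tempfile

def write_key_file(path, key_b64):
    """Write the key with no trailing newline, readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key_b64.strip().encode("ascii"))
    os.chmod(path, 0o600)  # the O_CREAT mode is ignored if the file already existed

def check_key_file(path, expect_len=32):
    """Return a list of problems with a base64 key file; an empty list means OK."""
    problems = []
    with open(path, "rb") as f:
        raw = f.read()
    if not raw:
        return ["empty"]
    if raw.split() != [raw]:  # any leading, trailing or inner ASCII whitespace
        problems.append("whitespace")
    try:
        # Decode what remains so a stray newline does not hide a length problem.
        decoded = base64.b64decode(b"".join(raw.split()), validate=True)
        if len(decoded) != expect_len:  # assumed key size, see lead-in
            problems.append("length")
    except binascii.Error:
        problems.append("base64")
    if os.stat(path).st_mode & 0o077:  # group or others have some access
        problems.append("permissions")
    return problems

def demo():
    key = base64.b64encode(bytes(range(32))).decode("ascii")  # constructed sample key
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "bad.signing-key")
        with open(bad, "w") as f:
            f.write(key + "\n")  # what a plain `echo` without -n would write
        os.chmod(bad, 0o644)
        good = os.path.join(d, "good.signing-key")
        write_key_file(good, key)
        return check_key_file(bad), check_key_file(good)

if __name__ == "__main__":
    print(demo())
```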
For the Stripe key any random bytes with a little light formatting "work" - at least to make our software happy - but if you want to be able to interact with Stripe and have payments (even pretend payments) move all the way through the system you should get a Stripe account and generate a key w/ them. Lauri can get you added to our "dev" Stripe account, too, though I forget how important that is for ad hoc dev/testing.
I think this will work for generating random Stripe secret keys (that our software will load, I think, but Stripe will reject):
>>> import base64, os
>>> print((b"sk_test_" + base64.b64encode(os.urandom(25)).strip(b"=")).decode("ascii"))
sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw
Public keys are the same but "pk_test" instead of "sk_test" ("test" is for "test mode" key that can only process pretend txns; for real txns there are keys with "live" embedded).
The ZKAPIssuer.service needs a working TLS certificate and expects it in the certbot directory for the domain you configured, in my case:
openssl req -x509 -newkey rsa:4096 -nodes -keyout privkey.pem -out cert.pem -days 3650
touch chain.pem
Move the three .pem files into the payment server's /var/lib/letsencrypt/live/payments.localdev/ directory and issue a sudo systemctl restart zkapissuer.service.
Create WireGuard VPN key pairs in PrivateStorageSecrets/monitoringvpn/ or wherever you keep them:
# One private key (.key) and matching public key (.pub) per VPN peer
for i in "172.23.23.11" "172.23.23.12" "172.23.23.13" "server"; do
  wg genkey | tee "${i}.key" | wg pubkey > "${i}.pub"
done
And a shared VPN key for "post-quantum resistance":
wg genpsk > preshared.key
Use the local development environment
- Build and start the VMs:
  VAGRANT_DEFAULT_PROVIDER=virtualbox vagrant up
- Then, once:
  vagrant ssh-config > ./vagrant-ssh-config
- Edit the output: Add the IPs from grid.nix to the vagrant-ssh-config Host match blocks so the config reads like:
  Host payments1 192.168.67.21
    HostName 192.168.67.21
    User vagrant
    Port 22
    [...]
- Then, make morph use this ssh config either - with newer morph [2] - by pointing it to it:
  export SSH_CONFIG_FILE=./vagrant-ssh-config
  Or, with older morph, adding the config to your user's ~/.ssh/config file.
  [2] Morph honors the SSH_CONFIG_FILE environment variable since 3f90aa88 (March 2020, v 1.5.0).
- Then, build and deploy our software to the Vagrant VMs:
  morph build grid.nix
  morph push grid.nix
  morph upload-secrets grid.nix
  morph deploy grid.nix switch
You will now be able to log in with the users and keys you set in your localdev-users.nix file.