diff --git a/docs.nix b/docs.nix
index 813a6cb432942fccd96b96ee07313ff84cf885c6..2db695d9f5756e35824b1dd1fb15938d532bcb96 100644
--- a/docs.nix
+++ b/docs.nix
@@ -1,4 +1,4 @@
-{ pkgs ? import <nixpkgs> { } }:
+{ pkgs ? import ./nixpkgs.nix { } }:
 let
 # NixOS 19.03 packaged graphviz has trouble rendering our architecture
 # overview. Latest from upstream does alright, though. Use that.
diff --git a/morph/make-grid.nix b/morph/make-grid.nix
index 1728dacac5413fb014ef257172181b2e19078164..d740adbe237cbae54192843a6b11969a4672c6d8 100644
--- a/morph/make-grid.nix
+++ b/morph/make-grid.nix
@@ -5,7 +5,7 @@
 # server in the morph network.
 { name, nodes }:
 let
- pkgs = import ./nixpkgs.nix { };
+ pkgs = import ../nixpkgs.nix { };
 # Load our JSON configuration for later use.
 cfg = pkgs.lib.trivial.importJSON ./grid.config.json;
 in
diff --git a/morph/nixpkgs.nix b/morph/nixpkgs.nix
deleted file mode 100644
index ab317b2e6821b0c35310eb95e8b9d9532dc67dd2..0000000000000000000000000000000000000000
--- a/morph/nixpkgs.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-# Pin the deployment package-set to a specific version of nixpkgs. This is
-# NixOS 19.03 as of Aug 28 2019. There's nothing special about it. It's
-# just recent at the time of development. It can be upgraded when there is
-# value in doing so. Meanwhile, our platform doesn't shift around beneath
-# us in surprising ways as time passes.
-(builtins.fetchTarball {
- url = "https://github.com/NixOS/nixpkgs/archive/3c83ad6ac13b67101cc3e2e07781963a010c1624.tar.gz";
- sha256 = "0cdq342wrkvkyccygpp1gvwp7hhqg68hljjwld4vjixm901ayy14";
-})
diff --git a/nixos/lib/ini.nix b/nixos/lib/ini.nix
index 43f211b121fddcf0bfddbfa3a4e620667d2147b4..8ae933e409ec757de32fd285c732566eda139880 100644
--- a/nixos/lib/ini.nix
+++ b/nixos/lib/ini.nix
@@ -1,6 +1,6 @@
 # Functionality related to writing out ini syntax files (like Tahoe-LAFS'
 # tahoe.cfg).
-{ pkgs ? import <nixpkgs> { } }:
+{ pkgs }:
 let lib = pkgs.lib; in rec {
 # Get the .ini-file-appropriate string representation of a simple value.
diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index 58f4ba36bedac2b7b2de626132b831d8cdbdc142..f27e6ec8d9c82df4a06b6b4816c4b6e0eb38b849 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -63,6 +63,13 @@ in
 The URL of the Ristretto issuer service to announce.
 '';
 };
+ services.private-storage.ristrettoSigningKeyPath = lib.mkOption
+ { type = lib.types.path;
+ example = lib.literalExample "/var/run/secrets/signing-key.private";
+ description = ''
+ The path to the Ristretto signing key for the service.
+ '';
+ };
 };
 
 # Define configuration based on values given for our options - starting with
@@ -108,6 +115,7 @@ in
 };
 "storageserver.plugins.privatestorageio-zkapauthz-v1" = {
 "ristretto-issuer-root-url" = cfg.issuerRootURL;
+ "ristretto-signing-key-path" = cfg.ristrettoSigningKeyPath;
 };
 };
 };
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index f7e7ef9fa25ace1bc47506413e91d100ebd85fe4..5df571f2ad10ba27a0607df11a8405ca767c9f35 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -1,5 +1,5 @@
 let
- pkgs = (import <nixpkgs> { });
+ pkgs = (import ../../../nixpkgs.nix { });
 pspkgs = import ../pspkgs.nix { inherit pkgs; };
 
 # Separate helper programs so we can write as little perl inside a string
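Review bot: The new `ristrettoSigningKeyPath` option is declared with `lib.types.path` and its description says nothing about where the key may live, yet the second hunk in this file writes the value straight into tahoe.cfg; if a caller assigns a Nix path literal instead of a string, interpolation copies the key file into the world-readable Nix store, which defeats keeping the secret out of the module. The `example` is a plain string under /var/run/secrets, which is the safe form, so the description should say so, e.g. `Give a string path to a file outside the Nix store with restricted permissions; a Nix path literal would be copied into the world-readable store.` It would also help to state what the service expects the file to contain (presumably the same encoded key the issuer takes as `ristrettoSigningKey`), since neither hunk documents the format. The option set and the plugin config block both start and end outside these hunks.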
@@ -9,6 +9,14 @@ let
 get-passes = ./get-passes.py;
 exercise-storage = ./exercise-storage.py;
 
+ # The root URL of the Ristretto-flavored PrivacyPass issuer API.
+ issuerURL = "http://issuer:8081/";
+
+ # The issuer's signing key. Notionally, this is a secret key. This is only
+ # the value for this system test though so I don't care if it leaks to the
+ # world at large.
+ ristrettoSigningKey = "wumQAfSsJlQKDDSaFN/PZ3EbgBit8roVgfzllfCK2gQ=";
+
 # Here are the preconstructed secrets which we can assign to the introducer.
 # This is a lot easier than having the introducer generate them and then
 # discovering and configuring the other nodes with them.
@@ -61,7 +69,8 @@ import <nixpkgs/nixos/tests/make-test.nix> {
 services.private-storage.enable = true;
 services.private-storage.publicIPv4 = "storage";
 services.private-storage.introducerFURL = introducerFURL;
- services.private-storage.issuerRootURL = "http://issuer:8081/";
+ services.private-storage.issuerRootURL = issuerURL;
+ services.private-storage.ristrettoSigningKeyPath = pkgs.writeText "signing-key.private" ristrettoSigningKey;
 } // networkConfig;
 
 # Operate an issuer as well.
@@ -73,10 +82,7 @@ import <nixpkgs/nixos/tests/make-test.nix> {
 services.private-storage-issuer = {
 enable = true;
 issuer = "Ristretto";
- # Notionally, this is a secret key. This is only the value for this
- # system test though so I don't care if it leaks to the world at
- # large.
- ristrettoSigningKey = "wumQAfSsJlQKDDSaFN/PZ3EbgBit8roVgfzllfCK2gQ=";
+ inherit ristrettoSigningKey;
 };
 } // networkConfig;
 };
@@ -129,7 +135,7 @@ import <nixpkgs/nixos/tests/make-test.nix> {
 #
 # Storage appears to be working so try to get a client to speak with it.
 #
- $client->succeed('set -eo pipefail; ${run-client} ${introducerFURL} | systemd-cat');
+ $client->succeed('set -eo pipefail; ${run-client} ${introducerFURL} ${issuerURL} | systemd-cat');
 $client->waitForOpenPort(3456);
 
 # Get some ZKAPs from the issuer.
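Review bot: `pkgs.writeText "signing-key.private" ristrettoSigningKey` materialises the key as a world-readable store path, so the test only ever exercises a key file every user can read and never the production layout of `ristrettoSigningKeyPath` (a non-store file with restricted permissions, as the option's example suggests); a file-permission or read-as-service-user problem in the storage service would pass this test unnoticed. A follow-up could have the storage node copy the key into a root-only path inside the VM before the service starts, so the test covers the real shape. Separately, the hunk headers show the test still evaluates `import <nixpkgs/nixos/tests/make-test.nix>` from the unpinned channel while `pkgs` is now pinned, so the test driver and the package set can come from two different nixpkgs revisions. The test-definition attribute set starts before the first hunk and ends after the last.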
diff --git a/nixos/modules/tests/run-client.py b/nixos/modules/tests/run-client.py
index a246a737232007c95cd364ce5f6566843050a882..bcbca050b5380f3b8f3aa9691a4f6dd62b198523 100755
--- a/nixos/modules/tests/run-client.py
+++ b/nixos/modules/tests/run-client.py
@@ -12,7 +12,7 @@ from subprocess import check_output
 from configparser import ConfigParser
 
 def main():
- (introducerFURL,) = argv[1:]
+ (introducerFURL, issuerURL) = argv[1:]
 
 # PYTHONHOME set for Python 3 for this script breaks Python 2 used by
 # Tahoe. :/ This is kind of a NixOS Python packaging bug.
@@ -36,6 +36,7 @@ def main():
 config.set(u"client", u"storage.plugins", u"privatestorageio-zkapauthz-v1")
 config.add_section(u"storageclient.plugins.privatestorageio-zkapauthz-v1")
 config.set(u"storageclient.plugins.privatestorageio-zkapauthz-v1", u"redeemer", u"ristretto")
+ config.set(u"storageclient.plugins.privatestorageio-zkapauthz-v1", u"ristretto-issuer-root-url", issuerURL)
 with open("/tmp/client/tahoe.cfg", "wt") as cfg:
 config.write(cfg)
diff --git a/nixos/modules/zkap-overlay.nix b/nixos/modules/zkap-overlay.nix
index c606b47bcfa267fba29c23fb4577ea79fd2de03b..167a9b9fff0ba388951937cb12ff92eaf3d6477b 100644
--- a/nixos/modules/zkap-overlay.nix
+++ b/nixos/modules/zkap-overlay.nix
@@ -1,4 +1,4 @@
 let
- zkapauthorizer = import ../pkgs/zkapauthorizer-repo.nix;
+ src = import ../pkgs/zkapauthorizer-repo.nix;
 in
- import "${zkapauthorizer}/overlays.nix"
+ import "${src}/overlays.nix"
diff --git a/nixos/pkgs/zkapauthorizer-repo.nix b/nixos/pkgs/zkapauthorizer-repo.nix
index 44947fc2ba9c3e49c0f97d15a5a0b7b7b92ed45b..059c333c65e1f971be9b7ecfc266913b031077ef 100644
--- a/nixos/pkgs/zkapauthorizer-repo.nix
+++ b/nixos/pkgs/zkapauthorizer-repo.nix
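Review bot: `(introducerFURL, issuerURL) = argv[1:]` now requires exactly two arguments but reports a wrong count only as an unpacking `ValueError`, which is hard to read in the test log where this script's output goes through systemd-cat; a guard before the unpacking such as `if len(argv) != 3: raise SystemExit("usage: run-client.py INTRODUCER_FURL ISSUER_URL")` would name the mistake. The second hunk writes `issuerURL` into tahoe.cfg as given, which is fine because it comes from the test's own Nix literal, but the caller contract deserves a one-line docstring on `main()` stating that it takes the introducer fURL and the issuer root URL. The body of `main()` continues outside both hunks.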
@@ -2,8 +2,8 @@ let
 pkgs = import <nixpkgs> {};
 in
 pkgs.fetchFromGitHub {
- owner = "PrivateStorageio";
- repo = "ZKAPAuthorizer";
- rev = "00387ea1d02a5800ff4480a3a177ecc87b34532f";
- sha256 = "053bzpq68fz1y0qzyryxjmbpvpzshhxhkp404pviqdi18xyqgzyc";
+ owner = "privatestorageio";
+ repo = "zkapauthorizer";
+ rev = "0ae5bb532b9dfd515c65852bdbe86bd85d70f0e8";
+ sha256 = "06vsy7lbn4j9rwgzb5qcjj6255x27q1a2z84xphr0675rdi27f4f";
 }
\ No newline at end of file
diff --git a/nixos/pkgs/zkapauthorizer.nix b/nixos/pkgs/zkapauthorizer.nix
deleted file mode 100644
index 95fc177419e26a88cb0156e1ad32fe2127746ef9..0000000000000000000000000000000000000000
--- a/nixos/pkgs/zkapauthorizer.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ python27Packages }:
-let
- zkapauthorizer = import ./zkapauthorizer-repo.nix;
-in
- python27Packages.callPackage "${zkapauthorizer}/zkapauthorizer.nix" { }
diff --git a/nixos/pkgs/zkapissuer-repo.nix b/nixos/pkgs/zkapissuer-repo.nix
index 6130fc448dcc0993bd5d73b268ca8d02f72af266..481d30960ace0c12443b0b618d2a6d66cc541823 100644
--- a/nixos/pkgs/zkapissuer-repo.nix
+++ b/nixos/pkgs/zkapissuer-repo.nix
@@ -1,9 +1,9 @@
 let
- pkgs = import <nixpkgs> {};
+ pkgs = import ../../nixpkgs.nix {};
 in
 pkgs.fetchFromGitHub {
 owner = "PrivateStorageio";
 repo = "PaymentServer";
 rev = "94fb418962abee71fa97c09c76e85ccc13cf4c1e";
 sha256 = "15v71hqhs3rd8c77igbzbi2lbvrb6yyshasq3ijs51w7pwp10dac";
- }
\ No newline at end of file
+ }
diff --git a/nixos/unit-tests.nix b/nixos/unit-tests.nix
index 75016a17d128fabe11f4ecaad65dba3471ed863d..f5419aa7fe491c4b0dcf511e028b95e7d64a4cd7 100644
--- a/nixos/unit-tests.nix
+++ b/nixos/unit-tests.nix
@@ -1,6 +1,6 @@
 # The overall unit test suite for PrivateStorageio NixOS configuration.
 let
- pkgs = import <nixpkgs> { };
+ pkgs = import ../nixpkgs.nix { };
 
 # Total the numbers in a list.
 sum = builtins.foldl' (a: b: a + b) 0;
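Review bot: The context line `pkgs = import <nixpkgs> {};` at the top of this hunk is left on the unpinned channel even though the commit moves every other file, including the sibling nixos/pkgs/zkapissuer-repo.nix, to the pinned set; the `fetchFromGitHub` used here therefore comes from whatever `<nixpkgs>` resolves to on the evaluating machine. Changing it to `pkgs = import ../../nixpkgs.nix {};` keeps the pin consistent across the repository. The sibling file also gains its trailing newline in this commit while this one keeps `\ No newline at end of file`, which is worth fixing in the same pass. The enclosing `let` begins before the hunk.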
diff --git a/nixpkgs.nix b/nixpkgs.nix
new file mode 100644
index 0000000000000000000000000000000000000000..ff369425e75e52f449c8899a31fc2b2feefc9ffa
--- /dev/null
+++ b/nixpkgs.nix
@@ -0,0 +1,9 @@
+# Pin the deployment package-set to a specific version of nixpkgs. This is
+# NixOS 19.09 as of Oct 2 2019. There's nothing special about it. It's just
+# recent at the time of development. It can be upgraded when there is value
+# in doing so. Meanwhile, our platform doesn't shift around beneath us in
+# surprising ways as time passes.
+import (builtins.fetchTarball {
+ url = "https://github.com/NixOS/nixpkgs-channels/archive/5d5cd70516001e79516d2ade8bcf31df208a4ef3.tar.gz";
+ sha256 = "042i081cfwdvcfp3q79219akypb53chf730wg0vwxlp21pzgns33";
+})
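Review bot: The header comment explains the pin but not what the file evaluates to: unlike the removed morph/nixpkgs.nix, which evaluated to a store path, this file applies `import` to the tarball and so yields the nixpkgs function that callers must invoke, which is why every call site in this commit reads `import ../nixpkgs.nix { }`. Suggest appending `# Evaluates to the nixpkgs function; callers invoke it with an attribute set, e.g. import ./nixpkgs.nix { }.` to the existing comment so the contract is visible at the file that defines it. The comment could also say that the file is now shared by the deployment, docs, unit tests and system tests rather than being deployment-only.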