Merge branch '65.secrets-via-symlink' into 'develop'

Add symlink to secrets

Closes #65

See merge request !93

morph/README.rst

@@ -42,6 +42,19 @@ grid
 
 Specific grid definitions live in subdirectories beneath this directory.
 
+secrets
+~~~~~~~
+
+This must be created and populated before the grid can be built or deployed.
+
+This directory contains all of the secrets necessary to deploy the grid.
+Secrets beneath this directory are referenced by ``config.json`` and ``grid.nix``
+(and possibly elsewhere).
+Some of the paths are configurable and some are just convention.
+This path is **ignored** by git.
+The intended workflow is that the secrets will be maintained on secure storage and a symlink to the correct location created here.
+This keeps the secrets themselves out of the git working tree as an extra protection against unintentionally committing them.
+
 config.json
 ~~~~~~~~~~~
 

morph/grid/production/.gitignore

+secrets

morph/grid/production/config.json

 { "publicStoragePort": 8898
-, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
-, "stripeSecretKeyPath": "../../PrivateStorageSecrets/stripe.secret"
+, "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
+, "stripeSecretKeyPath": "./secrets/stripe.secret"
 , "passValue": 1000000
 , "issuerDomain": "payments.privatestorage.io"
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"

morph/grid/production/grid.nix

@@ -6,7 +6,7 @@ import ../../lib/make-grid.nix {
   config = ./config.json;
   nodes = cfg:
     let
-      sshUsers = import ../../../../PrivateStorageSecrets/production-users.nix;
+      sshUsers = import ./users.nix;
     in {
     # Here are the hosts that are in this morph network.  This is sort of like
     # a server manifest.  We try to keep as many of the specific details as

morph/grid/production/users.nix

+let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGN4VQm3BIQKEFTw6aPrEwNuShf640N+Py2LOKznFCRT exarkun@bottom";
+in { "root" = key; jcalderone = key; }

morph/grid/testing/.gitignore

+secrets

morph/grid/testing/config.json

 { "publicStoragePort": 8898
-, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
-, "stripeSecretKeyPath": "../../PrivateStorageSecrets/privatestorageio-testing-stripe.secret"
+, "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
+, "stripeSecretKeyPath": "./secrets/stripe.secret"
 , "passValue": 1000000
 , "issuerDomain": "payments.privatestorage-staging.com"
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"

morph/grid/testing/grid.nix

@@ -6,15 +6,10 @@ import ../../lib/make-grid.nix {
   config = ./config.json;
   nodes = cfg:
   let
-    importDef = default: path: (
-      if builtins.pathExists path
-      then import path
-      else default
-    );
-    sshUsers = importDef {} ../../../../PrivateStorageSecrets/staging-users.nix;
+    sshUsers = import ./users.nix;
   in {
     "payments" = import ../../lib/make-issuer.nix ({
-      publicIPv4 = "18.197.42.120";
+      publicIPv4 = "18.194.183.13";
       inherit sshUsers;
       hardware = ../../lib/issuer-aws.nix;
       stateVersion = "19.03";

morph/grid/testing/users.nix

+let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGN4VQm3BIQKEFTw6aPrEwNuShf640N+Py2LOKznFCRT exarkun@bottom";
+in { "root" = key; jcalderone = key; }

morph/lib/make-issuer.nix

@@ -10,6 +10,7 @@
 , ...
 }: rec {
   deployment = {
+    targetUser = "root";
     targetHost = publicIPv4;
 
     secrets = {

morph/lib/make-storage.nix

@@ -14,6 +14,7 @@
 , ...
 }: rec {
   deployment = {
+    targetUser = "root";
     targetHost = cfg.publicIPv4;
 
     secrets = {

morph/lib/make-testing.nix

 { publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, ... }: rec {
 
   deployment = {
+    targetUser = "root";
     targetHost = publicIPv4;
 
     secrets = {