diff --git a/morph/README.rst b/morph/README.rst
index d4a89a373a1bef767ad26859d495f1528a4fb7ca..1f48d5e0ad30b1f44a1a2cee8c5aa6f0669bcc75 100644
--- a/morph/README.rst
+++ b/morph/README.rst
@@ -42,6 +42,19 @@ grid
 Specific grid definitions live in subdirectories beneath this directory.
+secrets
+~~~~~~~
+
+This must be created and populated before the grid can be built or deployed.
+
+This directory contains all of the secrets necessary to deploy the grid.
+Secrets beneath this directory are referenced by ``config.json`` and ``grid.nix``
+(and possibly elsewhere).
+Some of the paths are configurable and some are just convention.
+This path is **ignored** by git.
+The intended workflow is that the secrets will be maintained on secure storage and a symlink to the correct location created here.
+This keeps the secrets themselves out of the git working tree as an extra protection against unintentionally committing them.
+
 config.json
 ~~~~~~~~~~~
diff --git a/morph/grid/production/.gitignore b/morph/grid/production/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..db2fc0de62d01d6d7eec83f8f3e8c3b13b20392a
--- /dev/null
+++ b/morph/grid/production/.gitignore
@@ -0,0 +1 @@
+secrets
diff --git a/morph/grid/production/config.json b/morph/grid/production/config.json
index 11ce70c07ebdbdfa0e28170d5017010cd5f55fa8..b91d7d2e74e4e3d2b30c5e9bea5b33fa4c6fdf1c 100644
--- a/morph/grid/production/config.json
+++ b/morph/grid/production/config.json
@@ -1,6 +1,6 @@
 { "publicStoragePort": 8898
-, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
-, "stripeSecretKeyPath": "../../PrivateStorageSecrets/stripe.secret"
+, "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
+, "stripeSecretKeyPath": "./secrets/stripe.secret"
 , "passValue": 1000000
 , "issuerDomain": "payments.privatestorage.io"
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
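Review bot: Both secret paths in production/config.json become relative (`./secrets/ristretto.signing-key`, `./secrets/stripe.secret`), and nothing in this hunk shows what they are relative to — the directory of the config file, or the working directory of whoever runs the build. If ../../lib/make-grid.nix resolves them against the working directory, a deploy started from anywhere other than morph/grid/production would fail to find the files, or worse, read a same-named file from wherever the command happened to be run. Worth confirming how make-grid.nix treats these strings and stating the base directory in the README's new secrets section; the testing/config.json hunk has the same open question. Presumably these paths are meant to traverse the `secrets` symlink the README describes, so a dangling or mis-targeted link is better checked before the build than discovered as a missing-file error mid-deploy.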
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index 7c9abe142fa98a6ceeebb3c8dc6d53dec2622e8c..69a17602f0499acaa8b45adca5e45c8acc637110 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -6,7 +6,7 @@
 import ../../lib/make-grid.nix {
 config = ./config.json;
 nodes = cfg: let
- sshUsers = import ../../../../PrivateStorageSecrets/production-users.nix;
+ sshUsers = import ./users.nix;
 in {
 # Here are the hosts that are in this morph network. This is sort of like
 # a server manifest. We try to keep as many of the specific details as
diff --git a/morph/grid/production/users.nix b/morph/grid/production/users.nix
new file mode 100644
index 0000000000000000000000000000000000000000..d3520076636b56c0b07055a135becaf6a77b798f
--- /dev/null
+++ b/morph/grid/production/users.nix
@@ -0,0 +1,2 @@
+let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGN4VQm3BIQKEFTw6aPrEwNuShf640N+Py2LOKznFCRT exarkun@bottom";
+in { "root" = key; jcalderone = key; }
diff --git a/morph/grid/testing/.gitignore b/morph/grid/testing/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..db2fc0de62d01d6d7eec83f8f3e8c3b13b20392a
--- /dev/null
+++ b/morph/grid/testing/.gitignore
@@ -0,0 +1 @@
+secrets
diff --git a/morph/grid/testing/config.json b/morph/grid/testing/config.json
index e9b3b96940ab6cc73ef6b6f8dc2ec89a83a463d9..ca018157f4cf50acbc7b21e24c5b61a07524dba9 100644
--- a/morph/grid/testing/config.json
+++ b/morph/grid/testing/config.json
@@ -1,6 +1,6 @@
 { "publicStoragePort": 8898
-, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
-, "stripeSecretKeyPath": "../../PrivateStorageSecrets/privatestorageio-testing-stripe.secret"
+, "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
+, "stripeSecretKeyPath": "./secrets/stripe.secret"
 , "passValue": 1000000
 , "issuerDomain": "payments.privatestorage-staging.com"
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
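Review bot: production/users.nix is added without any comment saying what it is for, and it is byte-identical to the new testing/users.nix (both index d3520076…), so a key rotation or a removal now has to be repeated in two places where before production-users.nix and staging-users.nix were at least distinct files. If the two grids really are meant to share one authorized-key set, a single shared file imported by both grid.nix files would avoid silent drift; if they are not, the duplication hides that they currently coincide. Either way a header such as `# SSH public keys granted login on every host of this grid; the "root" entry is presumably what the targetUser = "root" deployment added in the lib files logs in as.` would help whoever edits this next. Committing the public half of the key is fine; the point is that this file is now the one place the grid's root login set is defined.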
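Review bot: `stripeSecretKeyPath` in testing/config.json changes from `../../PrivateStorageSecrets/privatestorageio-testing-stripe.secret` to `./secrets/stripe.secret`, the same basename production now uses, so the environment that used to be encoded in the file name no longer is. With the symlink workflow the README describes, the only thing keeping the staging Stripe key apart from the production one is which `secrets` directory the link lands in, and linking the wrong storage into morph/grid/testing would not be noticed until real charges appeared. I would keep a distinctive name, `, "stripeSecretKeyPath": "./secrets/privatestorageio-testing-stripe.secret"`, or else have the README list the expected files per grid so a mismatch can be checked before deploying. As in production/config.json, the hunk does not show what these relative paths are resolved against.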
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index c1a9f60a0e4154b4bc208429c8f4ab5704c106d6..90acab60b7bf6a12f2c5ff3ff93cb93e479491aa 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -6,15 +6,10 @@
 import ../../lib/make-grid.nix {
 config = ./config.json;
 nodes = cfg: let
- importDef = default: path: (
- if builtins.pathExists path
- then import path
- else default
- );
- sshUsers = importDef {} ../../../../PrivateStorageSecrets/staging-users.nix;
+ sshUsers = import ./users.nix;
 in {
 "payments" = import ../../lib/make-issuer.nix ({
- publicIPv4 = "18.197.42.120";
+ publicIPv4 = "18.194.183.13";
 inherit sshUsers;
 hardware = ../../lib/issuer-aws.nix;
 stateVersion = "19.03";
diff --git a/morph/grid/testing/users.nix b/morph/grid/testing/users.nix
new file mode 100644
index 0000000000000000000000000000000000000000..d3520076636b56c0b07055a135becaf6a77b798f
--- /dev/null
+++ b/morph/grid/testing/users.nix
@@ -0,0 +1,2 @@
+let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGN4VQm3BIQKEFTw6aPrEwNuShf640N+Py2LOKznFCRT exarkun@bottom";
+in { "root" = key; jcalderone = key; }
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index e8a6333c19a742917b930164c26f43ac791c0d6d..d2fc1cade3e23363eb80a3e2f01b64c5675495ae 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -10,6 +10,7 @@
 , ... }:
 rec {
 deployment = {
+ targetUser = "root";
 targetHost = publicIPv4;
 secrets = {
diff --git a/morph/lib/make-storage.nix b/morph/lib/make-storage.nix
index af0867c8b8342e31393f19a76a7cbfc4c95f86c9..25f3a95bfb5e66a4b42c5f2f82b4fdacbaed4b41 100644
--- a/morph/lib/make-storage.nix
+++ b/morph/lib/make-storage.nix
@@ -14,6 +14,7 @@
 , ... }:
 rec {
 deployment = {
+ targetUser = "root";
 targetHost = cfg.publicIPv4;
 secrets = {
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index 1c0e1305ce6b2b83851df03d6d5b019e01604b95..ed6ba27e70726cb08c38850cd09f08b37897fcfa 100644
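Review bot: The `publicIPv4` change from `"18.197.42.120"` to `"18.194.183.13"` in testing/grid.nix is unrelated to relocating the secrets and is explained nowhere in the hunk; make-issuer.nix in this same commit uses that value as `targetHost` for a deployment that now runs as root and carries a `secrets` block, so a stale or mistyped address sends the whole deployment to whatever host answers there. A comment on the line, `# Public address of the staging payments host (changed: <reason/date — fill in>)`, plus a check that the deploying machines have the SSH host key for the new address pinned, would make this reviewable. Dropping `importDef` is an improvement in itself: a missing users.nix is now a hard evaluation error instead of a silent deploy with an empty `sshUsers`. The `"payments"` attribute set continues past the end of the hunk.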
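Review bot: `targetUser = "root";` is added to make-issuer.nix, and identically to make-storage.nix and make-testing.nix, with no comment on what the hosts must provide for it to work: the deploy session is presumably opened as root, so the hosts have to permit key-based root SSH login and the operator's deploying key has to be the one listed under `"root"` in the grid's users.nix — a coupling this commit creates between those files without saying so. A one-line comment beside it, `# Deploy over SSH as root; the deploying key must be the "root" entry of the grid's users.nix.`, keeps that dependency visible the next time the user list is edited. If the hosts' sshd configuration does not already restrict root login to keys only, that belongs in the same change; I cannot see it from these hunks. The enclosing `deployment` set continues past the hunk in all three files.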
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -1,6 +1,7 @@
 { publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, ... }:
 rec {
 deployment = {
+ targetUser = "root";
 targetHost = publicIPv4;
 secrets = {