PrivateStorage / PrivateStorageio
Commit 1a6d0248 authored 3 years ago by Jean-Paul Calderone
docs and minor cleanups to issuer configuration
parent 521426de
3 merge requests: !140 Merge staging into production, !118 Merge develop into staging, !109 Regularize (somewhat) the definition of grids for Morph
Showing 2 changed files with 43 additions and 21 deletions:
morph/lib/customize-issuer.nix (+37, -3)
morph/lib/issuer.nix (+6, -18)

morph/lib/customize-issuer.nix (+37, -3)
{
ristrettoSigningKeyPath
# Define a function which returns a value which fills in all the holes left by
# ``issuer.nix``.
{
# A path on the deployment system to a file containing the Ristretto signing
# key. This is used as the source of the Ristretto signing key morph
# secret.
ristrettoSigningKeyPath
# A path on the deployment system to a file containing the Stripe secret
# key. This is used as the source of the Stripe secret key morph secret.
,
stripeSecretKeyPath
# A path on the deployment system to a directory containing a number of
# VPN-related secrets. This is expected to contain a number of files named
# like ``<VPN IPv4 address>.key`` containing the VPN private key for the
# corresponding host. It must also contain ``server.pub`` and
# ``preshared.key`` holding the VPN server's public key and the pre-shared
# key, respectively. All of these things are used as the sources of various
# VPN-related morph secrets.
,
monitoringvpnKeyDir
# A string giving the IP address and port number (":"-separated) of the VPN
# server.
,
monitoringvpnEndpoint
# A string giving the VPN IPv4 address for this system.
,
monitoringvpnIPv4
# A set mapping usernames as strings to SSH public keys as strings. For
# each element of the site, the indicated user is configured on the system
# with the indicated SSH key as an authorized key.
,
sshUsers
# A string giving an email address to use for Let's Encrypt registration and
# certificate issuance.
,
letsEncryptAdminEmail
# A list of strings giving the domain names that point at this issuer
# system. These will all be included in Let's Encrypt certificate.
,
issuerDomains
# A list of strings giving CORS Origins will the issuer will be configured
# to allow.
,
allowedChargeOrigins
,
...
}:
{
...
...
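Review bot: Three of the new parameter doc comments need wording fixes before merge, which matters in a commit whose stated purpose is docs: the `allowedChargeOrigins` comment reads "CORS Origins will the issuer will be configured to allow" (should be "which the issuer will be configured to allow"), the `issuerDomains` comment says "included in Let's Encrypt certificate" (missing "the"), and the `sshUsers` comment says "For each element of the site" where "set" is meant. Separately, the `monitoringvpnKeyDir` comment documents a directory of private keys named `<VPN IPv4 address>.key` that is read from the deployment system; one sentence on how that directory is expected to be protected on the deployment host would help whoever provisions it.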
@@ -25,9 +60,8 @@
};
services
.
private-storage-issuer
=
{
letsEncryptAdminEmail
=
letsEncryptAdminEmail
;
inherit
letsEncryptAdminEmail
allowedChargeOrigins
;
domains
=
issuerDomains
;
allowedChargeOrigins
=
allowedChargeOrigins
;
};
system
.
stateVersion
=
"19.03"
;
...
...
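Review bot: Behaviour-preserving: `inherit letsEncryptAdminEmail allowedChargeOrigins;` binds both attributes to the same-named function arguments exactly as the two removed `x = x;` lines did, and the hunk header (-9 +8) matches two lines out, one in. `domains = issuerDomains;` has to stay explicit because the attribute and argument names differ; if the argument were renamed to `domains` the whole block could be a single `inherit`.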
morph/lib/issuer.nix (+6, -18)
# This is all of the static NixOS system configuration necessary to specify an
# "issuer"-type system. The configuration has various holes in it which must
# be filled somehow. These holes correspond to configuration which is not
# statically known. This value is suitable for use as a module to be imported
# into a more complete system configuration. It is expected that the holes
# will be filled by a sibling module created by ``customize-issuer.nix``.
rec
{
deployment
=
{
secrets
=
{
"ristretto-signing-key"
=
{
# source = ... fill this in ...
destination
=
"/run/keys/ristretto.signing-key"
;
owner
.
user
=
"root"
;
owner
.
group
=
"root"
;
...
...
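Review bot: Removing the `# source = ... fill this in ...` placeholder here (and for the other three secrets in the hunks below) takes away the only in-file marker of which attribute the sibling module must supply; the new header comment says holes exist but not which ones. Suggest the header list them explicitly: `deployment.secrets.<name>.source` for `ristretto-signing-key`, `stripe-secret-key`, `monitoringvpn-secret-key` and `monitoringvpn-preshared-key`, plus the `services.private-storage`, `services.private-storage-issuer` and `system.stateVersion` settings removed further down. While here, each secret sets `owner.user` and `owner.group` to root but no `permissions`; stating the mode explicitly (owner read-only) documents the intent for key material landing under `/run/keys`.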
@@ -10,7 +15,6 @@ rec {
action
=
[
"sudo"
"systemctl"
"restart"
"zkapissuer.service"
];
};
"stripe-secret-key"
=
{
# source = ... fill this in ...
destination
=
"/run/keys/stripe.secret-key"
;
owner
.
user
=
"root"
;
owner
.
group
=
"root"
;
...
...
@@ -19,7 +23,6 @@ rec {
};
"monitoringvpn-secret-key"
=
{
# source = ... fill this in ...
destination
=
"/run/keys/monitoringvpn/client.key"
;
owner
.
user
=
"root"
;
owner
.
group
=
"root"
;
...
...
@@ -27,7 +30,6 @@ rec {
action
=
[
"sudo"
"systemctl"
"restart"
"wireguard-monitoringvpn.service"
];
};
"monitoringvpn-preshared-key"
=
{
# source = ... fill this in ...
destination
=
"/run/keys/monitoringvpn/preshared.key"
;
owner
.
user
=
"root"
;
owner
.
group
=
"root"
;
...
...
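Review bot: The context at the top of this hunk shows `monitoringvpn-secret-key` restarting `wireguard-monitoringvpn.service` after upload, but the `action` for `monitoringvpn-preshared-key` falls outside the visible lines; confirm it restarts the same unit, since a rotated pre-shared key only takes effect once WireGuard reloads its configuration.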
@@ -43,15 +45,6 @@ rec {
../../nixos/modules/monitoring/exporters/node.nix
];
services
.
private-storage
=
{
# sshUsers = ...
monitoring
.
vpn
.
client
=
{
# enable = ...
# ip = ...
# endpoint = ...
# endpointPublicKeyFile = ...
};
};
services
.
private-storage-issuer
=
{
enable
=
true
;
tls
=
true
;
...
...
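Review bot: With this block gone, `services.private-storage` is no longer mentioned anywhere in issuer.nix, so a reader of this file alone cannot tell that `sshUsers` and the `monitoring.vpn.client` settings (`enable`, `ip`, `endpoint`, `endpointPublicKeyFile`) are expected from customize-issuer.nix. A single comment in place of the removed block, pointing at the sibling module, would keep that pointer without the placeholder assignments.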
@@ -59,10 +52,5 @@ rec {
stripeSecretKeyPath
=
deployment
.
secrets
.
stripe-secret-key
.
destination
;
database
=
"SQLite3"
;
databasePath
=
"/var/db/vouchers.sqlite3"
;
# letsEncryptAdminEmail = ...;
# domains = ...;
# allowedChargeOrigins = ...;
};
# system.stateVersion = ...
}
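Review bot: The removed placeholders (`letsEncryptAdminEmail`, `domains`, `allowedChargeOrigins`, `system.stateVersion`) correspond one-to-one with what the customize-issuer.nix hunk in this commit sets, so no hole is left unfilled. The hunk header records 5 lines removed against the four comment lines visible here; double-check that the fifth is only a blank line and not a setting.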