Commit 1a6d0248 authored by Jean-Paul Calderone's avatar Jean-Paul Calderone

docs and minor cleanups to issuer configuration

parent 521426de
3 merge requests!140Merge staging into production,!118Merge develop into staging,!109Regularize (somewhat) the definition of grids for Morph
{ ristrettoSigningKeyPath
# Define a function which returns a value which fills in all the holes left by
# ``issuer.nix``.
{
# A path on the deployment system to a file containing the Ristretto signing
# key. This is used as the source of the Ristretto signing key morph
# secret.
ristrettoSigningKeyPath
# A path on the deployment system to a file containing the Stripe secret
# key. This is used as the source of the Stripe secret key morph secret.
, stripeSecretKeyPath
# A path on the deployment system to a directory containing a number of
# VPN-related secrets. This is expected to contain a number of files named
# like ``<VPN IPv4 address>.key`` containing the VPN private key for the
# corresponding host. It must also contain ``server.pub`` and
# ``preshared.key`` holding the VPN server's public key and the pre-shared
# key, respectively. All of these things are used as the sources of various
# VPN-related morph secrets.
, monitoringvpnKeyDir
# A string giving the IP address and port number (":"-separated) of the VPN
# server.
, monitoringvpnEndpoint
# A string giving the VPN IPv4 address for this system.
, monitoringvpnIPv4
# A set mapping usernames as strings to SSH public keys as strings. For
# each element of the site, the indicated user is configured on the system
# with the indicated SSH key as an authorized key.
, sshUsers
# A string giving an email address to use for Let's Encrypt registration and
# certificate issuance.
, letsEncryptAdminEmail
# A list of strings giving the domain names that point at this issuer
# system. These will all be included in Let's Encrypt certificate.
, issuerDomains
# A list of strings giving CORS Origins will the issuer will be configured
# to allow.
, allowedChargeOrigins
, ...
}: {
......@@ -25,9 +60,8 @@
};
services.private-storage-issuer = {
letsEncryptAdminEmail = letsEncryptAdminEmail;
inherit letsEncryptAdminEmail allowedChargeOrigins;
domains = issuerDomains;
allowedChargeOrigins = allowedChargeOrigins;
};
system.stateVersion = "19.03";
......
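Review bot: Two of the new parameter comments in the argument set have typos that change their meaning: `# each element of the site, the indicated user is configured` should read `# each element of the set, the indicated user is configured`, and `# A list of strings giving CORS Origins will the issuer will be configured` should read `# A list of strings giving the CORS Origins which the issuer will be configured`. Since `ristrettoSigningKeyPath`, `stripeSecretKeyPath` and `monitoringvpnKeyDir` are all documented as paths on the deployment system that become morph secret sources, the header comment would also benefit from one sentence saying these files are expected to live on the deployment host with restricted permissions and are never part of the evaluated configuration itself; I cannot see from this hunk whether anything enforces that, so it is a caveat rather than a claim. The function body that consumes these arguments continues past the first hunk and the second hunk's `services.private-storage-issuer` block is cut at both ends.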
# This is all of the static NixOS system configuration necessary to specify an
# "issuer"-type system. The configuration has various holes in it which must
# be filled somehow. These holes correspond to configuration which is not
# statically known. This value is suitable for use as a module to be imported
# into a more complete system configuration. It is expected that the holes
# will be filled by a sibling module created by ``customize-issuer.nix``.
rec {
deployment = {
secrets = {
"ristretto-signing-key" = {
# source = ... fill this in ...
destination = "/run/keys/ristretto.signing-key";
owner.user = "root";
owner.group = "root";
......@@ -10,7 +15,6 @@ rec {
action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
};
"stripe-secret-key" = {
# source = ... fill this in ...
destination = "/run/keys/stripe.secret-key";
owner.user = "root";
owner.group = "root";
......@@ -19,7 +23,6 @@ rec {
};
"monitoringvpn-secret-key" = {
# source = ... fill this in ...
destination = "/run/keys/monitoringvpn/client.key";
owner.user = "root";
owner.group = "root";
......@@ -27,7 +30,6 @@ rec {
action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
};
"monitoringvpn-preshared-key" = {
# source = ... fill this in ...
destination = "/run/keys/monitoringvpn/preshared.key";
owner.user = "root";
owner.group = "root";
......@@ -43,15 +45,6 @@ rec {
../../nixos/modules/monitoring/exporters/node.nix
];
services.private-storage = {
# sshUsers = ...
monitoring.vpn.client = {
# enable = ...
# ip = ...
# endpoint = ...
# endpointPublicKeyFile = ...
};
};
services.private-storage-issuer = {
enable = true;
tls = true;
......@@ -59,10 +52,5 @@ rec {
stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
database = "SQLite3";
databasePath = "/var/db/vouchers.sqlite3";
# letsEncryptAdminEmail = ...;
# domains = ...;
# allowedChargeOrigins = ...;
};
# system.stateVersion = ...
}
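Review bot: With the `# source = ... fill this in ...` markers and the `# letsEncryptAdminEmail = ...;` / `# domains = ...;` / `# allowedChargeOrigins = ...;` / `# system.stateVersion = ...` placeholders removed, a reader of issuer.nix alone can no longer see which attributes the sibling module must supply; the new header comment names `customize-issuer.nix` but does not list the holes. I would extend that header with a short enumeration along the lines of `# Holes: deployment.secrets.<name>.source for each secret, services.private-storage.sshUsers and monitoring.vpn.client.*, the letsEncryptAdminEmail/domains/allowedChargeOrigins of services.private-storage-issuer, and system.stateVersion.` so the contract between the two files stays visible without the inline markers. It is also worth stating there that a missing `source` must fail evaluation rather than deploy: each secret entry still declares a root-owned destination under `/run/keys` and a restart action, and an issuer deployed without its signing key or Stripe key would be a silent misconfiguration; I cannot tell from this hunk whether morph rejects an unset source, so please confirm. Each `deployment.secrets` entry is cut mid-attribute-set by the hunk boundaries.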