diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 7510b6b82e8b298387394e5ff8082445a2fe18e7..e8a6333c19a742917b930164c26f43ac791c0d6d 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -8,14 +8,14 @@
 , stateVersion
 , publicIPv4
 , ...
-}: {
+}: rec {
 deployment = {
 targetHost = publicIPv4;
 secrets = {
 "ristretto-signing-key" = {
 source = ristrettoSigningKeyPath;
- destination = "/var/secrets/ristretto.signing-key";
+ destination = "/run/keys/ristretto.signing-key";
 owner.user = "root";
 owner.group = "root";
 permissions = "0400";
@@ -23,7 +23,7 @@
 };
 "stripe-secret-key" = {
 source = stripeSecretKeyPath;
- destination = "/var/secrets/stripe.secret-key";
+ destination = "/run/keys/stripe.secret-key";
 owner.user = "root";
 owner.group = "root";
 permissions = "0400";
@@ -41,8 +41,8 @@
 services.private-storage-issuer = {
 enable = true;
 tls = true;
- ristrettoSigningKeyPath = "/var/secrets/ristretto.signing-key";
- stripeSecretKeyPath = "/var/secrets/stripe.secret-key";
+ ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
+ stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
 database = "SQLite3";
 databasePath = "/var/db/vouchers.sqlite3";
 inherit letsEncryptAdminEmail;
diff --git a/morph/lib/make-storage.nix b/morph/lib/make-storage.nix
index c286106a18caca4a575305f0fa897aedaac60c55..af0867c8b8342e31393f19a76a7cbfc4c95f86c9 100644
--- a/morph/lib/make-storage.nix
+++ b/morph/lib/make-storage.nix
@@ -19,7 +19,7 @@
 secrets = {
 "ristretto-signing-key" = {
 source = ristrettoSigningKeyPath;
- destination = "/var/secrets/ristretto.signing-key";
+ destination = "/run/keys/ristretto.signing-key";
 owner.user = "root";
 owner.group = "root";
 permissions = "0400";
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index ee1e2db49ba337578312866f737e216f961dc152..1c0e1305ce6b2b83851df03d6d5b019e01604b95 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
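Review bot: The new `destination = "/run/keys/ristretto.signing-key"` places the key on a tmpfs, so the uploaded secret disappears at reboot while the service configuration keeps pointing at it; the same move appears in the `stripe-secret-key` hunk below, in make-storage.nix and in make-testing.nix. Nothing in the diff re-uploads the files or gates the issuer on their presence, so a rebooted host would come up without its signing key until `morph upload-secrets` is run again, which is worth recording next to the first destination: `# /run is tmpfs on NixOS: secrets must be re-uploaded (morph upload-secrets) after every reboot`. NixOS also creates `/run/keys` as root:keys 0750, so if private-storage-issuer runs as a non-root user it would need membership in the `keys` group on top of the file's own `0400` root-owned mode; whether it runs as root is not visible here. The enclosing function's argument list begins before this hunk.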
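Review bot: The references `deployment.secrets.ristretto-signing-key.destination` and `deployment.secrets.stripe-secret-key.destination` in the `services.private-storage-issuer` hunk depend on the `rec` added to the module's top-level set in the first hunk, which makes every attribute of the module self-referential when only these two paths need sharing. A `let` binding above the set, e.g. `let ristrettoKey = "/run/keys/ristretto.signing-key"; stripeKey = "/run/keys/stripe.secret-key"; in { … }`, keeps the single source of truth without `rec` and reads more conventionally in NixOS modules. Whichever form is kept, a comment on `ristrettoSigningKeyPath` such as `# must match deployment.secrets.<name>.destination above` helps a reader who only sees this block. The attribute set is not closed within the hunk.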
@@ -6,7 +6,7 @@
 secrets = {
 "ristretto-signing-key" = {
 source = ristrettoSigningKeyPath;
- destination = "/var/secrets/ristretto.signing-key";
+ destination = "/run/keys/ristretto.signing-key";
 owner.user = "root";
 owner.group = "root";
 permissions = "0400";