diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index 760826b8665f149742b6602288e153e209e00488..c1a9f60a0e4154b4bc208429c8f4ab5704c106d6 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -15,7 +15,6 @@ import ../../lib/make-grid.nix {
 in {
 "payments" = import ../../lib/make-issuer.nix ({
 publicIPv4 = "18.197.42.120";
- monitoringvpnIPv4 = "172.23.23.11";
 inherit sshUsers;
 hardware = ../../lib/issuer-aws.nix;
 stateVersion = "19.03";
@@ -23,7 +22,6 @@ import ../../lib/make-grid.nix {
 
 "storage001" = import ../../lib/make-testing.nix (cfg // {
 publicIPv4 = "3.120.26.190";
- monitoringvpnIPv4 = "172.23.23.11";
 inherit sshUsers;
 hardware = ./testing001-hardware.nix;
 stateVersion = "19.03";
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 912b022495166589ae3b13fa0da9a59ee694b38e..17382c4bed0e548baf49431cda493c4ca7305fee 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
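Review bot: Dropping `monitoringvpnIPv4` from `payments` (this hunk) and from `storage001` (the `@@ -23,7 +22,6 @@` hunk) switches the monitoring VPN off for the whole testing grid, because the host builders now enable it only when both `monitoringvpnSecretKeyDir` and `monitoringvpnIPv4` are given, and nothing in the file records that this is intended. If it is, a comment on each host such as `# no monitoring VPN on the testing grid: no per-host client key/address is provisioned` would make the gap deliberate rather than accidental; both hosts previously used the same address 172.23.23.11, which would have made two peers collide inside the VPN, so removing rather than fixing the addresses may well be the goal. If `cfg` (defined outside the hunk) still carries `monitoringvpnSecretKeyDir`, it is now unused for `storage001` and could be removed in the same change.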
@@ -1,16 +1,41 @@
 { hardware
 , ristrettoSigningKeyPath
 , stripeSecretKeyPath
-, monitoringvpnSecretKeyDir
 , issuerDomain
 , letsEncryptAdminEmail
 , allowedChargeOrigins
 , sshUsers
 , stateVersion
 , publicIPv4
-, monitoringvpnIPv4
+, monitoringvpnSecretKeyDir ? null
+, monitoringvpnIPv4 ? null
 , ...
-}: rec {
+}: let
+
+ enableVpn = if (monitoringvpnSecretKeyDir != null &&
+ monitoringvpnIPv4 != null)
+ then true else false;
+
+ vpnSecrets = if !enableVpn then {} else {
+ "monitoringvpn-secret-key" = {
+ source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
+ destination = "/run/keys/monitoringvpn/client.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ source = monitoringvpnSecretKeyDir + "/preshared.key";
+ destination = "/run/keys/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+
+in rec {
 deployment = {
 targetHost = publicIPv4;
 
@@ -31,23 +56,7 @@
 permissions = "0400";
 action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
 };
- "monitoringvpn-secret-key" = {
- source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
- destination = "/run/keys/monitoringvpn/client.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- "monitoringvpn-preshared-key" = {
- source = monitoringvpnSecretKeyDir + "/preshared.key";
- destination = "/run/keys/monitoringvpn/preshared.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- };
+ } // vpnSecrets;
 };
 
 imports = [
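Review bot: `enableVpn` fails silently when only one of `monitoringvpnSecretKeyDir` / `monitoringvpnIPv4` is supplied: the host then deploys with no monitoring VPN and no evaluation error, so a half-configured host simply disappears from monitoring instead of failing the build. Adding `assert (monitoringvpnSecretKeyDir == null) == (monitoringvpnIPv4 == null);` between `}:` and `let` (or a `throw` inside `enableVpn`) would reject that mismatch at evaluation time while still allowing both-absent as the opt-out. The `if (...) then true else false` wrapper is redundant; `enableVpn = monitoringvpnSecretKeyDir != null && monitoringvpnIPv4 != null;` says the same. The `enableVpn`/`vpnSecrets` block is duplicated verbatim in the make-testing.nix hunk at `@@ -2,12 +2,37 @@`; a shared helper under `../lib` taking the two arguments would keep the key paths, permissions and restart action defined once.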
@@ -71,7 +80,7 @@
 
 system.stateVersion = stateVersion;
 
- services.private-storage.monitoring.vpn.client = {
+ services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
 enable = true;
 ip = monitoringvpnIPv4;
 };
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index 050c4399731506738bb4bbee357ec218032e4964..149ae7409ee2604cfb21fe31b33157e75da95044 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -2,12 +2,37 @@
 , hardware
 , publicStoragePort
 , ristrettoSigningKeyPath
-, monitoringvpnSecretKeyDir
 , passValue
 , sshUsers
 , stateVersion
-, monitoringvpnIPv4
-, ... }: rec {
+, monitoringvpnSecretKeyDir ? null
+, monitoringvpnIPv4 ? null
+, ... }: let
+
+ enableVpn = if (monitoringvpnSecretKeyDir != null &&
+ monitoringvpnIPv4 != null)
+ then true else false;
+
+ vpnSecrets = if !enableVpn then {} else {
+ "monitoringvpn-secret-key" = {
+ source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
+ destination = "/run/keys/monitoringvpn/client.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ source = monitoringvpnSecretKeyDir + "/preshared.key";
+ destination = "/run/keys/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+
+in rec {
 deployment = {
 targetHost = publicIPv4;
 
@@ -24,23 +49,7 @@
 # extract it from the tahoe-lafs nixos module somehow?
 action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
 };
- "monitoringvpn-secret-key" = {
- source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
- destination = "/run/keys/monitoringvpn/client.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- "monitoringvpn-preshared-key" = {
- source = monitoringvpnSecretKeyDir + "/preshared.key";
- destination = "/run/keys/monitoringvpn/preshared.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- };
+ } // vpnSecrets;
 };
 
 imports = [
@@ -60,7 +69,7 @@
 
 system.stateVersion = stateVersion;
 
- services.private-storage.monitoring.vpn.client = {
+ services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
 enable = true;
 ip = monitoringvpnIPv4;
 };