From 671e9f0f3738203e2f6f518925fc937d2135541b Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Sun, 30 May 2021 18:48:52 +0000
Subject: [PATCH] Make VPN optional - fix testing and production grid configs

---
 morph/grid/testing/grid.nix |  2 --
 morph/lib/make-issuer.nix   | 51 ++++++++++++++++++++++---------------
 morph/lib/make-testing.nix  | 51 ++++++++++++++++++++++---------------
 3 files changed, 60 insertions(+), 44 deletions(-)

diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index 760826b8..c1a9f60a 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -15,7 +15,6 @@ import ../../lib/make-grid.nix {
   in {
     "payments" = import ../../lib/make-issuer.nix ({
       publicIPv4 = "18.197.42.120";
-      monitoringvpnIPv4 = "172.23.23.11";
       inherit sshUsers;
       hardware = ../../lib/issuer-aws.nix;
       stateVersion = "19.03";
@@ -23,7 +22,6 @@ import ../../lib/make-grid.nix {
 
     "storage001" = import ../../lib/make-testing.nix (cfg // {
       publicIPv4 = "3.120.26.190";
-      monitoringvpnIPv4 = "172.23.23.11";
       inherit sshUsers;
       hardware = ./testing001-hardware.nix;
       stateVersion = "19.03";
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 912b0224..17382c4b 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -1,16 +1,41 @@
 { hardware
 , ristrettoSigningKeyPath
 , stripeSecretKeyPath
-, monitoringvpnSecretKeyDir
 , issuerDomain
 , letsEncryptAdminEmail
 , allowedChargeOrigins
 , sshUsers
 , stateVersion
 , publicIPv4
-, monitoringvpnIPv4
+, monitoringvpnSecretKeyDir ? null
+, monitoringvpnIPv4 ? null
 , ...
-}: rec {
+}: let
+
+  enableVpn = if (monitoringvpnSecretKeyDir != null &&
+                  monitoringvpnIPv4 != null)
+              then true else false;
+
+  vpnSecrets = if !enableVpn then {} else {
+    "monitoringvpn-secret-key" = {
+      source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
+      destination = "/run/keys/monitoringvpn/client.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+    "monitoringvpn-preshared-key" = {
+      source = monitoringvpnSecretKeyDir + "/preshared.key";
+      destination = "/run/keys/monitoringvpn/preshared.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+  };
+
+in rec {
   deployment = {
     targetHost = publicIPv4;
 
@@ -31,23 +56,7 @@
         permissions = "0400";
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
-      "monitoringvpn-secret-key" = {
-        source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
-        destination = "/run/keys/monitoringvpn/client.key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-      };
-      "monitoringvpn-preshared-key" = {
-        source = monitoringvpnSecretKeyDir + "/preshared.key";
-        destination = "/run/keys/monitoringvpn/preshared.key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-      };
-    };
+    } // vpnSecrets;
   };
 
   imports = [
@@ -71,7 +80,7 @@
 
   system.stateVersion = stateVersion;
 
-  services.private-storage.monitoring.vpn.client = {
+  services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
     enable = true;
     ip = monitoringvpnIPv4;
   };
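Review bot: The disabled branch assigns `{}` to `services.private-storage.monitoring.vpn.client`, so whether the client is actually off depends on that module's `enable` default, which is not visible in this patch; if the default were ever changed to true, the host would try to bring up the VPN with a null `ip`. Writing the intent out, `if !enableVpn then { enable = false; } else {`, costs nothing and does not depend on the module's default. The identical construct in make-testing.nix (hunk `@@ -60,7 +69,7 @@`) has the same dependency and should be changed in step.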
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index 050c4399..149ae740 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -2,12 +2,37 @@
 , hardware
 , publicStoragePort
 , ristrettoSigningKeyPath
-, monitoringvpnSecretKeyDir
 , passValue
 , sshUsers
 , stateVersion
-, monitoringvpnIPv4
-, ... }: rec {
+, monitoringvpnSecretKeyDir ? null
+, monitoringvpnIPv4 ? null
+, ... }: let
+
+  enableVpn = if (monitoringvpnSecretKeyDir != null &&
+                  monitoringvpnIPv4 != null)
+              then true else false;
+
+  vpnSecrets = if !enableVpn then {} else {
+    "monitoringvpn-secret-key" = {
+      source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
+      destination = "/run/keys/monitoringvpn/client.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+    "monitoringvpn-preshared-key" = {
+      source = monitoringvpnSecretKeyDir + "/preshared.key";
+      destination = "/run/keys/monitoringvpn/preshared.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+  };
+
+in rec {
 
   deployment = {
     targetHost = publicIPv4;
@@ -24,23 +49,7 @@
         # extract it from the tahoe-lafs nixos module somehow?
         action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
       };
-      "monitoringvpn-secret-key" = {
-        source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
-        destination = "/run/keys/monitoringvpn/client.key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-      };
-      "monitoringvpn-preshared-key" = {
-        source = monitoringvpnSecretKeyDir + "/preshared.key";
-        destination = "/run/keys/monitoringvpn/preshared.key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-      };
-    };
+    } // vpnSecrets;
   };
 
   imports = [
@@ -60,7 +69,7 @@
 
   system.stateVersion = stateVersion;
 
-  services.private-storage.monitoring.vpn.client = {
+  services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
     enable = true;
     ip = monitoringvpnIPv4;
   };
-- 
GitLab