diff --git a/morph/grid/local/README.rst b/morph/grid/local/README.rst
index ddccc67def0596516284b7a71189b2a50105ee38..1966be32c48498fad5a23e2f6fc5616d2095bf0d 100644
--- a/morph/grid/local/README.rst
+++ b/morph/grid/local/README.rst
@@ -36,13 +36,35 @@ If you run an older Nixpkgs, retrieve and use the latest Vagrant development ver
Use the local development environment
`````````````````````````````````````
-Build and start the VMs::
+1. Build and start the VMs::
- VAGRANT_DEFAULT_PROVIDER=virtualbox vagrant up
+ VAGRANT_DEFAULT_PROVIDER=virtualbox vagrant up
-Then::
+2. Then, once::
- morph build grid.nix
- morph push grid.nix
- morph deploy grid.nix switch
+ vagrant ssh-config > ./vagrant-ssh-config
+
+3. Edit the output: Add the IPs from ``grid.nix`` to the ``vagrant-ssh-config`` **Host match blocks** so the config reads like::
+
+ Host payments1 192.168.67.21
+ HostName 192.168.67.21
+ User vagrant
+ Port 22
+ [...]
+
+4. Then, make morph use this ssh config either - with newer morph [#]_ - by pointing it to it::
+
+ export SSH_CONFIG_FILE=./vagrant-ssh-config
+
+ Or, with older morph, adding the config to your user's ``~/.ssh/config`` file.
+
+ .. [#] Morph honors the ``SSH_CONFIG_FILE`` environment variable `since 3f90aa88 (March 2020, v 1.5.0) <https://github.com/DBCDK/morph/commit/3f90aa885fac1c29fce9242452fa7c0c505744ef#diff-d155ad793bd62e6ea4c44ba985049ecb13a4f4f32f799791b2bce695a16c0101>`_.
+
+5. Then, build and deploy our software to the Vagrant VMs::
+
+ morph build grid.nix
+ morph push grid.nix
+ morph deploy grid.nix switch
+
+ You will now be able to log in with the users and keys you set in your ``localdev-users.nix`` file.
diff --git a/morph/grid/local/Vagrantfile b/morph/grid/local/Vagrantfile
index 7c20fddda1516d31abd65c9850abaf7619ce8030..81dec21ee701d761b4347f11df43398d78d4b528 100644
--- a/morph/grid/local/Vagrantfile
+++ b/morph/grid/local/Vagrantfile
@@ -33,6 +33,7 @@ Vagrant.configure("2") do |config|
end
# To make the VMs assign the static IPs to the network interfaces we need a rebuild:
+ config.vm.provision "shell", inline: "echo '{nix.trustedUsers = [ \"@wheel\" \"root\" \"vagrant\" ];}' > /etc/nixos/custom-configuration.nix"
config.vm.provision "shell", inline: "nixos-rebuild switch"
config.trigger.after :up do |trigger|
diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
new file mode 100644
index 0000000000000000000000000000000000000000..56184fbcd854ba8120fd5a2062d4656fd0448db3
--- /dev/null
+++ b/morph/grid/local/config.json
@@ -0,0 +1,10 @@
+{ "publicStoragePort": 8898
+, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
+, "stripeSecretKeyPath": "../../PrivateStorageSecrets/privatestorageio-testing-stripe.secret"
+, "passValue": 1000000
+, "issuerDomain": "payments.localdev"
+, "letsEncryptAdminEmail": "florian@privatestorage.io"
+, "allowedChargeOrigins": [
+ "http://localhost:5000"
+ ]
+}
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
new file mode 100644
index 0000000000000000000000000000000000000000..fdda12e4537cd281a8d0768f0a95aa0608eca36b
--- /dev/null
+++ b/morph/grid/local/grid.nix
@@ -0,0 +1,32 @@
+# Load the helper function and call it with arguments tailored for the local
+# grid. It will make the morph configuration for us. We share this function
+# with the production grid and have one fewer possible point of divergence.
+import ../../lib/make-grid.nix {
+ name = "LocalDev";
+ config = ./config.json;
+ nodes = cfg:
+ let
+ sshUsers = import ../../../../PrivateStorageSecrets/localdev-users.nix;
+ in {
+ "payments1" = import ../../lib/make-issuer.nix (rec {
+ publicIPv4 = "192.168.67.21";
+ inherit sshUsers;
+ hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
+ stateVersion = "19.03";
+ } // cfg);
+
+ "storage1" = import ../../lib/make-testing.nix (rec {
+ publicIPv4 = "192.168.67.22";
+ inherit sshUsers;
+ hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
+ stateVersion = "19.09";
+ } // cfg);
+
+ "storage2" = import ../../lib/make-testing.nix (rec {
+ publicIPv4 = "192.168.67.23";
+ inherit sshUsers;
+ hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
+ stateVersion = "19.09";
+ } // cfg);
+ };
+}
diff --git a/morph/grid/local/vagrant-guest.nix b/morph/grid/local/vagrant-guest.nix
new file mode 100644
index 0000000000000000000000000000000000000000..8505b2f34dba067bf2c39a1645145bc626d30cf8
--- /dev/null
+++ b/morph/grid/local/vagrant-guest.nix
@@ -0,0 +1,86 @@
+# Minimal configuration that vagrant depends on
+
+{ config, pkgs, ... }:
+let
+ # Vagrant uses an insecure shared private key by default, but we
+ # don't use the authorizedKeys attribute under users because it should be
+ # removed on first boot and replaced with a random one. This script sets
+ # the correct permissions and installs the temporary key if no
+ # ~/.ssh/authorized_keys exists.
+ install-vagrant-ssh-key = pkgs.writeScriptBin "install-vagrant-ssh-key" ''
+ #!${pkgs.runtimeShell}
+ if [ ! -e ~/.ssh/authorized_keys ]; then
+ mkdir -m 0700 -p ~/.ssh
+ echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" >> ~/.ssh/authorized_keys
+ chmod 0600 ~/.ssh/authorized_keys
+ fi
+ '';
+in
+{
+ # Services to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # Enable DBus
+ services.dbus.enable = true;
+
+ # Replace ntpd by timesyncd
+ services.timesyncd.enable = true;
+
+ # Packages for Vagrant
+ environment.systemPackages = with pkgs; [
+ findutils
+ gnumake
+ iputils
+ jq
+ nettools
+ netcat
+ nfs-utils
+ rsync
+ ];
+
+ users.users.root = { password = "vagrant"; };
+
+ # Creates a "vagrant" group & user with password-less sudo access
+ users.groups.vagrant = {
+ name = "vagrant";
+ members = [ "vagrant" ];
+ };
+ users.extraUsers.vagrant = {
+ isNormalUser = true;
+ createHome = true;
+ group = "vagrant";
+ extraGroups = [ "users" "wheel" ];
+ password = "vagrant";
+ home = "/home/vagrant";
+ useDefaultShell = true;
+ };
+
+ systemd.services.install-vagrant-ssh-key = {
+ description = "Vagrant SSH key install (if needed)";
+ after = [ "fs.target" ];
+ wants = [ "fs.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${install-vagrant-ssh-key}/bin/install-vagrant-ssh-key";
+ User = "vagrant";
+ # So it won't be (needlessly) restarted:
+ RemainAfterExit = true;
+ };
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ security.sudo.extraConfig =
+ ''
+ Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE
+ Defaults:root,%wheel env_keep+=NIX_PATH
+ Defaults:root,%wheel env_keep+=TERMINFO_DIRS
+ Defaults env_keep+=SSH_AUTH_SOCK
+ Defaults lecture = never
+ root ALL=(ALL) SETENV: ALL
+ %wheel ALL=(ALL) NOPASSWD: ALL, SETENV: ALL
+ '';
+}
+
diff --git a/morph/grid/local/virtual-hardware.nix b/morph/grid/local/virtual-hardware.nix
new file mode 100644
index 0000000000000000000000000000000000000000..d5e9067bd5f3b3ca2ea1bb46746253fa39b25cf6
--- /dev/null
+++ b/morph/grid/local/virtual-hardware.nix
@@ -0,0 +1,36 @@
+{ publicIPv4, ... }:
+{
+ imports = [ ./vagrant-guest.nix ];
+
+ virtualisation.virtualbox.guest.enable = true;
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ # remove the fsck that runs at startup. It will always fail to run, stopping
+ # your boot until you press *.
+ boot.initrd.checkJournalingFS = false;
+
+ networking.interfaces.enp0s8.ipv4.addresses = [{
+ address = publicIPv4;
+ prefixLength = 24;
+ }];
+
+ fileSystems."/storage" = { fsType = "tmpfs"; };
+ fileSystems."/" =
+ { device = "/dev/sda1";
+ fsType = "ext4";
+ };
+ swapDevices = [ ];
+
+ # We want to push packages with morph without having to sign them
+ nix.trustedUsers = [ "@wheel" "root" "vagrant" ];
+}
+