From 7e2345bfffc2032c831b7258f7a9412ed0701d76 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Mon, 21 Oct 2019 14:52:55 -0400
Subject: [PATCH] Add the necessary secrets configuration

---
 morph/grid.config.json |  1 +
 morph/storage000.nix   | 20 +++++++++++++++++++-
 morph/testing-grid.nix | 10 +++-------
 morph/testing000.nix   | 22 ++++++++++++++++++++--
 4 files changed, 43 insertions(+), 10 deletions(-)

diff --git a/morph/grid.config.json b/morph/grid.config.json
index 71d0fcd9..178f44d3 100644
--- a/morph/grid.config.json
+++ b/morph/grid.config.json
@@ -1,2 +1,3 @@
 { "publicStoragePort": 8898
+, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
 }
diff --git a/morph/storage000.nix b/morph/storage000.nix
index 540229b5..cd2b6c1f 100644
--- a/morph/storage000.nix
+++ b/morph/storage000.nix
@@ -5,7 +5,23 @@ in
 # Define the function that defines the node.  Accept the public storage server
 # port argument so we can configure Tahoe-LAFS with it.  Accept but ignore any
 # other arguments.
-{ publicStoragePort, ... }: {
+{ publicStoragePort, ristrettoSigningKeyPath, ... }: rec {
+
+  deployment = {
+    secrets = {
+      "ristretto-signing-key" = {
+        source = ristrettoSigningKeyPath;
+        destination = "/var/secrets/ristretto.signing-key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        # Service name here matches the name defined by our tahoe-lafs nixos
+        # module.  It would be nice to not have to hard-code it here.  Can we
+        # extract it from the tahoe-lafs nixos module somehow?
+        action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
+      };
+    };
+  };
 
   # Any extra NixOS modules to load on this server.
   imports = [
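Review bot: The secret on lines 37-39 is installed as root:root with mode 0400, which means only a root process can read /var/secrets/ristretto.signing-key; if the tahoe-lafs nixos module runs tahoe.storage.service as a dedicated user, the service restarted by the `action` on line 43 will not be able to open the key. Confirm the service user in that module and set `owner.user`/`owner.group` to match it (keeping 0400). The same `deployment.secrets` block is repeated verbatim in testing000.nix; factoring it into a shared module that takes the source path would keep the two copies from drifting. The enclosing attribute set continues past the hunk (`imports` is left open at line 49).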
@@ -34,6 +50,8 @@ in
     inherit (cfg) publicIPv4;
     # And the port to operate on is specified via parameter.
     inherit publicStoragePort;
+    # Give it the Ristretto signing key, too, to support authorization.
+    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
   };
 
   # This value determines the NixOS release with which your system is to be
diff --git a/morph/testing-grid.nix b/morph/testing-grid.nix
index c58cefa4..5591827e 100644
--- a/morph/testing-grid.nix
+++ b/morph/testing-grid.nix
@@ -4,12 +4,8 @@
 import ./make-grid.nix {
   name = "Testing";
   nodes = cfg: {
-    "testing000" = import ./testing000.nix {
-      publicIPv4 = "3.123.26.90";
-      # Pass along some of the Tahoe-LAFS configuration.  If we have much more
-      # configuration than this we may want to keep it bundled up in one value
-      # instead of pulling individual values out to pass along.
-      inherit (cfg) publicStoragePort;
-    };
+    "testing000" = import ./testing000.nix (cfg // {
+      publicIPv4 = "35.157.216.200";
+    });
   };
 }
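Review bot: The address change on line 75 (3.123.26.90 → 35.157.216.200) is unrelated to the secrets configuration named in the subject and is not mentioned anywhere in the commit message; it should be split into its own commit or at least explained in the description so the history records why the testing node moved. The switch to `cfg // { ... }` is fine, but it now forwards every key in grid.config.json to testing000.nix, so that file's argument set has to tolerate extra keys.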
diff --git a/morph/testing000.nix b/morph/testing000.nix
index 3a5bd414..e5f9c3f3 100644
--- a/morph/testing000.nix
+++ b/morph/testing000.nix
@@ -1,5 +1,22 @@
-{ publicIPv4, publicStoragePort }:
-{ imports = [
+{ publicIPv4, publicStoragePort, ristrettoSigningKeyPath }: rec {
+
+  deployment = {
+    secrets = {
+      "ristretto-signing-key" = {
+        source = ristrettoSigningKeyPath;
+        destination = "/var/secrets/ristretto.signing-key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        # Service name here matches the name defined by our tahoe-lafs nixos
+        # module.  It would be nice to not have to hard-code it here.  Can we
+        # extract it from the tahoe-lafs nixos module somehow?
+        action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
+      };
+    };
+  };
+
+  imports = [
     ./testing000-hardware.nix
     ../nixos/modules/private-storage.nix
   ];
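Review bot: The argument set on line 86 names exactly three parameters with no `...`, yet testing-grid.nix now calls this file with the whole `cfg` derived from grid.config.json, so the next key added to that JSON will make evaluation of the testing grid fail with an unexpected-argument error; storage000.nix already accepts `...` for this reason. Change the header to `{ publicIPv4, publicStoragePort, ristrettoSigningKeyPath, ... }: rec {` to match. The attribute set continues past the hunk.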
@@ -8,5 +25,6 @@
   { enable = true;
     inherit publicIPv4;
     inherit publicStoragePort;
+    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
   };
 }
-- 
GitLab