From 7e2345bfffc2032c831b7258f7a9412ed0701d76 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Mon, 21 Oct 2019 14:52:55 -0400
Subject: [PATCH] Add the necessary secrets configuration

---
 morph/grid.config.json | 1 +
 morph/storage000.nix | 20 +++++++++++++++++++-
 morph/testing-grid.nix | 10 +++-------
 morph/testing000.nix | 22 ++++++++++++++++++++--
 4 files changed, 43 insertions(+), 10 deletions(-)

diff --git a/morph/grid.config.json b/morph/grid.config.json
index 71d0fcd9..178f44d3 100644
--- a/morph/grid.config.json
+++ b/morph/grid.config.json
@@ -1,2 +1,3 @@
 { "publicStoragePort": 8898
+, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
 }
diff --git a/morph/storage000.nix b/morph/storage000.nix
index 540229b5..cd2b6c1f 100644
--- a/morph/storage000.nix
+++ b/morph/storage000.nix
@@ -5,7 +5,23 @@ in
 # Define the function that defines the node. Accept the public storage server
 # port argument so we can configure Tahoe-LAFS with it. Accept but ignore any
 # other arguments.
-{ publicStoragePort, ... }: {
+{ publicStoragePort, ristrettoSigningKeyPath, ... }: rec {
+
+ deployment = {
+ secrets = {
+ "ristretto-signing-key" = {
+ source = ristrettoSigningKeyPath;
+ destination = "/var/secrets/ristretto.signing-key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ # Service name here matches the name defined by our tahoe-lafs nixos
+ # module. It would be nice to not have to hard-code it here. Can we
+ # extract it from the tahoe-lafs nixos module somehow?
+ action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
+ };
+ };
+ };

 # Any extra NixOS modules to load on this server.
 imports = [
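Review bot: The new `ristrettoSigningKeyPath` value is a relative path whose base is not stated anywhere; morph presumably resolves a secret's `source` against the deployment expression rather than against this JSON file, so the value is only correct while both files stay together under morph/ and the deployment is run from there. JSON has no comment syntax, so the file that reads this configuration (or the README) should carry a one-line note saying what the path is relative to, otherwise a moved file or a different working directory silently points at the wrong key. Referencing the key by path and keeping the key material itself outside the repository is the right shape; only the path is committed here.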
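Review bot: The secret is installed as `root:root` with mode `0400`, so `tahoe.storage.service` can only read `/var/secrets/ristretto.signing-key` if it runs as root; if the tahoe-lafs module runs the daemon under a dedicated user (not visible in this hunk), `owner.user`/`owner.group` should name that user, otherwise the restart in `action` brings the service up without a readable key. The same `deployment.secrets` block is duplicated verbatim in morph/testing000.nix in this patch; a small shared expression taking the source path would keep the service name, destination and permissions from drifting between the two nodes. The header comment above the changed signature still says the function accepts only the public storage port and should now also mention `ristrettoSigningKeyPath`, e.g. `# port argument and the path to the Ristretto signing key so we can configure` / `# Tahoe-LAFS with them.` The node function's body continues past the end of the hunk.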
@@ -34,6 +50,8 @@ in
 inherit (cfg) publicIPv4;
 # And the port to operate on is specified via parameter.
 inherit publicStoragePort;
+ # Give it the Ristretto signing key, too, to support authorization.
+ ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
 };

 # This value determines the NixOS release with which your system is to be
diff --git a/morph/testing-grid.nix b/morph/testing-grid.nix
index c58cefa4..5591827e 100644
--- a/morph/testing-grid.nix
+++ b/morph/testing-grid.nix
@@ -4,12 +4,8 @@ import ./make-grid.nix {
 name = "Testing";
 nodes = cfg: {
- "testing000" = import ./testing000.nix {
- publicIPv4 = "3.123.26.90";
- # Pass along some of the Tahoe-LAFS configuration. If we have much more
- # configuration than this we may want to keep it bundled up in one value
- # instead of pulling individual values out to pass along.
- inherit (cfg) publicStoragePort;
- };
+ "testing000" = import ./testing000.nix (cfg // {
+ publicIPv4 = "35.157.216.200";
+ });
 };
 }
diff --git a/morph/testing000.nix b/morph/testing000.nix
index 3a5bd414..e5f9c3f3 100644
--- a/morph/testing000.nix
+++ b/morph/testing000.nix
@@ -1,5 +1,22 @@
-{ publicIPv4, publicStoragePort }:
-{ imports = [
+{ publicIPv4, publicStoragePort, ristrettoSigningKeyPath }: rec {
+
+ deployment = {
+ secrets = {
+ "ristretto-signing-key" = {
+ source = ristrettoSigningKeyPath;
+ destination = "/var/secrets/ristretto.signing-key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ # Service name here matches the name defined by our tahoe-lafs nixos
+ # module. It would be nice to not have to hard-code it here. Can we
+ # extract it from the tahoe-lafs nixos module somehow?
+ action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
+ };
+ };
+ };
+
+ imports = [
 ./testing000-hardware.nix
 ../nixos/modules/private-storage.nix
 ];
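Review bot: The value handed to the service option is the on-host `destination` path, which is correct only if the private-storage module opens that file at service runtime; if the module ever read it during evaluation (for example with `builtins.readFile`) the key would be copied into the world-readable Nix store, defeating the `0400` secret. A short comment stating that contract would guard the next maintainer, e.g. `# This is the deployed path on the host; the module must read it at runtime, never at eval time.` The option set this line belongs to opens before the hunk, so the attribute being assigned is inferred from the `inherit publicStoragePort;` context.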
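Review bot: Forwarding the whole `cfg` set with `cfg // { ... }` means every key present in grid.config.json is passed to ./testing000.nix, whose parameter set in this same patch is `{ publicIPv4, publicStoragePort, ristrettoSigningKeyPath }` with no `...`; the next key added to the JSON (or to `cfg` by make-grid.nix) therefore fails evaluation with an unexpected-argument error rather than being ignored as in storage000.nix. Either add `...` to the testing000.nix signature, matching storage000.nix, or keep forwarding explicit with `inherit (cfg) publicStoragePort ristrettoSigningKeyPath;`. The node's `publicIPv4` also changes from `3.123.26.90` to `35.157.216.200` here, which is a re-addressing unrelated to the secrets change named in the subject and would be easier to audit as its own commit or at least a line in the description.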
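Review bot: The new node function has no header comment explaining its arguments, while the sibling storage000.nix documents which values it accepts and why; a two-line comment above the signature, e.g. `# Define the testing node. Accept the grid configuration (storage port and` / `# Ristretto signing key path) plus this node's public IPv4 address.`, would keep the two node files readable in the same way. The switch to `rec { ... }` exists only so the module option below can reference `deployment.secrets.ristretto-signing-key.destination`; naming that in a comment next to `rec` would stop a later cleanup from dropping it and breaking evaluation. The attribute set continues past the end of the hunk.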
@@ -8,5 +25,6 @@
 { enable = true;
 inherit publicIPv4;
 inherit publicStoragePort;
+ ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
 };
 }
-- 
GitLab
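Review bot: The added line carries no comment, whereas the identical assignment in morph/storage000.nix in this patch is introduced with `# Give it the Ristretto signing key, too, to support authorization.`; the two node files should read the same, so the same comment belongs above this line. It is also worth being explicit that the path passed is the deployed location from the `deployment.secrets` block above rather than the repository-relative `ristrettoSigningKeyPath` argument, since both names are in scope in this file and differ only in which host they make sense on.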