From 8725d655e05cd3e4e19f79431ab1e6122146733d Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Tue, 7 Apr 2020 20:28:29 -0400
Subject: [PATCH] Put the keys in the secrets directory instead of the nix store

---
 morph/lib/issuer.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index b2ef90c1..6e1eca67 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -17,6 +17,14 @@
 permissions = "0400";
 action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
 };
+ "stripe-secret-key" = {
+ source = stripeSecretKeyPath;
+ destination = "/var/secrets/stripe.secret-key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
+ };
 };
 };
@@ -28,8 +36,8 @@
 services.private-storage-issuer = {
 enable = true;
 tls = true;
- ristrettoSigningKeyPath = ./../.. + ristrettoSigningKeyPath;
- stripeSecretKeyPath = ./../.. + stripeSecretKeyPath;
+ ristrettoSigningKeyPath = "/var/secrets/ristretto.signing-key";
+ stripeSecretKeyPath = "/var/secrets/stripe.secret-key";
 database = "SQLite3";
 databasePath = "/var/db/vouchers.sqlite3";
 inherit letsEncryptAdminEmail;
-- 
GitLab
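Review bot: The new `"stripe-secret-key"` entry installs the file as `owner.user = "root"`, `owner.group = "root"`, `permissions = "0400"`, which only works if zkapissuer.service itself runs as root; the unit definition is not in this patch, so if it runs under a dedicated service account the file is unreadable to it and the service will fail after the restart action fires. If that is the case, set `owner.user = "<service-user>";` (placeholder for the unit's User=) and keep the 0400 mode, which is the least-privilege arrangement for a Stripe API secret. The entry mirrors the preceding secret block whose closing lines are the hunk's context, presumably the ristretto signing key, so the two should be kept in lockstep; a one-line comment above the entry such as `# Deployed out of band; must never be referenced as a Nix path or it lands in the world-readable store` would record why this is a string destination and not a store path. The enclosing secrets attribute set starts above the hunk.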
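Review bot: The destination strings `/var/secrets/ristretto.signing-key` and `/var/secrets/stripe.secret-key` are now written out twice in this file, once in the secrets entries and once here in the service options, so a later edit to either copy silently desynchronises where the deployer puts the key from where the service reads it. Binding each path once, e.g. `stripeSecretKeyDest = "/var/secrets/stripe.secret-key";` in a `let`, and using that binding for both the `destination` and the `stripeSecretKeyPath` option removes the risk. Switching from the path-typed `./../.. + …` form to a plain string is what keeps the keys out of the Nix store, which is the commit's stated goal; if the `private-storage-issuer` module declares these options as `types.path`, confirm it accepts an absolute-path string without coercing it back into a store path. The `services.private-storage-issuer` attribute set continues past the hunk.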