From 8725d655e05cd3e4e19f79431ab1e6122146733d Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Tue, 7 Apr 2020 20:28:29 -0400
Subject: [PATCH] Put the keys in the secrets directory instead of the nix
 store

---
 morph/lib/issuer.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index b2ef90c1..6e1eca67 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -17,6 +17,14 @@
         permissions = "0400";
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
+      "stripe-secret-key" = {
+        source = stripeSecretKeyPath;
+        destination = "/var/secrets/stripe.secret-key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
+      };
     };
   };
 
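Review bot: The new `stripe-secret-key` entry deploys the file as `owner.user = "root"` / `owner.group = "root"` with `permissions = "0400"`, so only root can read it; if `zkapissuer.service` runs under a dedicated non-root user (not visible here), the service will fail to open `/var/secrets/stripe.secret-key` at startup, so confirm the unit's `User` and, if it is not root, set `owner.user` to that account rather than loosening `permissions`. The same check applies to the parallel entry whose tail is visible above (`permissions = "0400"` / restart action), which this block mirrors. Consider adding a one-line comment on the entry, `# readable only by the service's user; restart so the issuer re-reads the rotated key`, to record that intent. The enclosing attribute set's header is outside this hunk.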
@@ -28,8 +36,8 @@
   services.private-storage-issuer = {
     enable = true;
     tls = true;
-    ristrettoSigningKeyPath = ./../.. + ristrettoSigningKeyPath;
-    stripeSecretKeyPath = ./../.. + stripeSecretKeyPath;
+    ristrettoSigningKeyPath = "/var/secrets/ristretto.signing-key";
+    stripeSecretKeyPath = "/var/secrets/stripe.secret-key";
     database = "SQLite3";
     databasePath = "/var/db/vouchers.sqlite3";
     inherit letsEncryptAdminEmail;
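Review bot: The destination `"/var/secrets/stripe.secret-key"` is now written as a literal both in the `stripe-secret-key` secret entry of the first hunk and in `stripeSecretKeyPath` here, so the two can drift apart and the issuer would then fail (or read a stale file) with no build-time signal; the ristretto path is presumably duplicated the same way with its secret entry outside this hunk. Bind each path once, e.g. `stripeSecretKeyDest = "/var/secrets/stripe.secret-key";` and `ristrettoSigningKeyDest = "/var/secrets/ristretto.signing-key";` in a `let`, and use the binding for both `destination` and the `services.private-storage-issuer` option. The `services.private-storage-issuer` attribute set continues past the end of this hunk.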
-- 
GitLab