Put the keys in the secrets directory instead of the nix store

8725d655 · Jean-Paul Calderone · 24c19c19 · 8725d655
Unverified Commit 8725d655 authored 5 years ago by Jean-Paul Calderone
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -17,6 +17,14 @@
        permissions = "0400";
        action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
      };
+      "stripe-secret-key" = {
+        source = stripeSecretKeyPath;
+        destination = "/var/secrets/stripe.secret-key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
+      };
    };
  };
@@ -28,8 +36,8 @@
  services.private-storage-issuer = {
    enable = true;
    tls = true;
-    ristrettoSigningKeyPath = ./../.. + ristrettoSigningKeyPath;
+    ristrettoSigningKeyPath = "/var/secrets/ristretto.signing-key";
-    stripeSecretKeyPath = ./../.. + stripeSecretKeyPath;
+    stripeSecretKeyPath = "/var/secrets/stripe.secret-key";
    database = "SQLite3";
    databasePath = "/var/db/vouchers.sqlite3";
    inherit letsEncryptAdminEmail;