From 9347bd64eabc9c70f2aafec57c403237b02e586d Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Wed, 30 Jun 2021 16:10:50 -0400
Subject: [PATCH] Configure the production grid with a deploy key

---
 morph/grid/production/grid.nix                   | 13 +++++++++++++
 morph/grid/production/public-keys/deploy_key.pub |  1 +
 2 files changed, 14 insertions(+)
 create mode 100644 morph/grid/production/public-keys/deploy_key.pub

diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index fb680338..a7b8be20 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -13,6 +13,14 @@ let
     privateKeyPath = toString ./. + "/${rawConfig.privateKeyPath}";
   };
 
+  # Configure deployment management authorization for all systems in the grid.
+  deployment = {
+    services.private-storage.deployment = {
+      authorizedKey = builtins.readFile "${config.publicKeyPath}/deploy_key.pub";
+      gridName = "production";
+    };
+  };
+
   payments = {
     imports = [
       gridlib.issuer
@@ -20,6 +28,7 @@ let
       (gridlib.customize-issuer (config // {
         monitoringvpnIPv4 = "172.23.23.11";
       }))
+      deployment
     ];
   };
 
@@ -33,6 +42,7 @@ let
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
       })
+      deployment
     ];
   };
 
@@ -58,6 +68,9 @@ let
         monitoringvpnIPv4 = vpnIP;
         inherit stateVersion;
       }))
+
+      # Also configure deployment management authorization
+      deployment
     ];
 
     # And supply configuration for those hardware / network / bootloader
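Review bot: Only this third import site carries the `# Also configure deployment management authorization` comment; the two earlier hunks (lines 35 and 43) add the same `deployment` entry without one. For consistency either drop this comment or add the same one-liner at the other two sites, since the element reads identically in all three lists. The enclosing definition continues past the hunk.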
diff --git a/morph/grid/production/public-keys/deploy_key.pub b/morph/grid/production/public-keys/deploy_key.pub
new file mode 100644
index 00000000..3d9ea022
--- /dev/null
+++ b/morph/grid/production/public-keys/deploy_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK50RwXncelNB4JAazoXEhCxXbJZ79qWcQMAWeX14H+W exarkun@baryon
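Review bot: The key comment `exarkun@baryon` ties the production deploy key to a personal workstation, while the file name and `gridName` describe a grid-wide deployment credential that every production host importing `deployment` will accept. The commit should state where the private half is held and how it is rotated, and a purpose-bound comment such as `deploy@production-grid` (constructed example) would make the key's role clear on the hosts themselves. Nothing in the diff limits what this key may do; if the `services.private-storage.deployment` module supports narrowing it (forced command, source restrictions), that is worth stating in `grid.nix` next to `authorizedKey`.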
-- 
GitLab