Follow suit in testing and production grids

morph/grid/production/grid.nix

@@ -51,14 +51,13 @@ in lib.make-grid {
     # doesn't specify one.
     #
     # The names must be unique!
-    "payments.privatestorage.io" = lib.make-issuer (cfg // {
-      publicIPv4 = "18.184.142.208";
-      monitoringvpnIPv4 = "172.23.23.11";
-      inherit monitoringvpnKeyDir;
-      inherit sshUsers;
-      hardware = lib.hardware-aws;
-      stateVersion = "19.03";
-    });
+    "payments.privatestorage.io" = rec {
+      imports = [
+        lib.issuer
+        lib.hardware-aws
+        (lib.customize-issuer cfg sshUsers monitoringvpnKeyDir "172.23.23.11" "19.03")
+      ];
+    };
 
     "storage001" = lib.make-storage (cfg // {
         cfg = import ./storage001-config.nix;

morph/grid/testing/grid.nix

@@ -20,14 +20,13 @@ in lib.make-grid {
     nodeExporterTargets = [ "monitoring" "payments" "storage001" ];
 
   in {
-    "payments" = lib.make-issuer (cfg // {
-      publicIPv4 = "18.194.183.13";
-      monitoringvpnIPv4 = "172.23.23.11";
-      inherit monitoringvpnKeyDir;
-      inherit sshUsers;
-      hardware = lib.hardware-aws;
-      stateVersion = "19.03";
-    });
+    payments = rec {
+      imports = [
+        lib.issuer
+        lib.hardware-aws
+        (lib.customize-issuer cfg sshUsers monitoringvpnKeyDir "172.23.23.11" "19.03")
+      ];
+    };
 
     "storage001" = lib.make-testing (cfg // {
       publicIPv4 = "3.120.26.190";

morph/lib/default.nix

 rec {
   make-grid = import ./make-grid.nix;
-  make-issuer = import ./make-issuer.nix;
   make-testing = import ./make-testing.nix;
   make-storage = import ./make-storage.nix;
   make-monitoring = import ./make-monitoring.nix;

morph/lib/make-issuer.nix

-{ hardware
-, ristrettoSigningKeyPath
-, stripeSecretKeyPath
-, issuerDomains
-, letsEncryptAdminEmail
-, allowedChargeOrigins
-, sshUsers
-, stateVersion
-, publicIPv4
-, monitoringvpnKeyDir ? null
-, monitoringvpnIPv4 ? null
-, monitoringvpnEndpoint ? null
-, ...
-}: let
-
-  enableVpn = monitoringvpnKeyDir != null &&
-              monitoringvpnIPv4 != null &&
-              monitoringvpnEndpoint != null;
-
-  vpnSecrets = if !enableVpn then {} else {
-    "monitoringvpn-secret-key" = {
-      source = monitoringvpnKeyDir + "/${monitoringvpnIPv4}.key";
-      destination = "/run/keys/monitoringvpn/client.key";
-      owner.user = "root";
-      owner.group = "root";
-      permissions = "0400";
-      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-    };
-    "monitoringvpn-preshared-key" = {
-      source = monitoringvpnKeyDir + "/preshared.key";
-      destination = "/run/keys/monitoringvpn/preshared.key";
-      owner.user = "root";
-      owner.group = "root";
-      permissions = "0400";
-      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-    };
-  };
-
-in rec {
-  deployment = {
-    targetHost = publicIPv4;
-
-    secrets = {
-      "ristretto-signing-key" = {
-        source = ristrettoSigningKeyPath;
-        destination = "/run/keys/ristretto.signing-key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
-      };
-      "stripe-secret-key" = {
-        source = stripeSecretKeyPath;
-        destination = "/run/keys/stripe.secret-key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
-      };
-    } // vpnSecrets;
-  };
-
-  imports = [
-    hardware
-    ../../nixos/modules/issuer.nix
-    ../../nixos/modules/monitoring/vpn/client.nix
-    ../../nixos/modules/monitoring/exporters/node.nix
-  ];
-
-  services.private-storage.sshUsers = sshUsers;
-  services.private-storage-issuer = {
-    enable = true;
-    tls = true;
-    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
-    stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
-    database = "SQLite3";
-    databasePath = "/var/db/vouchers.sqlite3";
-    inherit letsEncryptAdminEmail;
-    domains = issuerDomains;
-    inherit allowedChargeOrigins;
-  };
-
-  system.stateVersion = stateVersion;
-
-  services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
-    enable = true;
-    ip = monitoringvpnIPv4;
-    endpoint = monitoringvpnEndpoint;
-    endpointPublicKeyFile = monitoringvpnKeyDir + "/server.pub";
-  };
-}