From 96e6e29106d618ece27200295151f318c8bf5042 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Wed, 19 May 2021 20:09:57 +0000
Subject: [PATCH] Place keys on tmpfs

  sed -i 's|var/secrets|run/keys|'

See Ops#193
---
 morph/lib/make-issuer.nix               |  4 ++--
 morph/lib/make-monitoring.nix           |  6 +++---
 morph/lib/make-testing.nix              |  4 ++--
 nixos/modules/monitoring/vpn/client.nix | 12 ++++++------
 nixos/modules/monitoring/vpn/server.nix | 12 ++++++------
 5 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 5e58f064..e241b917 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -32,7 +32,7 @@
       };
       "monitoringvpn-secret-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
-        destination = "/var/secrets/monitoringvpn/client.key";
+        destination = "/run/keys/monitoringvpn/client.key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
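Review bot: The new destination places `client.key` under `/run/keys`, which on NixOS is a ramfs that is empty after every reboot, so the VPN client holds its key only until the next boot; neither this hunk nor the commit message states how the key is re-populated, and that dependency on a post-boot redeploy belongs next to the secret definition. I would add `# /run/keys is volatile (ramfs): secrets must be redeployed after every reboot, see Ops#193` above `"monitoringvpn-secret-key"`. It is also not visible here whether morph creates the `monitoringvpn/` parent directory under `/run/keys` (the NixOS mount is typically `root:keys` mode 0750), so confirm the upload does not fail on the missing directory. The same applies to the @@ -40 hunk in this file and to the hunks in make-monitoring.nix and make-testing.nix.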
@@ -40,7 +40,7 @@
       };
       "monitoringvpn-preshared-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
-        destination = "/var/secrets/monitoringvpn/preshared.key";
+        destination = "/run/keys/monitoringvpn/preshared.key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
index ca8dfc91..2a2cde3d 100644
--- a/morph/lib/make-monitoring.nix
+++ b/morph/lib/make-monitoring.nix
@@ -6,7 +6,7 @@
     secrets = {
       "monitoringvpn-private-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/server.key";
-        destination = "/var/secrets/monitoringvpn/server.key";
+        destination = "/run/keys/monitoringvpn/server.key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
@@ -14,7 +14,7 @@
       };
       "monitoringvpn-public-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/server.pub";
-        destination = "/var/secrets/monitoringvpn/server.pub";
+        destination = "/run/keys/monitoringvpn/server.pub";
         owner.user = "root";
         owner.group = "root";
         permissions = "0444";
@@ -22,7 +22,7 @@
       };
       "monitoringvpn-preshared-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
-        destination = "/var/secrets/monitoringvpn/preshared.key";
+        destination = "/run/keys/monitoringvpn/preshared.key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index 81b88ecc..c96a51c2 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -17,7 +17,7 @@
       };
       "monitoringvpn-secret-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
-        destination = "/var/secrets/monitoringvpn/client.key";
+        destination = "/run/keys/monitoringvpn/client.key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
@@ -25,7 +25,7 @@
       };
       "monitoringvpn-preshared-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
-        destination = "/var/secrets/monitoringvpn/preshared.key";
+        destination = "/run/keys/monitoringvpn/preshared.key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 9c204743..1756221e 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -8,15 +8,15 @@ in {
     enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
     privateKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/host.key;
-      default = /var/secrets/monitoringvpn/client.key;
+      example = lib.literalExample /run/keys/monitoringvpn/host.key;
+      default = /run/keys/monitoringvpn/client.key;
       description = ''
         File with base64 private key generated by <command>wg genkey</command>.
       '';
     };
     publicKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/host.pub;
+      example = lib.literalExample /run/keys/monitoringvpn/host.pub;
       description = ''
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
         Cannot have white space or new lines.
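Review bot: The new defaults `/run/keys/monitoringvpn/client.key` and `/run/keys/monitoringvpn/preshared.key` are Nix path literals rather than strings; if any consumer interpolates such an option into a string (`"${cfg.privateKeyFile}"`), Nix copies the referenced file into the world-readable store, and because `/run/keys` content does not exist at evaluation time the evaluation would instead fail on a build host. An absolute string, `default = "/run/keys/monitoringvpn/client.key";`, still satisfies `lib.types.path` and can never be store-copied; the same applies to the @@ -28 hunk here and to the server.nix hunk. The unchanged `endpointPublicKeyFile` default still points at the repository copy rather than `/run/keys`, which is presumably intended for a public key but is worth a comment. The enclosing option set starts and ends outside the hunk.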
@@ -28,8 +28,8 @@ in {
     };
     presharedKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
-      default = /var/secrets/monitoringvpn/preshared.key;
+      example = lib.literalExample /run/keys/monitoringvpn/preshared.key;
+      default = /run/keys/monitoringvpn/preshared.key;
       description = ''
         File with base64 preshared key generated by <command>wg genpsk</command>.
       '';
@@ -59,7 +59,7 @@ in {
     };
     endpointPublicKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
+      example = lib.literalExample /run/keys/monitoringvpn/server.pub;
       default = ../../../../morph/PrivateStorageSecrets/monitoringvpn/server.pub;
       description = ''
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
diff --git a/nixos/modules/monitoring/vpn/server.nix b/nixos/modules/monitoring/vpn/server.nix
index 0ff1189b..8a1f560e 100644
--- a/nixos/modules/monitoring/vpn/server.nix
+++ b/nixos/modules/monitoring/vpn/server.nix
@@ -8,24 +8,24 @@ in {
     enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN server service";
     privateKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/server.key;
-      default = /var/secrets/monitoringvpn/server.key;
+      example = lib.literalExample /run/keys/monitoringvpn/server.key;
+      default = /run/keys/monitoringvpn/server.key;
       description = ''
         File with base64 private key generated by <command>wg genkey</command>.
       '';
     };
     publicKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
-      default = /var/secrets/monitoringvpn/server.pub;
+      example = lib.literalExample /run/keys/monitoringvpn/server.pub;
+      default = /run/keys/monitoringvpn/server.pub;
       description = ''
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
       '';
     };
     presharedKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
-      default = /var/secrets/monitoringvpn/preshared.key;
+      example = lib.literalExample /run/keys/monitoringvpn/preshared.key;
+      default = /run/keys/monitoringvpn/preshared.key;
       description = ''
         File with base64 preshared key generated by <command>wg genpsk</command>.
       '';
-- 
GitLab