From 96e6e29106d618ece27200295151f318c8bf5042 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Wed, 19 May 2021 20:09:57 +0000
Subject: [PATCH] Place keys on tmpfs

sed -i 's|var/secrets|run/keys|'

See Ops#193
---
 morph/lib/make-issuer.nix | 4 ++--
 morph/lib/make-monitoring.nix | 6 +++---
 morph/lib/make-testing.nix | 4 ++--
 nixos/modules/monitoring/vpn/client.nix | 12 ++++++------
 nixos/modules/monitoring/vpn/server.nix | 12 ++++++------
 5 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 5e58f064..e241b917 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -32,7 +32,7 @@
 };
 "monitoringvpn-secret-key" = {
 source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
- destination = "/var/secrets/monitoringvpn/client.key";
+ destination = "/run/keys/monitoringvpn/client.key";
 owner.user = "root";
 owner.group = "root";
 permissions = "0400";
@@ -40,7 +40,7 @@
 };
 "monitoringvpn-preshared-key" = {
 source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
- destination = "/var/secrets/monitoringvpn/preshared.key";
+ destination = "/run/keys/monitoringvpn/preshared.key";
 owner.user = "root";
 owner.group = "root";
 permissions = "0400";
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
index ca8dfc91..2a2cde3d 100644
--- a/morph/lib/make-monitoring.nix
+++ b/morph/lib/make-monitoring.nix
@@ -6,7 +6,7 @@
 secrets = {
 "monitoringvpn-private-key" = {
 source = "../../PrivateStorageSecrets/monitoringvpn/server.key";
- destination = "/var/secrets/monitoringvpn/server.key";
+ destination = "/run/keys/monitoringvpn/server.key";
 owner.user = "root";
 owner.group = "root";
 permissions = "0400";
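Review bot: Key material written under /run/keys is gone after a reboot, so the new `destination` values in both make-issuer.nix hunks, and the matching hunks in make-monitoring.nix and make-testing.nix, make the WireGuard keys depend on a redeploy after every boot unless something re-provisions them; on NixOS /run/keys is, as far as I recall, a ramfs mounted mode 0750 with group `keys` rather than a tmpfs, which is actually the better property for secrets because it cannot be swapped out, but the commit message should state which mount it relies on. Two things I would confirm before merging: that the deployment step creates the `monitoringvpn/` subdirectory on a fresh, empty ramfs, and that the VPN units are ordered after the key upload so a boot without the keys fails clearly instead of racing. A one-line comment next to the first destination would record the constraint, e.g. `# /run/keys is memory-backed and empty after reboot; keys must be redeployed before the VPN unit starts`.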
@@ -14,7 +14,7 @@
 };
 "monitoringvpn-public-key" = {
 source = "../../PrivateStorageSecrets/monitoringvpn/server.pub";
- destination = "/var/secrets/monitoringvpn/server.pub";
+ destination = "/run/keys/monitoringvpn/server.pub";
 owner.user = "root";
 owner.group = "root";
 permissions = "0444";
@@ -22,7 +22,7 @@
 };
 "monitoringvpn-preshared-key" = {
 source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
- destination = "/var/secrets/monitoringvpn/preshared.key";
+ destination = "/run/keys/monitoringvpn/preshared.key";
 owner.user = "root";
 owner.group = "root";
 permissions = "0400";
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index 81b88ecc..c96a51c2 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -17,7 +17,7 @@
 };
 "monitoringvpn-secret-key" = {
 source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
- destination = "/var/secrets/monitoringvpn/client.key";
+ destination = "/run/keys/monitoringvpn/client.key";
 owner.user = "root";
 owner.group = "root";
 permissions = "0400";
@@ -25,7 +25,7 @@
 };
 "monitoringvpn-preshared-key" = {
 source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
- destination = "/var/secrets/monitoringvpn/preshared.key";
+ destination = "/run/keys/monitoringvpn/preshared.key";
 owner.user = "root";
 owner.group = "root";
 permissions = "0400";
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 9c204743..1756221e 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -8,15 +8,15 @@ in {
 enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
 privateKeyFile = lib.mkOption {
 type = lib.types.path;
- example = lib.literalExample /var/secrets/monitoringvpn/host.key;
- default = /var/secrets/monitoringvpn/client.key;
+ example = lib.literalExample /run/keys/monitoringvpn/host.key;
+ default = /run/keys/monitoringvpn/client.key;
 description = ''
 File with base64 private key generated by <command>wg genkey</command>.
 '';
 };
 publicKeyFile = lib.mkOption {
 type = lib.types.path;
- example = lib.literalExample /var/secrets/monitoringvpn/host.pub;
+ example = lib.literalExample /run/keys/monitoringvpn/host.pub;
 description = ''
 File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
 Cannot have white space or new lines.
@@ -28,8 +28,8 @@ in {
 };
 presharedKeyFile = lib.mkOption {
 type = lib.types.path;
- example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
- default = /var/secrets/monitoringvpn/preshared.key;
+ example = lib.literalExample /run/keys/monitoringvpn/preshared.key;
+ default = /run/keys/monitoringvpn/preshared.key;
 description = ''
 File with base64 preshared key generated by <command>wg genpsk</command>.
 '';
@@ -59,7 +59,7 @@ in {
 };
 endpointPublicKeyFile = lib.mkOption {
 type = lib.types.path;
- example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
+ example = lib.literalExample /run/keys/monitoringvpn/server.pub;
 default = ../../../../morph/PrivateStorageSecrets/monitoringvpn/server.pub;
 description = ''
 File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
diff --git a/nixos/modules/monitoring/vpn/server.nix b/nixos/modules/monitoring/vpn/server.nix
index 0ff1189b..8a1f560e 100644
--- a/nixos/modules/monitoring/vpn/server.nix
+++ b/nixos/modules/monitoring/vpn/server.nix
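Review bot: The new `default = /run/keys/monitoringvpn/client.key;` in the first hunk (likewise the preshared default in the second hunk and all three defaults in the server.nix hunk) is a Nix path literal, not a string, so any consumer that interpolates it into a string or derivation would copy the private key into the world-readable Nix store, which would defeat the purpose of moving it to a memory-backed location. `lib.types.path` also accepts an absolute string, so writing the defaults as `default = "/run/keys/monitoringvpn/client.key";` removes that footgun without changing the option's type; I would also add to the description `The file is read at runtime only and is never imported into the Nix store.` so the contract is explicit. Separately, in the third hunk the `endpointPublicKeyFile` example now points at /run/keys/monitoringvpn/server.pub while its default remains a path into the PrivateStorageSecrets checkout; unless clients are also deployed a copy of server.pub under /run/keys (the morph hunks only deploy it to the monitoring server), the example describes a file that will not exist there. The enclosing option set continues outside these hunks.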
@@ -8,24 +8,24 @@ in {
 enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN server service";
 privateKeyFile = lib.mkOption {
 type = lib.types.path;
- example = lib.literalExample /var/secrets/monitoringvpn/server.key;
- default = /var/secrets/monitoringvpn/server.key;
+ example = lib.literalExample /run/keys/monitoringvpn/server.key;
+ default = /run/keys/monitoringvpn/server.key;
 description = ''
 File with base64 private key generated by <command>wg genkey</command>.
 '';
 };
 publicKeyFile = lib.mkOption {
 type = lib.types.path;
- example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
- default = /var/secrets/monitoringvpn/server.pub;
+ example = lib.literalExample /run/keys/monitoringvpn/server.pub;
+ default = /run/keys/monitoringvpn/server.pub;
 description = ''
 File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
 '';
 };
 presharedKeyFile = lib.mkOption {
 type = lib.types.path;
- example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
- default = /var/secrets/monitoringvpn/preshared.key;
+ example = lib.literalExample /run/keys/monitoringvpn/preshared.key;
+ default = /run/keys/monitoringvpn/preshared.key;
 description = ''
 File with base64 preshared key generated by <command>wg genpsk</command>.
 '';
-- 
GitLab