Commit afdafb29 authored by Jean-Paul Calderone's avatar Jean-Paul Calderone
More changes to follow the re-arranging of key paths

parent 95a60593
4 merge requests: !140 Merge staging into production, !122 Merge develop into staging, !115 Continuous deployment for the grid systems, !112 Draft: Try having morph build everything it wants and then caching it
......@@ -62,7 +62,7 @@ morph-builds:
vulnerability-scan:
stage: "test"
script:
- "sed -i 's/undefined/\"unundefined\"/' morph/grid/local/secrets/users.nix"
- "sed -i 's/undefined/\"unundefined\"/' morph/grid/local/public-keys/users.nix"
- "ci-tools/vulnerability-scan security-report.json"
- "ci-tools/count-vulnerabilities <security-report.json"
artifacts:
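Review bot: The new `sed -i` line rewrites `undefined` in `morph/grid/local/public-keys/users.nix` with no guard that the file exists at the new path, and `sed -i` exits 0 when the file is present but the pattern does not match, so a stale path or an already-clean file would go unnoticed in CI. Consider a `test -f morph/grid/local/public-keys/users.nix` step before it (or `grep -q undefined ... && sed ...`), and a short comment on why `undefined` has to be replaced for the vulnerability scan, since nothing in this file explains the substitution.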
......
Generating keys
===============
There's an example ``secrets`` repo in ``morph/grid/local/secrets``.
There are example ``public-keys`` and ``private-keys`` repos in ``morph/grid/local/``.
``<grid>/config.json`` has the paths for the key files for the respective grid.
Create a symlink named ``secrets`` to your secret key repository for the deployment you are working on.
Create symlinks named ``public-keys`` and ``private-keys`` to your secret key repositories for the deployment you are working on.
Stripe
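Review bot: The replacement sentence "Create symlinks named ``public-keys`` and ``private-keys`` to your secret key repositories" carries the old wording over: the ``public-keys`` directory is by definition not a secret repository. Suggest "Create symlinks named ``public-keys`` and ``private-keys`` to your public-key and private-key repositories for the deployment you are working on." It would also help to say which of the two ``<grid>/config.json`` paths refer to which directory, since the context line only says it holds "the paths for the key files".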
......@@ -55,22 +55,6 @@ Move the three .pem files into the payment's server ``/var/lib/letsencrypt/live/
Monitoring VPN
``````````````
Create Wireguard VPN key pairs in ``secrets/monitoringvpn/`` or where you have them.
``tools/create-vpn-keys.sh`` holds a script to rotate all VPN keys at once::
Create all of the Wireguard VPN keys for a grid::
./tools/create-vpn-keys.sh morph/grid/testing/grid.nix
Or do it manually::
cd secrets/monitoringvpn
for i in 1 11 12 13 ; do
wg genkey | tee 172.23.23.${i}.key | wg pubkey > 172.23.23.${i}.pub
done
ln -s 172.23.23.1.key server.key
ln -s 172.23.23.1.pub server.pub
And a shared VPN key for "post-quantum resistance"::
wg genpsk > preshared.key
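Review bot: The removed manual steps were the only place the docs said where the VPN key material lives (``secrets/monitoringvpn``) and that a preshared key is generated alongside the per-host pairs; the replacement text just names the script. Since the script now writes private keys and ``preshared.key`` to ``private-keys/monitoringvpn`` and public keys to ``public-keys/monitoringvpn``, state those two output directories here so a reader knows what to commit and what to keep out of git, for example: "Keys are written to ``private-keys/monitoringvpn`` and ``public-keys/monitoringvpn`` next to ``grid.nix``."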
......@@ -42,8 +42,8 @@ grid
Specific grid definitions live in subdirectories beneath this directory.
secrets
~~~~~~~
private-keys
~~~~~~~~~~~~
This must be created and populated before the grid can be built or deployed.
......@@ -55,10 +55,18 @@ This path is **ignored** by git.
The intended workflow is that the secrets will be maintained on secure storage and a symlink to the correct location created here.
This keeps the secrets themselves out of the git working tree as an extra protection against unintentionally committing them.
An exception is the ``secrets`` directory in the ``local`` morph grid:
An exception is the ``private-keys`` directory in the ``local`` morph grid:
That directory is fully populated, provided as an example, and mostly: not very secret.
Do not deploy these keys to machines reachable via the internet.
public-keys
~~~~~~~~~~~
This must be created and populated before the grid can be built or deployed.
This directory contains any public key material necessary for operation of the grid.
This includes the public keys corresponding to any private keys held in ``private-keys``.
config.json
~~~~~~~~~~~
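Review bot: The new ``public-keys`` section does not say whether this path is git-ignored. The ``private-keys`` section above it states "This path is **ignored** by git" and explains the symlink workflow; a reader will want to know whether ``public-keys`` gets the same treatment or is expected to be committed, and whether the ``local`` grid exception applies to it as well. Suggest one sentence giving its git status and noting that the ``local`` grid ships a populated example, mirroring the ``private-keys`` text.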
......
......@@ -37,7 +37,7 @@ Use the local development environment
6. Add your SSH key to ``users.nix`` so you'll be able to log in after deploying the new configuration::
$EDITOR secrets/users.nix
$EDITOR public-keys/users.nix
7. Then, build and deploy our software to the Vagrant VMs::
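Review bot: Step 6 says "Add your SSH key to ``users.nix``" while the file now lives under ``public-keys/``; say "SSH public key" explicitly so nobody pastes a private key into a file in the public-keys directory. Suggest: "Add your SSH public key to ``public-keys/users.nix`` so you'll be able to log in after deploying the new configuration".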
......
......@@ -15,7 +15,7 @@ Vagrant.configure("2") do |config|
config.vm.box_check_update = false
config.vm.network "private_network", ip: "192.168.67.21"
# Add self signed SSL key for zkap-issuer:
config.vm.provision "file", source: "secrets/payments-localdev-ssl", destination: "/tmp/payments-localdev-ssl"
config.vm.provision "file", source: "private-keys/payments-localdev-ssl", destination: "/tmp/payments-localdev-ssl"
config.vm.provision "shell", inline: "sudo mkdir -p /var/lib/letsencrypt/live/payments.localdev/"
config.vm.provision "shell", inline: "sudo mv /tmp/payments-localdev-ssl/* /var/lib/letsencrypt/live/payments.localdev/"
end
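Review bot: The provisioner now sources ``private-keys/payments-localdev-ssl``, but per the Stripe docs hunk that directory holds "the three .pem files" for ``/var/lib/letsencrypt/live/``, i.e. the certificate and chain as well as the private key. If the public/private split introduced by this commit is meant to be strict, either document that this directory is an exception (whole Let's Encrypt-style bundle kept with the key) or split the certificate files into ``public-keys/``. Also worth a comment above the line: the existing "# Add self signed SSL key" comment now refers to a directory, not a single key file.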
......
......@@ -4,7 +4,7 @@
# Parameters:
# file: path to grid.nix of morph deployment
#
# Output: Key files for all monitoring VPN hosts in secrets/monitoringvpn
# Output: Key files for all monitoring VPN hosts in {private,public}-keys/monitoringvpn
# relative to the grid.nix
#
# The server key will also be symlinked to server.{key,pub}.
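Review bot: The updated output comment says the key files land in ``{private,public}-keys/monitoringvpn`` "relative to the grid.nix", but the script resolves them with ``$(dirname $1)``, so they are relative to the directory containing ``grid.nix``. Suggest "in the directory containing grid.nix" to avoid readers expecting a path rooted at the file. It would also be worth listing ``preshared.key`` here, since the script generates it into the private-keys directory.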
......@@ -19,7 +19,8 @@ if [[ $# -ne 1 ]]; then
fi
SRC=$(dirname $0)
VPN_SECRETS=$(dirname $1)/secrets/monitoringvpn
VPN_SECRETS=$(dirname $1)/private-keys/monitoringvpn
VPN_PUBLIC=$(dirname $1)/public-keys/monitoringvpn
CONFIG=$(nix-instantiate --strict --json --eval "${SRC}"/get-vpn-config.nix --arg pathToGrid "${1}")
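Review bot: Both new assignments use unquoted ``$(dirname $1)``, so a grid path containing whitespace splits or globs; since the lines are being rewritten anyway, quote them: ``VPN_SECRETS="$(dirname "$1")/private-keys/monitoringvpn"`` and ``VPN_PUBLIC="$(dirname "$1")/public-keys/monitoringvpn"``. The same applies to ``SRC=$(dirname $0)`` on the context line, though that is pre-existing.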
......@@ -27,14 +28,15 @@ MONITORING_IPS=$(echo $CONFIG | jp --unquoted "join(' ', clientIPs)")
VPNSERVER_IP=$(echo $CONFIG | jp --unquoted "serverIP")
mkdir -p "${VPN_SECRETS}"
mkdir -p "${VPN_PUBLIC}"
for i in $MONITORING_IPS $VPNSERVER_IP; do
wg genkey | tee "${VPN_SECRETS}"/${i}.key | wg pubkey > "${VPN_SECRETS}"/${i}.pub
wg genkey | tee "${VPN_SECRETS}"/${i}.key | wg pubkey > "${VPN_PUBLIC}"/${i}.pub
done
wg genpsk > "${VPN_SECRETS}"/preshared.key
ln -fs $VPNSERVER_IP.key "${VPN_SECRETS}"/server.key
ln -fs $VPNSERVER_IP.pub "${VPN_SECRETS}"/server.pub
ln -fs $VPNSERVER_IP.pub "${VPN_PUBLIC}"/server.pub
# EOF
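Review bot: ``mkdir -p "${VPN_SECRETS}"`` and the ``tee`` into ``${VPN_SECRETS}/${i}.key`` (and ``wg genpsk > preshared.key``) all create files under the caller's umask, so on a typical 022 umask the private keys are world-readable. Now that private material is isolated in its own directory, set ``umask 077`` near the top of the script (or ``chmod 700 "${VPN_SECRETS}"`` right after the mkdir and ``chmod 600`` on the generated ``.key`` files) so the split actually buys tighter permissions. The two ``ln -fs`` symlinks use bare relative targets, which is fine because each link lives in the same directory as its target.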