From b0ef52e80acabe362ae0493a28357ab5b86b42a8 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Wed, 10 Jun 2020 15:26:18 -0400
Subject: [PATCH] Have the storage functions (prod and testing) configure ssh
 users

---
 morph/grid/production/grid.nix | 12 ++++++++++--
 morph/grid/testing/grid.nix    |  8 ++++++--
 morph/lib/make-storage.nix     |  3 +++
 morph/lib/make-testing.nix     |  3 ++-
 4 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index cf8f7eb9..7b056146 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -4,7 +4,10 @@
 import ../../lib/make-grid.nix {
   name = "Production";
   config = ./config.json;
-  nodes = cfg: {
+  nodes = cfg:
+    let
+      sshUsers = import ../../../../PrivateStorageSecrets/production-users.nix;
+    in {
     # Here are the hosts that are in this morph network.  This is sort of like
     # a server manifest.  We try to keep as many of the specific details as
     # possible out of *this* file so that this file only grows as server count
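Review bot: The new `let` binding is indented four spaces here but two spaces in the equivalent hunk of morph/grid/testing/grid.nix (its `let`/`in` lines), so the two grid files now express the same construct in two layouts; picking one indentation for both would keep the files diffable against each other. The binding itself would also read better with a one-line comment stating what it is and where it comes from, e.g. `# SSH users shared by every node in this grid, loaded from the PrivateStorageSecrets checkout.` placed above the `sshUsers = import …` line. The `nodes = cfg:` function body continues past the end of this hunk.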
@@ -18,33 +21,38 @@ import ../../lib/make-grid.nix {
     #
     # The names must be unique!
     "payments.privatestorage.io" = import ../../lib/issuer.nix ({
-      sshUsers = import ../../../../PrivateStorageSecrets/production-users.nix;
+      inherit sshUsers;
       hardware = ../../lib/issuer-aws.nix;
       stateVersion = "19.03";
     } // cfg);
 
     "storage001" = import ../../lib/make-storage.nix ({
         cfg = import ./storage001-config.nix;
+        inherit sshUsers;
         hardware = ./storage001-hardware.nix;
         stateVersion = "19.09";
     } // cfg);
     "storage002" = import ../../lib/make-storage.nix ({
         cfg = import ./storage002-config.nix;
+        inherit sshUsers;
         hardware = ./storage002-hardware.nix;
         stateVersion = "19.09";
     } // cfg);
     "storage003" = import ../../lib/make-storage.nix ({
         cfg = import ./storage003-config.nix;
+        inherit sshUsers;
         hardware = ./storage003-hardware.nix;
         stateVersion = "19.09";
     } // cfg);
     "storage004" = import ../../lib/make-storage.nix ({
         cfg = import ./storage004-config.nix;
+        inherit sshUsers;
         hardware = ./storage004-hardware.nix;
         stateVersion = "19.09";
     } // cfg);
     "storage005" = import ../../lib/make-storage.nix ({
         cfg = import ./storage005-config.nix;
+        inherit sshUsers;
         hardware = ./storage005-hardware.nix;
         stateVersion = "19.03";
     } // cfg);
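Review bot: Each `inherit sshUsers;` added to the storage001–storage005 nodes sits inside an attribute set that is then merged as `{ … } // cfg`, so any `sshUsers` attribute present in `cfg` would silently replace the value imported from the secrets file; whether `cfg` can carry such a key is not visible here, but the testing grid merges in the opposite order (`cfg // { … }`, see the make-testing node in morph/grid/testing/grid.nix), so the two grids resolve a conflict differently. If `cfg` is never expected to contain `sshUsers`, a short comment saying so next to one of the calls would make the precedence intentional; otherwise consider merging in the same order in both grids. The five node definitions also repeat the same five-line shape; a small helper taking the node number would remove the repetition, but that is beyond this change.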
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index b6161f5a..3a1c5f39 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -4,15 +4,19 @@
 import ../../lib/make-grid.nix {
   name = "Testing";
   config = ./config.json;
-  nodes = cfg: {
+  nodes = cfg:
+  let
+    sshUsers = import ../../../../PrivateStorageSecrets/staging-users.nix;
+  in {
     "payments.privatestorage-staging.com" = import ../../lib/issuer.nix ({
-      sshUsers = import ../../../../PrivateStorageSecrets/staging-users.nix;
+      inherit sshUsers;
       hardware = ../../lib/issuer-aws.nix;
       stateVersion = "19.03";
     } // cfg);
 
     "3.120.26.190" = import ../../lib/make-testing.nix (cfg // {
       publicIPv4 = "3.120.26.190";
+      inherit sshUsers;
       hardware = ./testing001-hardware.nix;
       stateVersion = "19.03";
     });
diff --git a/morph/lib/make-storage.nix b/morph/lib/make-storage.nix
index da206572..0c556bef 100644
--- a/morph/lib/make-storage.nix
+++ b/morph/lib/make-storage.nix
@@ -3,6 +3,7 @@
 , hardware                   # The path to the hardware configuration for this node.
 , publicStoragePort          # The storage port number on which to accept connections.
 , ristrettoSigningKeyPath    # The *local* path to the Ristretto signing key file.
+, sshUsers                   # Users for which to configure SSH access to this node.
 , stateVersion               # The value for system.stateVersion on this node.
                              # This value determines the NixOS release with
                              # which your system is to be compatible, in order
@@ -56,6 +57,8 @@
     inherit publicStoragePort;
     # Give it the Ristretto signing key, too, to support authorization.
     ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
+    # It gets the users, too.
+    inherit sshUsers;
   };
 
   system.stateVersion = stateVersion;
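Review bot: The added comment `# It gets the users, too.` above `inherit sshUsers;` does not say what "it" does with them, unlike the neighbouring comment for the signing key; `# Pass along the users that should be granted SSH access to this node.` would match the argument's own description on the `sshUsers` parameter line of this file. The attribute set this line lives in begins before the hunk, so the module it configures is not visible here.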
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index 24de7ea4..df8eb006 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -1,4 +1,4 @@
-{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, stateVersion, ... }: rec {
+{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, sshUsers, stateVersion, ... }: rec {
 
   deployment = {
     secrets = {
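Review bot: The `sshUsers` argument added to the pattern on the first line is undocumented, whereas morph/lib/make-storage.nix documents every argument inline (`, sshUsers # Users for which to configure SSH access to this node.`); since the two files now accept the same parameter, it would help callers to give it the same one-line description here, either by breaking the pattern onto one argument per line as make-storage.nix does or with a comment above the first line. The `rec { … }` set opened on that line, and the attribute set receiving `inherit sshUsers;` in the second hunk, both extend past the hunk boundaries.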
@@ -26,6 +26,7 @@
     inherit publicIPv4;
     inherit publicStoragePort;
     ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
+    inherit sshUsers;
   };
 
   system.stateVersion = stateVersion;
-- 
GitLab