From b312ec6e49113bd9229421f48b125376ff050de5 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Thu, 17 Jun 2021 13:15:54 +0000
Subject: [PATCH] Update key generation documentation and add script to rotate
 all VPN keys

---
 docs/source/ops/generating-keys.rst | 55 ++++++++++++++++++++++-------
 tools/create-vpn-keys.sh            | 31 ++++++++++++++++
 2 files changed, 73 insertions(+), 13 deletions(-)
 create mode 100755 tools/create-vpn-keys.sh

diff --git a/docs/source/ops/generating-keys.rst b/docs/source/ops/generating-keys.rst
index afe2ece4..ce7e14e4 100644
--- a/docs/source/ops/generating-keys.rst
+++ b/docs/source/ops/generating-keys.rst
@@ -1,7 +1,28 @@
 Generating keys
 ===============
 
-``config.json`` has the paths for the Ristretto and the Stripe secret key files.
+There's an example ``secrets`` repo in ``morph/grid/local/secrets``.
+``<grid>/config.json`` has the paths for the key files for the respective grid.
+Create a symlink named ``secrets`` to your secret key repository for the deployment you are working on.
+
+
+Stripe
+``````
+
+For the Stripe key any random bytes with a little light formatting "work" - at least to make our software happy - but if you want to be able to interact with Stripe and have payments (even pretend payments) move all the way through the system you should get a Stripe account and generate a key w/ them.
+Lauri can get you added to our "dev" Stripe account, too, though I forget how important that is for ad hoc dev/testing.
+
+I think this will work for generating random Stripe secret keys (that our software will load, I think, but Stripe will reject)::
+
+  >>> import base64, os
+  >>> print((b"sk_test_" + base64.b64encode(os.urandom(25)).strip(b"=")).decode("ascii"))
+  sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw
+
+Public keys are the same but "pk_test" instead of "sk_test" ("test" is for "test mode" key that can only process pretend txns; for real txns there are keys with "live" embedded).
+
+
+ZKAP-Issuer Ristretto
+`````````````````````
 
 Here is a Ristretto key you can use, randomly generated just now::
 
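Review bot: the new introduction tells the reader to "create a symlink named ``secrets``" but not where to put it, and every relative path later in this file (``secrets/monitoringvpn``, ``../../../tools/create-vpn-keys.sh``) only resolves if that symlink lives at the top of the checkout; state that explicitly, e.g. "from the repository root, ``ln -s /path/to/your/secrets/repo secrets``". Two smaller points in the moved Stripe section: the hedging ("I think this will work", "I think, but Stripe will reject") reads oddly in an ops runbook now that the snippet shows a concrete output, so either confirm the behaviour or say plainly that the key only satisfies the local loader; and the sample output contains ``+`` and ``/`` from ``base64.b64encode``, so note that the value must be quoted when pasted into a shell or a URL, or generate from ``base64.urlsafe_b64encode`` instead.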
@@ -19,16 +40,9 @@ For example::
 
   echo -n "SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=" > ristretto.signing-key
 
-For the Stripe key any random bytes with a little light formatting "work" - at least to make our software happy - but if you want to be able to interact with Stripe and have payments (even pretend payments) move all the way through the system you should get a Stripe account and generate a key w/ them.
-Lauri can get you added to our "dev" Stripe account, too, though I forget how important that is for ad hoc dev/testing.
-
-I think this will work for generating random Stripe secret keys (that our software will load, I think, but Stripe will reject)::
 
-  >>> import base64, os
-  >>> print((b"sk_test_" + base64.b64encode(os.urandom(25)).strip(b"=")).decode("ascii"))
-  sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw
-
-Public keys are the same but "pk_test" instead of "sk_test" ("test" is for "test mode" key that can only process pretend txns; for real txns there are keys with "live" embedded).
+ZKAP-Issuer TLS
+```````````````
 
 The ZKAPIssuer.service needs a working TLS certificate and expects it in the certbot directory for the domain you configured, in my case::
 
@@ -37,12 +51,27 @@ The ZKAPIssuer.service needs a working TLS certificate and expects it in the cer
 
 Move the three .pem files into the payment's server ``/var/lib/letsencrypt/live/payments.localdev/`` directory and issue a ``sudo systemctl restart zkapissuer.service``.
 
-Create Wireguard VPN key pairs in ``PrivateStorageSecrets/monitoringvpn/`` or where you have them::
 
-  for i in "172.23.23.11" "172.23.23.12" "172.23.23.13" "server"; do
-    wg genkey | tee ${i}.key | wg pubkey > ${i}.pub
+Monitoring VPN
+``````````````
+
+Create Wireguard VPN key pairs in ``secrets/monitoringvpn/`` or where you have them.
+
+``tools/create-vpn-keys.sh`` holds a script to rotate all VPN keys at once::
+
+  cd secrets/monitoringvpn
+  ../../../tools/create-vpn-keys.sh morph/grid/testing/grid.nix
+  ../../../../../tools/create-vpn-keys.sh 
+
+Or do it manually::
+
+  for i in 1 11 12 13 ; do
+    wg genkey | tee 172.23.23.${i}.key | wg pubkey > 172.23.23.${i}.pub
   done
 
+  ln -s 172.23.23.1.key server.key
+  ln -s 172.23.23.1.pub server.pub
+
 And a shared VPN key for "post-quantum resistance"::
 
   wg genpsk > preshared.key
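Review bot: the ``create-vpn-keys.sh`` example in this hunk is internally inconsistent and one of its two invocations is broken: after ``cd secrets/monitoringvpn`` the script is called once as ``../../../tools/create-vpn-keys.sh morph/grid/testing/grid.nix`` and once as ``../../../../../tools/create-vpn-keys.sh`` with a trailing space and no argument, which makes the script exit 2 with "Illegal number of parameters"; in addition ``morph/grid/testing/grid.nix`` is relative to the repository root, not to the directory just entered, so the first call fails on the ``fgrep`` too. Keep a single invocation whose two paths both resolve from the working directory, e.g. ``../../tools/create-vpn-keys.sh ../../morph/grid/testing/grid.nix`` when ``secrets`` is a symlink at the repo root, or use absolute paths. The manual variant should also set ``umask 077`` before the ``wg genkey`` loop, as the script does, otherwise the ``.key`` files are created with the user's default mode; and since the section is about rotating, ``ln -s 172.23.23.1.key server.key`` fails on the second run when the link already exists, so mirror the script's ``ln -fs``.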
diff --git a/tools/create-vpn-keys.sh b/tools/create-vpn-keys.sh
new file mode 100755
index 00000000..90eae2c2
--- /dev/null
+++ b/tools/create-vpn-keys.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+# Scope: Create wireguard keys for all monitoringVPN hosts
+# Parameters:
+#   file: path to grid.nix of morph deployment
+# Output: Key files for all monitoring VPN hosts _in_the_current_directory_
+# Convention: the IP ending in ".1" will be symlinked to server.{key,pub}
+
+set -euo pipefail
+
+umask 077
+
+if [[ $# -ne 1 ]]; then
+    echo "Illegal number of parameters. Expected: file (path of grid.nix)"
+    exit 2
+fi
+
+MONITORING_IPS=$(fgrep monitoringvpnIPv4 ${1} | egrep -o "[0-9\.]{7,15}")
+VPNSERVER_IP=$(fgrep monitoringvpnIPv4 ${1} | egrep -o -m1 "[0-9\.]{5,13}\.1")
+
+for i in $MONITORING_IPS; do
+  wg genkey | tee ${i}.key | wg pubkey > ${i}.pub
+done
+
+ln -fs $VPNSERVER_IP.key server.key
+ln -fs $VPNSERVER_IP.pub server.pub
+
+wg genpsk > preshared.key
+
+# EOF
+
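Review bot: the server address extraction in `VPNSERVER_IP=$(fgrep monitoringvpnIPv4 ${1} | egrep -o -m1 "[0-9\.]{5,13}\.1")` is not anchored at the end of the address: `-m1` takes the first line containing `monitoringvpnIPv4`, and if that line holds e.g. `172.23.23.11` or `172.23.23.13` the pattern still matches the prefix `172.23.23.1`, so `server.key` is symlinked to whichever file that name resolves to, or to a file the loop never created if no `.1` host exists. Anchor the match (`grep -Eow "[0-9.]{5,13}\.1"`), or better, pick the server out of `$MONITORING_IPS` with a `case "$i" in *.1) ...;; esac` and exit with an error when nothing matched. Related: with `set -euo pipefail` an empty grep result aborts the script without any message, so test that `MONITORING_IPS` is non-empty and say why it is not; `fgrep`/`egrep` are the deprecated spellings of `grep -F`/`grep -E`; `${1}`, `$VPNSERVER_IP` and `${i}` should be quoted; and because the script silently overwrites every existing key and `preshared.key`, a comment in the header noting that all peers must be redeployed afterwards would save the next operator a broken VPN.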
-- 
GitLab