Split the secrets directory into public and private halves

update the localdev grid's secrets and other configuration to reflect this

testing and production are broken by this commit since they have not been
updated similarly

morph/grid/local/config.json

 { "domain": "localdev"
 , "publicStoragePort": 8898
-, "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
-, "stripeSecretKeyPath": "./secrets/stripe.secret"
-, "monitoringvpnKeyDir": "./secrets/monitoringvpn"
+, "publicKeyPath": "./public-keys"
+, "privateKeyPath": "./private-keys"
 , "monitoringvpnEndpoint": "192.168.67.24:51820"
 , "passValue": 1000000
 , "issuerDomains": ["payments.localdev"]

morph/grid/local/grid.nix

@@ -4,10 +4,12 @@ let
   gridlib = import ../../lib;
   rawConfig = pkgs.lib.trivial.importJSON ./config.json;
   config = rawConfig // {
-    sshUsers = import ./secrets/users.nix;
+    sshUsers = import ./public-keys/users.nix;
 
-    # Get absolute vpn key directory path, as a string:
-    monitoringvpnKeyDir = toString ./. + "/${rawConfig.monitoringvpnKeyDir}";
+    # Convert relative paths to absolute so library code can resolve names
+    # correctly.
+    publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
+    privateKeyPath = toString ./. + "/${rawConfig.privateKeyPath}";
   };
 
   payments = {
@@ -48,7 +50,7 @@ let
       (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.24"; }))
       (gridlib.customize-monitoring {
         inherit hostsMap vpnClientIPs nodeExporterTargets;
-        inherit (config) domain monitoringvpnKeyDir;
+        inherit (config) domain publicKeyPath privateKeyPath;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
       })

morph/grid/local/secrets/users.nix → morph/grid/local/public-keys/users.nix

-# Add your public key. Example: 
+# Add your public key. Example:
 # let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
-let key = undefined;
+let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon";
 in { "root" = key; "vagrant" = key; }

morph/lib/customize-issuer.nix

 # Define a function which returns a value which fills in all the holes left by
 # ``issuer.nix``.
 {
-  # A path on the deployment system to a file containing the Ristretto signing
-  # key.  This is used as the source of the Ristretto signing key morph
-  # secret.
-  ristrettoSigningKeyPath
+  # A path on the deployment system of a directory containing all of the
+  # public keys for the system.  For example, this holds Wireguard public keys
+  # for the VPN configuration and SSH public keys to configure SSH
+  # authentication.
+  publicKeyPath
 
-  # A path on the deployment system to a file containing the Stripe secret
-  # key.  This is used as the source of the Stripe secret key morph secret.
-, stripeSecretKeyPath
-
-  # A path on the deployment system to a directory containing a number of
-  # VPN-related secrets.  This is expected to contain a number of files named
-  # like ``<VPN IPv4 address>.key`` containing the VPN private key for the
-  # corresponding host.  It must also contain ``server.pub`` and
-  # ``preshared.key`` holding the VPN server's public key and the pre-shared
-  # key, respectively.  All of these things are used as the sources of various
-  # VPN-related morph secrets.
-, monitoringvpnKeyDir
+  # A path on the deployment system of a directory containing all of the
+  # corresponding private keys for the system.
+, privateKeyPath
 
   # A string giving the IP address and port number (":"-separated) of the VPN
   # server.
@@ -63,10 +55,24 @@
   deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
 
   deployment.secrets = {
-    "ristretto-signing-key".source = ristrettoSigningKeyPath;
-    "stripe-secret-key".source = stripeSecretKeyPath;
-    "monitoringvpn-secret-key".source = "${monitoringvpnKeyDir}/${monitoringvpnIPv4}.key";
-    "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
+    # A path on the deployment system to a file containing the Ristretto
+    # signing key.  This is used as the source of the Ristretto signing key
+    # morph secret.
+    "ristretto-signing-key".source = "${privateKeyPath}/ristretto.signing-key";
+
+    # A path on the deployment system to a file containing the Stripe secret
+    # key.  This is used as the source of the Stripe secret key morph secret.
+    "stripe-secret-key".source = "${privateKeyPath}/stripe.secret";
+
+    # ``.../monitoringvpn`` is a path on the deployment system of a directory
+    # containing a number of VPN-related secrets.  This is expected to contain
+    # a number of files named like ``<VPN IPv4 address>.key`` containing the
+    # VPN private key for the corresponding host.  It must also contain
+    # ``server.pub`` and ``preshared.key`` holding the VPN server's public key
+    # and the pre-shared key, respectively.  All of these things are used as
+    # the sources of various VPN-related morph secrets.
+    "monitoringvpn-secret-key".source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
+    "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
   };
 
   networking.domain = domain;
@@ -76,7 +82,7 @@
     enable = true;
     ip = monitoringvpnIPv4;
     endpoint = monitoringvpnEndpoint;
-    endpointPublicKeyFile = "${monitoringvpnKeyDir}/server.pub";
+    endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
   };
 
   services.private-storage-issuer = {

morph/lib/customize-monitoring.nix

@@ -9,7 +9,8 @@
   hostsMap
 
   # See ``customize-issuer.nix``.
-, monitoringvpnKeyDir
+, publicKeyPath
+, privateKeyPath
 , monitoringvpnIPv4
 , domain
 
@@ -34,8 +35,8 @@
   deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
 
   deployment.secrets = {
-    "monitoringvpn-private-key".source = "${monitoringvpnKeyDir}/server.key";
-    "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
+    "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
+    "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
   };
 
   networking.domain = domain;
@@ -45,7 +46,7 @@
     enable = true;
     ip = monitoringvpnIPv4;
     inherit vpnClientIPs;
-    pubKeysPath = monitoringvpnKeyDir;
+    pubKeysPath = "${publicKeyPath}/monitoringvpn";
   };
 
   services.private-storage.monitoring.prometheus = {

morph/lib/customize-storage.nix

@@ -2,8 +2,8 @@
 # ``storage.nix``.
 {
   # See ``customize-issuer.nix``
-  ristrettoSigningKeyPath
-, monitoringvpnKeyDir
+  privateKeyPath
+, publicKeyPath
 , monitoringvpnEndpoint
 , monitoringvpnIPv4
 , sshUsers
@@ -25,9 +25,9 @@
   deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
 
   deployment.secrets = {
-    "ristretto-signing-key".source = ristrettoSigningKeyPath;
-    "monitoringvpn-secret-key".source = "${monitoringvpnKeyDir}/${monitoringvpnIPv4}.key";
-    "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
+    "ristretto-signing-key".source = "${privateKeyPath}/ristretto.signing-key";
+    "monitoringvpn-secret-key".source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
+    "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
   };
 
   networking.domain = domain;
@@ -40,7 +40,7 @@
     enable = true;
     ip = monitoringvpnIPv4;
     endpoint = monitoringvpnEndpoint;
-    endpointPublicKeyFile = "${monitoringvpnKeyDir}/server.pub";
+    endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
   };
 
   system.stateVersion = stateVersion;