From bb13663e35b8732d8fc1ae3a3c6b9a1086eb8512 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Mon, 28 Jun 2021 12:33:31 -0400
Subject: [PATCH] Split the secrets directory into public and private halves
update the localdev grid's secrets and other configuration to reflect this
testing and production are broken by this commit since they have not been
updated similarly
---
morph/grid/local/config.json | 5 +-
morph/grid/local/grid.nix | 10 ++--
.../monitoringvpn/172.23.23.11.key | 0
.../monitoringvpn/172.23.23.12.key | 0
.../monitoringvpn/172.23.23.13.key | 0
.../monitoringvpn/preshared.key | 0
.../monitoringvpn/server.key | 0
.../payments-localdev-ssl/cert.pem | 0
.../payments-localdev-ssl/chain.pem | 0
.../payments-localdev-ssl/privkey.pem | 0
.../ristretto.signing-key | 0
.../{secrets => private-keys}/stripe.secret | 0
.../monitoringvpn/172.23.23.11.pub | 0
.../monitoringvpn/172.23.23.12.pub | 0
.../monitoringvpn/172.23.23.13.pub | 0
.../monitoringvpn/server.pub | 0
.../local/{secrets => public-keys}/users.nix | 4 +-
morph/lib/customize-issuer.nix | 48 +++++++++++--------
morph/lib/customize-monitoring.nix | 9 ++--
morph/lib/customize-storage.nix | 12 ++---
20 files changed, 48 insertions(+), 40 deletions(-)
rename morph/grid/local/{secrets => private-keys}/monitoringvpn/172.23.23.11.key (100%)
rename morph/grid/local/{secrets => private-keys}/monitoringvpn/172.23.23.12.key (100%)
rename morph/grid/local/{secrets => private-keys}/monitoringvpn/172.23.23.13.key (100%)
rename morph/grid/local/{secrets => private-keys}/monitoringvpn/preshared.key (100%)
rename morph/grid/local/{secrets => private-keys}/monitoringvpn/server.key (100%)
rename morph/grid/local/{secrets => private-keys}/payments-localdev-ssl/cert.pem (100%)
rename morph/grid/local/{secrets => private-keys}/payments-localdev-ssl/chain.pem (100%)
rename morph/grid/local/{secrets => private-keys}/payments-localdev-ssl/privkey.pem (100%)
rename morph/grid/local/{secrets => private-keys}/ristretto.signing-key (100%)
rename morph/grid/local/{secrets => private-keys}/stripe.secret (100%)
rename morph/grid/local/{secrets => public-keys}/monitoringvpn/172.23.23.11.pub (100%)
rename morph/grid/local/{secrets => public-keys}/monitoringvpn/172.23.23.12.pub (100%)
rename morph/grid/local/{secrets => public-keys}/monitoringvpn/172.23.23.13.pub (100%)
rename morph/grid/local/{secrets => public-keys}/monitoringvpn/server.pub (100%)
rename morph/grid/local/{secrets => public-keys}/users.nix (50%)
diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 3d377cc0..9a929d2c 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -1,8 +1,7 @@
{ "domain": "localdev"
, "publicStoragePort": 8898
-, "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
-, "stripeSecretKeyPath": "./secrets/stripe.secret"
-, "monitoringvpnKeyDir": "./secrets/monitoringvpn"
+, "publicKeyPath": "./public-keys"
+, "privateKeyPath": "./private-keys"
, "monitoringvpnEndpoint": "192.168.67.24:51820"
, "passValue": 1000000
, "issuerDomains": ["payments.localdev"]
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 5345a161..55b7587c 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -4,10 +4,12 @@ let
gridlib = import ../../lib;
rawConfig = pkgs.lib.trivial.importJSON ./config.json;
config = rawConfig // {
- sshUsers = import ./secrets/users.nix;
+ sshUsers = import ./public-keys/users.nix;
- # Get absolute vpn key directory path, as a string:
- monitoringvpnKeyDir = toString ./. + "/${rawConfig.monitoringvpnKeyDir}";
+ # Convert relative paths to absolute so library code can resolve names
+ # correctly.
+ publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
+ privateKeyPath = toString ./. + "/${rawConfig.privateKeyPath}";
};
payments = {
@@ -48,7 +50,7 @@ let
(gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.24"; }))
(gridlib.customize-monitoring {
inherit hostsMap vpnClientIPs nodeExporterTargets;
- inherit (config) domain monitoringvpnKeyDir;
+ inherit (config) domain publicKeyPath privateKeyPath;
monitoringvpnIPv4 = "172.23.23.1";
stateVersion = "19.09";
})
diff --git a/morph/grid/local/secrets/monitoringvpn/172.23.23.11.key b/morph/grid/local/private-keys/monitoringvpn/172.23.23.11.key
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/172.23.23.11.key
rename to morph/grid/local/private-keys/monitoringvpn/172.23.23.11.key
diff --git a/morph/grid/local/secrets/monitoringvpn/172.23.23.12.key b/morph/grid/local/private-keys/monitoringvpn/172.23.23.12.key
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/172.23.23.12.key
rename to morph/grid/local/private-keys/monitoringvpn/172.23.23.12.key
diff --git a/morph/grid/local/secrets/monitoringvpn/172.23.23.13.key b/morph/grid/local/private-keys/monitoringvpn/172.23.23.13.key
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/172.23.23.13.key
rename to morph/grid/local/private-keys/monitoringvpn/172.23.23.13.key
diff --git a/morph/grid/local/secrets/monitoringvpn/preshared.key b/morph/grid/local/private-keys/monitoringvpn/preshared.key
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/preshared.key
rename to morph/grid/local/private-keys/monitoringvpn/preshared.key
diff --git a/morph/grid/local/secrets/monitoringvpn/server.key b/morph/grid/local/private-keys/monitoringvpn/server.key
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/server.key
rename to morph/grid/local/private-keys/monitoringvpn/server.key
diff --git a/morph/grid/local/secrets/payments-localdev-ssl/cert.pem b/morph/grid/local/private-keys/payments-localdev-ssl/cert.pem
similarity index 100%
rename from morph/grid/local/secrets/payments-localdev-ssl/cert.pem
rename to morph/grid/local/private-keys/payments-localdev-ssl/cert.pem
diff --git a/morph/grid/local/secrets/payments-localdev-ssl/chain.pem b/morph/grid/local/private-keys/payments-localdev-ssl/chain.pem
similarity index 100%
rename from morph/grid/local/secrets/payments-localdev-ssl/chain.pem
rename to morph/grid/local/private-keys/payments-localdev-ssl/chain.pem
diff --git a/morph/grid/local/secrets/payments-localdev-ssl/privkey.pem b/morph/grid/local/private-keys/payments-localdev-ssl/privkey.pem
similarity index 100%
rename from morph/grid/local/secrets/payments-localdev-ssl/privkey.pem
rename to morph/grid/local/private-keys/payments-localdev-ssl/privkey.pem
diff --git a/morph/grid/local/secrets/ristretto.signing-key b/morph/grid/local/private-keys/ristretto.signing-key
similarity index 100%
rename from morph/grid/local/secrets/ristretto.signing-key
rename to morph/grid/local/private-keys/ristretto.signing-key
diff --git a/morph/grid/local/secrets/stripe.secret b/morph/grid/local/private-keys/stripe.secret
similarity index 100%
rename from morph/grid/local/secrets/stripe.secret
rename to morph/grid/local/private-keys/stripe.secret
diff --git a/morph/grid/local/secrets/monitoringvpn/172.23.23.11.pub b/morph/grid/local/public-keys/monitoringvpn/172.23.23.11.pub
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/172.23.23.11.pub
rename to morph/grid/local/public-keys/monitoringvpn/172.23.23.11.pub
diff --git a/morph/grid/local/secrets/monitoringvpn/172.23.23.12.pub b/morph/grid/local/public-keys/monitoringvpn/172.23.23.12.pub
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/172.23.23.12.pub
rename to morph/grid/local/public-keys/monitoringvpn/172.23.23.12.pub
diff --git a/morph/grid/local/secrets/monitoringvpn/172.23.23.13.pub b/morph/grid/local/public-keys/monitoringvpn/172.23.23.13.pub
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/172.23.23.13.pub
rename to morph/grid/local/public-keys/monitoringvpn/172.23.23.13.pub
diff --git a/morph/grid/local/secrets/monitoringvpn/server.pub b/morph/grid/local/public-keys/monitoringvpn/server.pub
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/server.pub
rename to morph/grid/local/public-keys/monitoringvpn/server.pub
diff --git a/morph/grid/local/secrets/users.nix b/morph/grid/local/public-keys/users.nix
similarity index 50%
rename from morph/grid/local/secrets/users.nix
rename to morph/grid/local/public-keys/users.nix
index 93a8b660..e6135d04 100644
--- a/morph/grid/local/secrets/users.nix
+++ b/morph/grid/local/public-keys/users.nix
@@ -1,4 +1,4 @@
-# Add your public key. Example:
+# Add your public key. Example:
# let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
-let key = undefined;
+let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon";
in { "root" = key; "vagrant" = key; }
diff --git a/morph/lib/customize-issuer.nix b/morph/lib/customize-issuer.nix
index 28edb72e..1c0d668f 100644
--- a/morph/lib/customize-issuer.nix
+++ b/morph/lib/customize-issuer.nix
@@ -1,23 +1,15 @@
# Define a function which returns a value which fills in all the holes left by
# ``issuer.nix``.
{
- # A path on the deployment system to a file containing the Ristretto signing
- # key. This is used as the source of the Ristretto signing key morph
- # secret.
- ristrettoSigningKeyPath
+ # A path on the deployment system of a directory containing all of the
+ # public keys for the system. For example, this holds Wireguard public keys
+ # for the VPN configuration and SSH public keys to configure SSH
+ # authentication.
+ publicKeyPath
- # A path on the deployment system to a file containing the Stripe secret
- # key. This is used as the source of the Stripe secret key morph secret.
-, stripeSecretKeyPath
-
- # A path on the deployment system to a directory containing a number of
- # VPN-related secrets. This is expected to contain a number of files named
- # like ``<VPN IPv4 address>.key`` containing the VPN private key for the
- # corresponding host. It must also contain ``server.pub`` and
- # ``preshared.key`` holding the VPN server's public key and the pre-shared
- # key, respectively. All of these things are used as the sources of various
- # VPN-related morph secrets.
-, monitoringvpnKeyDir
+ # A path on the deployment system of a directory containing all of the
+ # corresponding private keys for the system.
+, privateKeyPath
# A string giving the IP address and port number (":"-separated) of the VPN
# server.
@@ -63,10 +55,24 @@
deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
deployment.secrets = {
- "ristretto-signing-key".source = ristrettoSigningKeyPath;
- "stripe-secret-key".source = stripeSecretKeyPath;
- "monitoringvpn-secret-key".source = "${monitoringvpnKeyDir}/${monitoringvpnIPv4}.key";
- "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
+ # A path on the deployment system to a file containing the Ristretto
+ # signing key. This is used as the source of the Ristretto signing key
+ # morph secret.
+ "ristretto-signing-key".source = "${privateKeyPath}/ristretto.signing-key";
+
+ # A path on the deployment system to a file containing the Stripe secret
+ # key. This is used as the source of the Stripe secret key morph secret.
+ "stripe-secret-key".source = "${privateKeyPath}/stripe.secret";
+
+ # ``.../monitoringvpn`` is a path on the deployment system of a directory
+ # containing a number of VPN-related secrets. This is expected to contain
+ # a number of files named like ``<VPN IPv4 address>.key`` containing the
+ # VPN private key for the corresponding host. It must also contain
+ # ``server.pub`` and ``preshared.key`` holding the VPN server's public key
+ # and the pre-shared key, respectively. All of these things are used as
+ # the sources of various VPN-related morph secrets.
+ "monitoringvpn-secret-key".source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
+ "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
};
networking.domain = domain;
@@ -76,7 +82,7 @@
enable = true;
ip = monitoringvpnIPv4;
endpoint = monitoringvpnEndpoint;
- endpointPublicKeyFile = "${monitoringvpnKeyDir}/server.pub";
+ endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
};
services.private-storage-issuer = {
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index c50eb506..f77d26bd 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -9,7 +9,8 @@
hostsMap
# See ``customize-issuer.nix``.
-, monitoringvpnKeyDir
+, publicKeyPath
+, privateKeyPath
, monitoringvpnIPv4
, domain
@@ -34,8 +35,8 @@
deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
deployment.secrets = {
- "monitoringvpn-private-key".source = "${monitoringvpnKeyDir}/server.key";
- "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
+ "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
+ "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
};
networking.domain = domain;
@@ -45,7 +46,7 @@
enable = true;
ip = monitoringvpnIPv4;
inherit vpnClientIPs;
- pubKeysPath = monitoringvpnKeyDir;
+ pubKeysPath = "${publicKeyPath}/monitoringvpn";
};
services.private-storage.monitoring.prometheus = {
diff --git a/morph/lib/customize-storage.nix b/morph/lib/customize-storage.nix
index 0a087436..68655874 100644
--- a/morph/lib/customize-storage.nix
+++ b/morph/lib/customize-storage.nix
@@ -2,8 +2,8 @@
# ``storage.nix``.
{
# See ``customize-issuer.nix``
- ristrettoSigningKeyPath
-, monitoringvpnKeyDir
+ privateKeyPath
+, publicKeyPath
, monitoringvpnEndpoint
, monitoringvpnIPv4
, sshUsers
@@ -25,9 +25,9 @@
deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
deployment.secrets = {
- "ristretto-signing-key".source = ristrettoSigningKeyPath;
- "monitoringvpn-secret-key".source = "${monitoringvpnKeyDir}/${monitoringvpnIPv4}.key";
- "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
+ "ristretto-signing-key".source = "${privateKeyPath}/ristretto.signing-key";
+ "monitoringvpn-secret-key".source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
+ "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
};
networking.domain = domain;
@@ -40,7 +40,7 @@
enable = true;
ip = monitoringvpnIPv4;
endpoint = monitoringvpnEndpoint;
- endpointPublicKeyFile = "${monitoringvpnKeyDir}/server.pub";
+ endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
};
system.stateVersion = stateVersion;
--
GitLab