diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 3d377cc0e1ebbdec0dff421c806c901e2e5ce06d..9a929d2cf4613874379fdcc7a52f241c10f63f18 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -1,8 +1,7 @@
 { "domain": "localdev"
 , "publicStoragePort": 8898
-, "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
-, "stripeSecretKeyPath": "./secrets/stripe.secret"
-, "monitoringvpnKeyDir": "./secrets/monitoringvpn"
+, "publicKeyPath": "./public-keys"
+, "privateKeyPath": "./private-keys"
 , "monitoringvpnEndpoint": "192.168.67.24:51820"
 , "passValue": 1000000
 , "issuerDomains": ["payments.localdev"]
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 5345a16198e79dd8c91c8566fb62480ce5cea51a..55b7587c5bbfb6169b8cc1fda506a8d6c07d4dcd 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -4,10 +4,12 @@ let
   gridlib = import ../../lib;
   rawConfig = pkgs.lib.trivial.importJSON ./config.json;
   config = rawConfig // {
-    sshUsers = import ./secrets/users.nix;
+    sshUsers = import ./public-keys/users.nix;
 
-    # Get absolute vpn key directory path, as a string:
-    monitoringvpnKeyDir = toString ./. + "/${rawConfig.monitoringvpnKeyDir}";
+    # Convert relative paths to absolute so library code can resolve names
+    # correctly.
+    publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
+    privateKeyPath = toString ./. + "/${rawConfig.privateKeyPath}";
   };
 
   payments = {
@@ -48,7 +50,7 @@ let
         (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.24"; }))
         (gridlib.customize-monitoring {
           inherit hostsMap vpnClientIPs nodeExporterTargets;
-          inherit (config) domain monitoringvpnKeyDir;
+          inherit (config) domain publicKeyPath privateKeyPath;
           monitoringvpnIPv4 = "172.23.23.1";
           stateVersion = "19.09";
         })
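Review bot: `"privateKeyPath": "./private-keys"` retires the `./secrets/` directory name, but nothing else in this diff is updated to follow it; if any ignore rule, deployment script or README in the repository keys on the old `secrets/` path (I cannot see one from here), it will silently stop matching the files that now live under `private-keys/`. Worth confirming in the same commit, since the relocated directory still holds the Stripe secret, the Ristretto signing key and the WireGuard private keys. The grid.nix hunks on this line only rename the same two values and need no change.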
diff --git a/morph/grid/local/secrets/monitoringvpn/172.23.23.11.key b/morph/grid/local/private-keys/monitoringvpn/172.23.23.11.key
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/172.23.23.11.key
rename to morph/grid/local/private-keys/monitoringvpn/172.23.23.11.key
diff --git a/morph/grid/local/secrets/monitoringvpn/172.23.23.12.key b/morph/grid/local/private-keys/monitoringvpn/172.23.23.12.key
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/172.23.23.12.key
rename to morph/grid/local/private-keys/monitoringvpn/172.23.23.12.key
diff --git a/morph/grid/local/secrets/monitoringvpn/172.23.23.13.key b/morph/grid/local/private-keys/monitoringvpn/172.23.23.13.key
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/172.23.23.13.key
rename to morph/grid/local/private-keys/monitoringvpn/172.23.23.13.key
diff --git a/morph/grid/local/secrets/monitoringvpn/preshared.key b/morph/grid/local/private-keys/monitoringvpn/preshared.key
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/preshared.key
rename to morph/grid/local/private-keys/monitoringvpn/preshared.key
diff --git a/morph/grid/local/secrets/monitoringvpn/server.key b/morph/grid/local/private-keys/monitoringvpn/server.key
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/server.key
rename to morph/grid/local/private-keys/monitoringvpn/server.key
diff --git a/morph/grid/local/secrets/payments-localdev-ssl/cert.pem b/morph/grid/local/private-keys/payments-localdev-ssl/cert.pem
similarity index 100%
rename from morph/grid/local/secrets/payments-localdev-ssl/cert.pem
rename to morph/grid/local/private-keys/payments-localdev-ssl/cert.pem
diff --git a/morph/grid/local/secrets/payments-localdev-ssl/chain.pem b/morph/grid/local/private-keys/payments-localdev-ssl/chain.pem
similarity index 100%
rename from morph/grid/local/secrets/payments-localdev-ssl/chain.pem
rename to morph/grid/local/private-keys/payments-localdev-ssl/chain.pem
diff --git a/morph/grid/local/secrets/payments-localdev-ssl/privkey.pem b/morph/grid/local/private-keys/payments-localdev-ssl/privkey.pem
similarity index 100%
rename from morph/grid/local/secrets/payments-localdev-ssl/privkey.pem
rename to morph/grid/local/private-keys/payments-localdev-ssl/privkey.pem
diff --git a/morph/grid/local/secrets/ristretto.signing-key b/morph/grid/local/private-keys/ristretto.signing-key
similarity index 100%
rename from morph/grid/local/secrets/ristretto.signing-key
rename to morph/grid/local/private-keys/ristretto.signing-key
diff --git a/morph/grid/local/secrets/stripe.secret b/morph/grid/local/private-keys/stripe.secret
similarity index 100%
rename from morph/grid/local/secrets/stripe.secret
rename to morph/grid/local/private-keys/stripe.secret
diff --git a/morph/grid/local/secrets/monitoringvpn/172.23.23.11.pub b/morph/grid/local/public-keys/monitoringvpn/172.23.23.11.pub
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/172.23.23.11.pub
rename to morph/grid/local/public-keys/monitoringvpn/172.23.23.11.pub
diff --git a/morph/grid/local/secrets/monitoringvpn/172.23.23.12.pub b/morph/grid/local/public-keys/monitoringvpn/172.23.23.12.pub
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/172.23.23.12.pub
rename to morph/grid/local/public-keys/monitoringvpn/172.23.23.12.pub
diff --git a/morph/grid/local/secrets/monitoringvpn/172.23.23.13.pub b/morph/grid/local/public-keys/monitoringvpn/172.23.23.13.pub
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/172.23.23.13.pub
rename to morph/grid/local/public-keys/monitoringvpn/172.23.23.13.pub
diff --git a/morph/grid/local/secrets/monitoringvpn/server.pub b/morph/grid/local/public-keys/monitoringvpn/server.pub
similarity index 100%
rename from morph/grid/local/secrets/monitoringvpn/server.pub
rename to morph/grid/local/public-keys/monitoringvpn/server.pub
diff --git a/morph/grid/local/secrets/users.nix b/morph/grid/local/public-keys/users.nix
similarity index 50%
rename from morph/grid/local/secrets/users.nix
rename to morph/grid/local/public-keys/users.nix
index 93a8b660c78fa12b1e20c6d560f78efb1b5684c7..e6135d041688c97065dde110855d5871bc51c43f 100644
--- a/morph/grid/local/secrets/users.nix
+++ b/morph/grid/local/public-keys/users.nix
@@ -1,4 +1,4 @@
-# Add your public key. Example: 
+# Add your public key. Example:
 # let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
-let key = undefined;
+let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon";
 in { "root" = key; "vagrant" = key; }
diff --git a/morph/lib/customize-issuer.nix b/morph/lib/customize-issuer.nix
index 28edb72e7e0b74879e9e676113c327f50b040d40..1c0d668fbd4ae59bab115c2116b7fa377395dcfc 100644
--- a/morph/lib/customize-issuer.nix
+++ b/morph/lib/customize-issuer.nix
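Review bot: `let key = "ssh-ed25519 … exarkun@baryon";` replaces the `undefined` placeholder, so the committed file now grants one developer's key `root` and `vagrant` login on every deployment of the local grid, instead of failing evaluation until the deployer supplies their own key as the comment above instructs. A public key is not a secret, but an entry in an authorized-keys list is an access grant, and the checked-in default no longer matches the "Add your public key" instruction. Either restore `let key = undefined;` and keep the personal key in a local, untracked override, or change the comment to say that the committed key is the intended default for `localdev` and describe how to replace it. The first `-`/`+` pair on this hunk differs only in trailing whitespace and is fine.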
@@ -1,23 +1,15 @@
 # Define a function which returns a value which fills in all the holes left by
 # ``issuer.nix``.
 {
-  # A path on the deployment system to a file containing the Ristretto signing
-  # key. This is used as the source of the Ristretto signing key morph
-  # secret.
-  ristrettoSigningKeyPath
+  # A path on the deployment system of a directory containing all of the
+  # public keys for the system. For example, this holds Wireguard public keys
+  # for the VPN configuration and SSH public keys to configure SSH
+  # authentication.
+  publicKeyPath
 
-  # A path on the deployment system to a file containing the Stripe secret
-  # key. This is used as the source of the Stripe secret key morph secret.
-, stripeSecretKeyPath
-
-  # A path on the deployment system to a directory containing a number of
-  # VPN-related secrets. This is expected to contain a number of files named
-  # like ``<VPN IPv4 address>.key`` containing the VPN private key for the
-  # corresponding host. It must also contain ``server.pub`` and
-  # ``preshared.key`` holding the VPN server's public key and the pre-shared
-  # key, respectively. All of these things are used as the sources of various
-  # VPN-related morph secrets.
-, monitoringvpnKeyDir
+  # A path on the deployment system of a directory containing all of the
+  # corresponding private keys for the system.
+, privateKeyPath
 
   # A string giving the IP address and port number (":"-separated) of the VPN
   # server.
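Review bot: The new `privateKeyPath` and `publicKeyPath` parameter comments describe the directories only as "all of the public keys" and "the corresponding private keys", yet the library now hard-codes a fixed layout beneath them (`ristretto.signing-key`, `stripe.secret`, `monitoringvpn/<VPN IPv4 address>.key`, `monitoringvpn/preshared.key` under the private path; `monitoringvpn/server.pub` and the per-client `.pub` files under the public path), and customize-monitoring.nix and customize-storage.nix refer readers here with "See ``customize-issuer.nix``". Since this is the one place a deployer is told what the directories must contain, the parameter comments should name that layout rather than leaving it to be reverse-engineered from the `deployment.secrets` blocks in three files. A two-sentence addition to each comment listing the expected relative paths would cover it. The parameter set this hunk belongs to continues past the hunk.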
@@ -63,10 +55,24 @@
 
   deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
   deployment.secrets = {
-    "ristretto-signing-key".source = ristrettoSigningKeyPath;
-    "stripe-secret-key".source = stripeSecretKeyPath;
-    "monitoringvpn-secret-key".source = "${monitoringvpnKeyDir}/${monitoringvpnIPv4}.key";
-    "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
+    # A path on the deployment system to a file containing the Ristretto
+    # signing key. This is used as the source of the Ristretto signing key
+    # morph secret.
+    "ristretto-signing-key".source = "${privateKeyPath}/ristretto.signing-key";
+
+    # A path on the deployment system to a file containing the Stripe secret
+    # key. This is used as the source of the Stripe secret key morph secret.
+    "stripe-secret-key".source = "${privateKeyPath}/stripe.secret";
+
+    # ``.../monitoringvpn`` is a path on the deployment system of a directory
+    # containing a number of VPN-related secrets. This is expected to contain
+    # a number of files named like ``<VPN IPv4 address>.key`` containing the
+    # VPN private key for the corresponding host. It must also contain
+    # ``server.pub`` and ``preshared.key`` holding the VPN server's public key
+    # and the pre-shared key, respectively. All of these things are used as
+    # the sources of various VPN-related morph secrets.
+    "monitoringvpn-secret-key".source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
+    "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
   };
 
   networking.domain = domain;
@@ -76,7 +82,7 @@
     enable = true;
     ip = monitoringvpnIPv4;
     endpoint = monitoringvpnEndpoint;
-    endpointPublicKeyFile = "${monitoringvpnKeyDir}/server.pub";
+    endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
   };
 
   services.private-storage-issuer = {
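Review bot: The comment moved above `"monitoringvpn-secret-key"` is now wrong about `server.pub`: it says the private `monitoringvpn` directory "must also contain ``server.pub`` and ``preshared.key``", but the second hunk on this line reads the server key from `${publicKeyPath}/monitoringvpn/server.pub`, and the renames in this commit move `server.pub` under `public-keys/`, not `private-keys/`. A deployer following the comment would copy a public key into the private-key tree and still get a missing-file error from the `endpointPublicKeyFile` path. Suggest rewording those two lines to `# corresponding host. It must also contain ``preshared.key`` holding the` / `# pre-shared key; the server's ``server.pub`` lives under ``${publicKeyPath}/monitoringvpn``.` The same stale wording does not appear in customize-storage.nix, whose secrets hunk has no comment.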
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index c50eb5062b35480d0b3d296cfaea8abd999f36c5..f77d26bd817ebb556c1d22d01e290d2838ab9485 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -9,7 +9,8 @@
   hostsMap
 
   # See ``customize-issuer.nix``.
-, monitoringvpnKeyDir
+, publicKeyPath
+, privateKeyPath
 , monitoringvpnIPv4
 
 , domain
@@ -34,8 +35,8 @@
 
   deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
   deployment.secrets = {
-    "monitoringvpn-private-key".source = "${monitoringvpnKeyDir}/server.key";
-    "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
+    "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
+    "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
   };
 
   networking.domain = domain;
@@ -45,7 +46,7 @@
     enable = true;
     ip = monitoringvpnIPv4;
     inherit vpnClientIPs;
-    pubKeysPath = monitoringvpnKeyDir;
+    pubKeysPath = "${publicKeyPath}/monitoringvpn";
   };
 
   services.private-storage.monitoring.prometheus = {
diff --git a/morph/lib/customize-storage.nix b/morph/lib/customize-storage.nix
index 0a08743633126b5898e61a877e62a7b58314b34e..68655874efd9ba39b52dacfdddaedb54863ed769 100644
--- a/morph/lib/customize-storage.nix
+++ b/morph/lib/customize-storage.nix
@@ -2,8 +2,8 @@
 # ``storage.nix``.
 {
   # See ``customize-issuer.nix``
-  ristrettoSigningKeyPath
-, monitoringvpnKeyDir
+  privateKeyPath
+, publicKeyPath
 , monitoringvpnEndpoint
 , monitoringvpnIPv4
 , sshUsers
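Review bot: In the customize-storage.nix parameter hunk the two new parameters are listed as `privateKeyPath` then `publicKeyPath`, the reverse of the order used in customize-issuer.nix and in the customize-monitoring.nix hunk on this same line; the set-pattern makes order irrelevant to Nix, but the comment above them says "See ``customize-issuer.nix``", so matching that file's order makes the cross-reference easier to follow. Suggest `  publicKeyPath` / `, privateKeyPath`. The parameter set continues past the hunk.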
@@ -25,9 +25,9 @@
 
   deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
   deployment.secrets = {
-    "ristretto-signing-key".source = ristrettoSigningKeyPath;
-    "monitoringvpn-secret-key".source = "${monitoringvpnKeyDir}/${monitoringvpnIPv4}.key";
-    "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
+    "ristretto-signing-key".source = "${privateKeyPath}/ristretto.signing-key";
+    "monitoringvpn-secret-key".source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
+    "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
   };
 
   networking.domain = domain;
@@ -40,7 +40,7 @@
     enable = true;
     ip = monitoringvpnIPv4;
     endpoint = monitoringvpnEndpoint;
-    endpointPublicKeyFile = "${monitoringvpnKeyDir}/server.pub";
+    endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
   };
 
   system.stateVersion = stateVersion;