From d39d3496055d631a347b5dd54f36bcf09739b645 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Wed, 19 May 2021 21:33:37 +0000
Subject: [PATCH] Move secret key file locations into config.json

---
 morph/grid/local/config.json | 2 ++
 morph/lib/make-issuer.nix | 6 ++++--
 morph/lib/make-monitoring.nix | 17 ++++++++++++++---
 morph/lib/make-testing.nix | 16 +++++++++++++---
 4 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 56184fbc..f4273dc5 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -1,6 +1,8 @@
 { "publicStoragePort": 8898
 , "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "../../PrivateStorageSecrets/privatestorageio-testing-stripe.secret"
+, "monitoringvpnSecretKeyPath": "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key"
+, "monitoringvpnPresharedKeyPath" : "../../PrivateStorageSecrets/monitoringvpn/preshared.key"
 , "passValue": 1000000
 , "issuerDomain": "payments.localdev"
 , "letsEncryptAdminEmail": "florian@privatestorage.io"
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index e241b917..82b19484 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -1,6 +1,8 @@
 { hardware
 , ristrettoSigningKeyPath
 , stripeSecretKeyPath
+, monitoringvpnSecretKeyPath
+, monitoringvpnPresharedKeyPath
 , issuerDomain
 , letsEncryptAdminEmail
 , allowedChargeOrigins
@@ -31,7 +33,7 @@
 action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
 };
 "monitoringvpn-secret-key" = {
- source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
+ source = monitoringvpnSecretKeyPath;
 destination = "/run/keys/monitoringvpn/client.key";
 owner.user = "root";
 owner.group = "root";
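Review bot: The new `monitoringvpnSecretKeyPath` value in config.json still contains `${monitoringvpnIPv4}`, which was Nix string interpolation in the .nix sources this patch replaces; inside a JSON string literal those characters are just text, so unless whatever loads config.json substitutes it (nothing in this patch does), the issuer and testing hosts will look for a file literally named `${monitoringvpnIPv4}.key` under `monitoringvpn/` and secret deployment fails. Either write the concrete per-host file name into config.json, or keep building the path in Nix from `monitoringvpnIPv4`, which make-issuer.nix and make-testing.nix still receive as a parameter. The hunks in make-issuer.nix and make-testing.nix that switch `source` to `monitoringvpnSecretKeyPath` are the consumers of this value. Separately, the space before the colon in `"monitoringvpnPresharedKeyPath" :` is inconsistent with every other key in the file.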
@@ -39,7 +41,7 @@
 action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
 };
 "monitoringvpn-preshared-key" = {
- source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+ source = monitoringvpnPresharedKeyPath;
 destination = "/run/keys/monitoringvpn/preshared.key";
 owner.user = "root";
 owner.group = "root";
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
index 2a2cde3d..464b0218 100644
--- a/morph/lib/make-monitoring.nix
+++ b/morph/lib/make-monitoring.nix
@@ -1,11 +1,22 @@
-{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, monitoringvpnIPv4, vpnClientIPs, ... }: rec {
+{ publicIPv4
+, hardware
+, publicStoragePort
+, ristrettoSigningKeyPath
+, monitoringvpnSecretKeyPath
+, monitoringvpnPresharedKeyPath
+, passValue
+, sshUsers
+, stateVersion
+, monitoringvpnIPv4
+, vpnClientIPs
+, ... }: rec {
 deployment = {
 targetHost = publicIPv4;
 secrets = {
 "monitoringvpn-private-key" = {
- source = "../../PrivateStorageSecrets/monitoringvpn/server.key";
+ source = monitoringvpnSecretKeyPath;
 destination = "/run/keys/monitoringvpn/server.key";
 owner.user = "root";
 owner.group = "root";
@@ -21,7 +32,7 @@
 action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
 };
 "monitoringvpn-preshared-key" = {
- source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+ source = monitoringvpnPresharedKeyPath;
 destination = "/run/keys/monitoringvpn/preshared.key";
 owner.user = "root";
 owner.group = "root";
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index c96a51c2..7cd3c80a 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
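Review bot: In the make-monitoring.nix `@@ -1,11 +1,22 @@` hunk the `monitoringvpn-private-key` secret now takes its `source` from `monitoringvpnSecretKeyPath`, the same config key that make-issuer.nix and make-testing.nix use for their client keys, whereas before this file read `server.key` and the clients read `${monitoringvpnIPv4}.key`. If, as the single `morph/grid/local/config.json` suggests, one config value is shared by every host in the grid, the monitoring server and each client would be deployed with the same WireGuard private key file, which defeats per-peer identity on the VPN; if the config is instead meant to be per host, that contract is not stated anywhere in the patch. A distinct server-side key such as `monitoringvpnServerKeyPath`, or keeping the old `server.key` source here, would avoid the collision. The enclosing `deployment.secrets` attribute set continues outside the hunk.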
@@ -1,4 +1,14 @@
-{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, monitoringvpnIPv4, ... }: rec {
+{ publicIPv4
+, hardware
+, publicStoragePort
+, ristrettoSigningKeyPath
+, monitoringvpnSecretKeyPath
+, monitoringvpnPresharedKeyPath
+, passValue
+, sshUsers
+, stateVersion
+, monitoringvpnIPv4
+, ... }: rec {
 deployment = {
 targetHost = publicIPv4;
@@ -16,7 +26,7 @@
 action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
 };
 "monitoringvpn-secret-key" = {
- source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
+ source = monitoringvpnSecretKeyPath;
 destination = "/run/keys/monitoringvpn/client.key";
 owner.user = "root";
 owner.group = "root";
@@ -24,7 +34,7 @@
 action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
 };
 "monitoringvpn-preshared-key" = {
- source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+ source = monitoringvpnPresharedKeyPath;
 destination = "/run/keys/monitoringvpn/preshared.key";
 owner.user = "root";
 owner.group = "root";
-- 
GitLab