Move keys around

Jean-Paul Calderone requested to merge move-keys-around into develop

Pulled out of !112 (closed)

Every value referenced by our Nix expressions must be present in order to build our morph network. This includes public keys. Previously public keys and private keys were held in the same directory, "secrets". This made it difficult to give CI only the public keys. This splits public and private keys into separate directories.

Fortunately it is easy to keep the key generation script working even with this split as it already had to specify paths where every single key it generated would be written. Hopefully that means this split won't make things unreasonably difficult to maintain going forward. We'll see I guess!

For now what this does is clear the path for running morph build in a GitLab CI job which in turn populates our new nix binary cache which in turn makes it possible for all of our hosts to only download software when they are asked to update themselves (rather than having to compile any of it). That allows some of our smaller hosts to successfully update themselves which gets us one step closer to a system where CD just tells systems to update themselves at the appropriate time without creating any new obvious weaknesses in the security of our systems.
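Added example, not part of this merge request or the project's own scripts: a check a CI job could run on the split described above to confirm that no private key material ended up in the tree CI is given. The directory names `public-keys` and `secrets` and the sample key files are assumptions constructed here, not taken from the repository.

```python
import tempfile
from pathlib import Path

# Markers identifying private key material (PEM and OpenSSH encodings).
PRIVATE_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",  # PKCS#8, unencrypted
)
# Markers identifying public key material (PEM and OpenSSH one-line form).
PUBLIC_MARKERS = (b"-----BEGIN PUBLIC KEY-----", b"ssh-ed25519 ", b"ssh-rsa ")

def classify(data: bytes) -> str:
    """Return 'private', 'public' or 'unknown' for one file's contents."""
    if any(m in data for m in PRIVATE_MARKERS):
        return "private"  # checked first: a file holding both halves is private
    if any(m in data for m in PUBLIC_MARKERS):
        return "public"
    return "unknown"

def find_misplaced(public_dir: Path, private_dir: Path) -> dict:
    """Report files breaking the split. 'private_in_public' is the dangerous case
    (a secret visible to CI); 'public_in_private' only makes the CI build fail."""
    report = {"private_in_public": [], "public_in_private": []}
    for path in sorted(public_dir.rglob("*")):
        if path.is_file() and classify(path.read_bytes()) == "private":
            report["private_in_public"].append(str(path.relative_to(public_dir)))
    for path in sorted(private_dir.rglob("*")):
        if path.is_file() and classify(path.read_bytes()) == "public":
            report["public_in_private"].append(str(path.relative_to(private_dir)))
    return report

def demo() -> dict:
    """Constructed layout (assumed names, placeholder key bodies): one private key copied into the public tree by mistake."""
    root = Path(tempfile.mkdtemp())
    pub, sec = root / "public-keys", root / "secrets"
    (pub / "hosts").mkdir(parents=True)
    sec.mkdir()
    (pub / "hosts" / "web.pub").write_bytes(b"ssh-ed25519 AAAAC3Nz<constructed> web\n")
    (sec / "web").write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\n<constructed>\n-----END OPENSSH PRIVATE KEY-----\n")
    (pub / "hosts" / "db").write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\n<constructed>\n-----END OPENSSH PRIVATE KEY-----\n")
    return find_misplaced(pub, sec)
```

Running `demo()` reports `hosts/db` under `private_in_public`; a CI job would fail the pipeline on any non-empty entry there before the key tree is checked out for a build.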