# A function producing the host-specific attribute set that supplies the values
# ``issuer.nix`` leaves open: secret sources, VPN client settings, SSH users and
# the issuer service configuration.
#
# Secret material is handed to morph through ``deployment.secrets`` so that
# the files are read from the deployment host and uploaded out of band,
# rather than being referenced as (world-readable) Nix store paths.  Only the
# ``source`` side of each secret is given here; the on-target ``destination``,
# owner and permissions are presumably set by ``issuer.nix`` — confirm when
# changing either file.
{
  # Path on the deployment host to the file holding the Ristretto signing
  # key.  Becomes the ``source`` of the ``ristretto-signing-key`` secret.
  ristrettoSigningKeyPath

  # Path on the deployment host to the file holding the Stripe secret key.
  # Becomes the ``source`` of the ``stripe-secret-key`` secret.
, stripeSecretKeyPath

  # Path on the deployment host to a directory of VPN secrets.  It must contain:
  #   * ``<VPN IPv4 address>.key`` — the VPN private key of the host with
  #     that address (this system's own key is selected by
  #     ``monitoringvpnIPv4``);
  #   * ``server.pub``             — the VPN server's public key;
  #   * ``preshared.key``          — the pre-shared key.
  # ``<ip>.key`` and ``preshared.key`` are uploaded as morph secrets;
  # ``server.pub`` is handed to the VPN client module as a file path.
, monitoringvpnKeyDir

  # ``host:port`` string (":"-separated) of the VPN server.
, monitoringvpnEndpoint

  # This system's VPN IPv4 address, as a string.  Also used to pick this
  # system's private key file out of ``monitoringvpnKeyDir`` (see above).
, monitoringvpnIPv4

  # Attribute set mapping usernames (strings) to SSH public keys (strings).
  # Each entry yields a user on the system with that key as an authorized key.
, sshUsers

  # Email address used for Let's Encrypt registration and issuance.
, letsEncryptAdminEmail

  # List of domain names (strings) that point at this issuer; all of them are
  # included in the Let's Encrypt certificate.
, issuerDomains

  # List of CORS Origin strings the issuer will be configured to allow.
, allowedChargeOrigins

  # Any further module arguments are accepted and ignored.
, ...
}:

let
  # The three files under ``monitoringvpnKeyDir`` this host needs.
  vpnPrivateKeyFile = "${monitoringvpnKeyDir}/${monitoringvpnIPv4}.key";
  vpnPresharedKeyFile = "${monitoringvpnKeyDir}/preshared.key";
  vpnServerPublicKeyFile = "${monitoringvpnKeyDir}/server.pub";
in
{
  # Where morph reads each secret on the deployment host.  The remaining
  # per-secret options (destination, owner, permissions) are not set here.
  deployment.secrets = {
    "ristretto-signing-key".source = ristrettoSigningKeyPath;
    "stripe-secret-key".source = stripeSecretKeyPath;
    "monitoringvpn-secret-key".source = vpnPrivateKeyFile;
    "monitoringvpn-preshared-key".source = vpnPresharedKeyFile;
  };

  services = {
    private-storage = {
      sshUsers = sshUsers;

      # VPN client towards the monitoring server.  The server's public key is
      # not a secret and is passed as a plain file path rather than via
      # ``deployment.secrets``.
      monitoring.vpn.client = {
        enable = true;
        ip = monitoringvpnIPv4;
        endpoint = monitoringvpnEndpoint;
        endpointPublicKeyFile = vpnServerPublicKeyFile;
      };
    };

    private-storage-issuer = {
      letsEncryptAdminEmail = letsEncryptAdminEmail;
      allowedChargeOrigins = allowedChargeOrigins;
      domains = issuerDomains;
    };
  };

  # NixOS release the state of this system was first created with.  Leave as
  # is for existing deployments; it only affects defaults for stateful data.
  system.stateVersion = "19.03";
}