# This contains all of the NixOS system configuration necessary to specify an
# "issuer"-type system.
{ lib, config, ...}:
let
inherit (config.grid) privateKeyPath;
inherit (config.grid.issuer) issuerDomains allowedChargeOrigins;
in {
imports = [
./monitored-node.nix
];
options.grid.issuer = {
issuerDomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
A list of strings giving the domain names that point at this issuer
system. These will all be included in Let's Encrypt certificate.
'';
};
allowedChargeOrigins = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
A list of strings giving CORS Origins will the issuer will be configured
to allow.
'';
};
};
config = {
deployment = {
secrets = {
"ristretto-signing-key" = {
destination = "/run/keys/ristretto.signing-key";
source = "${privateKeyPath}/ristretto.signing-key";
owner.user = "zkapissuer";
owner.group = "zkapissuer";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
};
"stripe-secret-key" = {
destination = "/run/keys/stripe.secret-key";
source = "${privateKeyPath}/stripe.secret";
owner.user = "zkapissuer";
owner.group = "zkapissuer";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
};
};
};
services.private-storage-issuer = {
enable = true;
tls = true;
ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
stripeSecretKeyPath = config.deployment.secrets.stripe-secret-key.destination;
database = "SQLite3";
databasePath = "${config.fileSystems."zkapissuer-data".mountPoint}/vouchers.sqlite3";
inherit (config.grid) letsEncryptAdminEmail;
inherit allowedChargeOrigins;
domains = issuerDomains;
};
system.stateVersion = "19.03";
};
}