Add morph for the PaymentServer deployment

0c7c27ac · Jean-Paul Calderone · 3ce91e7f · 0c7c27ac · 0c7c27ac · 0c7c27ac
Commit 0c7c27ac authored 5 years ago by Jean-Paul Calderone
--- a/morph/grid.nix
+++ b/morph/grid.nix
@@ -16,6 +16,11 @@ import ./make-grid.nix {
    # doesn't specify one.
    #
    # The names must be unique!
+    "issuer" = import ./issuer.nix ({
+      hardware = ./issuer-aws.nix;
+      stateVersion = "19.03";
+    } // cfg);
+
    "storage001" = import ./make-storage.nix ({
        cfg = import ./storage001-config.nix;
        hardware = ./storage001-hardware.nix;

--- a/morph/issuer-aws.nix
+++ b/morph/issuer-aws.nix
+{
+  imports = [ <nixpkgs/nixos/modules/virtualisation/amazon-image.nix> ];
+  ec2.hvm = true;
+}
--- a/morph/issuer.nix
+++ b/morph/issuer.nix
+{ hardware
+, ristrettoSigningKeyPath
+, stateVersion
+, ...
+}: {
+  deployment = {
+    secrets = {
+      "ristretto-signing-key" = {
+        source = ristrettoSigningKeyPath;
+        destination = "/var/secrets/ristretto.signing-key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
+      };
+    };
+  };
+
+  imports = [
+    hardware
+    ../nixos/modules/issuer.nix
+  ];
+
+  services.private-storage-issuer = {
+    enable = true;
+    # XXX This should be passed as a path.
+    ristrettoSigningKey = builtins.readFile (./.. + ristrettoSigningKeyPath);
+    database = "SQLite3";
+    databasePath = "/var/db/vouchers.sqlite3";
+  };
+
+  system.stateVersion = stateVersion;
+}
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -17,7 +17,7 @@ in {
    };
    services.private-storage-issuer.issuer = lib.mkOption {
      default = "Ristretto";
-      type = lib.types.str;
+      type = lib.types.enum [ " Trivial" "Ristretto" ];
      example = lib.literalExample "Trivial";
      description = ''
        The issuer algorithm to use.  Either Trivial for a fake no-crypto
@@ -32,6 +32,21 @@ in {
        ``Ristretto``.
      '';
    };
+    services.private-storage-issuer.database = lib.mkOption {
+      default = "Memory";
+      type = lib.types.enum [ "Memory" "SQLite3" ];
+      description = ''
+        The kind of voucher database to use.
+      '';
+    };
+    services.private-storage-issuer.databasePath = lib.mkOption {
+      default = null;
+      type = lib.types.str;
+      description = ''
+        The path to a database file in the filesystem, if the SQLite3 database
+        type is being used.
+      '';
+    };
  };

  config = lib.mkIf cfg.enable {
@@ -47,12 +62,16 @@ in {
          let
            # Compute the right command line arguments to pass to it.  The
            # signing key is only supplied when using the Ristretto issuer.
-            args =
+            issuerArgs =
              if cfg.issuer == "Trivial"
                then "--issuer Trivial"
                else "--issuer Ristretto --signing-key ${cfg.ristrettoSigningKey}";
+            databaseArgs =
+              if cfg.database == "Memory"
+                then "--database Memory"
+                else "--database SQLite3 --database-path ${cfg.databasePath}";
          in
-            "${cfg.package}/bin/PaymentServer-exe ${args}";
+            "${cfg.package}/bin/PaymentServer-exe ${issuerArgs} ${databaseArgs}";
        Type = "simple";
        # It really shouldn't ever exit on its own!  If it does, it's a bug
        # we'll have to fix.  Restart it and hope it doesn't happen too much