From 4de9d2f317c196f0794d9283648ab455a7896d7e Mon Sep 17 00:00:00 2001
From: Tom Prince <tom.prince@private.storage>
Date: Thu, 2 Sep 2021 22:23:59 -0600
Subject: [PATCH] Make `publicKeyPath`/`privateKeyPath` into settings.
---
morph/grid/local/grid.nix | 29 +++++++++++++++--------------
morph/grid/production/grid.nix | 27 ++++++++++++++-------------
morph/grid/testing/grid.nix | 27 ++++++++++++++-------------
morph/lib/base.nix | 21 +++++++++++++++++++++
morph/lib/customize-issuer.nix | 26 +++++---------------------
morph/lib/customize-monitoring.nix | 7 ++++---
morph/lib/customize-storage.nix | 10 +++++-----
morph/lib/default.nix | 4 ++++
morph/lib/issuer.nix | 6 +++++-
morph/lib/storage.nix | 5 ++++-
10 files changed, 91 insertions(+), 71 deletions(-)
create mode 100644 morph/lib/base.nix
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 19fc3cfd..c8c27477 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -2,26 +2,27 @@ let
pkgs = import <nixpkgs> { };
gridlib = import ../../lib;
- rawConfig = pkgs.lib.trivial.importJSON ./config.json;
- config = rawConfig // {
- # Convert relative paths to absolute so library code can resolve names
- # correctly.
- publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
- privateKeyPath = toString ./. + "/${rawConfig.privateKeyPath}";
- };
+ grid-config = pkgs.lib.trivial.importJSON ./config.json;
# Module with per-grid configuration
- grid-module = {
+ grid-module = {config, ...}: {
imports = [
+ gridlib.base
# Allow us to remotely trigger updates to this system.
../../../nixos/modules/deployment.nix
# Give it a good SSH configuration.
../../../nixos/modules/ssh.nix
];
services.private-storage.sshUsers = import ./public-keys/users.nix;
+ # Convert relative paths to absolute so library code can resolve names
+ # correctly.
+ grid = {
+ publicKeyPath = toString ./. + "/${grid-config.publicKeyPath}";
+ privateKeyPath = toString ./. + "/${grid-config.privateKeyPath}";
+ };
# Configure deployment management authorization for all systems in the grid.
services.private-storage.deployment = {
- authorizedKey = builtins.readFile "${config.publicKeyPath}/deploy_key.pub";
+ authorizedKey = builtins.readFile "${config.grid.publicKeyPath}/deploy_key.pub";
gridName = "local";
};
};
@@ -30,7 +31,7 @@ let
imports = [
gridlib.issuer
(gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.21"; }))
- (gridlib.customize-issuer (config // {
+ (gridlib.customize-issuer (grid-config // {
monitoringvpnIPv4 = "172.23.23.11";
}))
grid-module
@@ -41,7 +42,7 @@ let
imports = [
gridlib.storage
(gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.22"; }))
- (gridlib.customize-storage (config // {
+ (gridlib.customize-storage (grid-config // {
monitoringvpnIPv4 = "172.23.23.12";
stateVersion = "19.09";
}))
@@ -53,7 +54,7 @@ let
imports = [
gridlib.storage
(gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.23"; }))
- (gridlib.customize-storage (config // {
+ (gridlib.customize-storage (grid-config // {
monitoringvpnIPv4 = "172.23.23.13";
stateVersion = "19.09";
}))
@@ -67,8 +68,8 @@ let
(gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.24"; }))
(gridlib.customize-monitoring {
inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
- inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
- googleOAuthClientID = config.monitoringGoogleOAuthClientID;
+ inherit (grid-config) domain letsEncryptAdminEmail;
+ googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
monitoringvpnIPv4 = "172.23.23.1";
stateVersion = "19.09";
})
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index 4578218b..91eec738 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -3,26 +3,27 @@ let
pkgs = import <nixpkgs> { };
gridlib = import ../../lib;
- rawConfig = pkgs.lib.trivial.importJSON ./config.json;
- config = rawConfig // {
- # Convert relative paths to absolute so library code can resolve names
- # correctly.
- publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
- privateKeyPath = toString ./. + "/${rawConfig.privateKeyPath}";
- };
+ grid-config = pkgs.lib.trivial.importJSON ./config.json;
# Module with per-grid configuration
- grid-module = {
+ grid-module = {config, ...}: {
imports = [
+ gridlib.base
# Allow us to remotely trigger updates to this system.
../../../nixos/modules/deployment.nix
# Give it a good SSH configuration.
../../../nixos/modules/ssh.nix
];
services.private-storage.sshUsers = import ./public-keys/users.nix;
+ # Convert relative paths to absolute so library code can resolve names
+ # correctly.
+ grid = {
+ publicKeyPath = toString ./. + "/${grid-config.publicKeyPath}";
+ privateKeyPath = toString ./. + "/${grid-config.privateKeyPath}";
+ };
# Configure deployment management authorization for all systems in the grid.
services.private-storage.deployment = {
- authorizedKey = builtins.readFile "${config.publicKeyPath}/deploy_key.pub";
+ authorizedKey = builtins.readFile "${config.grid.publicKeyPath}/deploy_key.pub";
gridName = "production";
};
};
@@ -31,7 +32,7 @@ let
imports = [
gridlib.issuer
gridlib.hardware-aws
- (gridlib.customize-issuer (config // {
+ (gridlib.customize-issuer (grid-config // {
monitoringvpnIPv4 = "172.23.23.11";
}))
grid-module
@@ -44,8 +45,8 @@ let
gridlib.hardware-aws
(gridlib.customize-monitoring {
inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
- inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
- googleOAuthClientID = config.monitoringGoogleOAuthClientID;
+ inherit (grid-config) domain letsEncryptAdminEmail;
+ googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
monitoringvpnIPv4 = "172.23.23.1";
stateVersion = "19.09";
})
@@ -71,7 +72,7 @@ let
gridlib.storage
# Then customize the storage system a little bit based on this node's particulars.
- (gridlib.customize-storage (config // nodecfg // {
+ (gridlib.customize-storage (grid-config // nodecfg // {
monitoringvpnIPv4 = vpnIP;
inherit stateVersion;
}))
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index 9997463f..3e15e513 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -3,26 +3,27 @@ let
pkgs = import <nixpkgs> { };
gridlib = import ../../lib;
- rawConfig = pkgs.lib.trivial.importJSON ./config.json;
- config = rawConfig // {
- # Convert relative paths to absolute so library code can resolve names
- # correctly.
- publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
- privateKeyPath = toString ./. + "/${rawConfig.privateKeyPath}";
- };
+ grid-config = pkgs.lib.trivial.importJSON ./config.json;
# Module with per-grid configuration
- grid-module = {
+ grid-module = {config, ...}: {
imports = [
+ gridlib.base
# Allow us to remotely trigger updates to this system.
../../../nixos/modules/deployment.nix
# Give it a good SSH configuration.
../../../nixos/modules/ssh.nix
];
services.private-storage.sshUsers = import ./public-keys/users.nix;
+ # Convert relative paths to absolute so library code can resolve names
+ # correctly.
+ grid = {
+ publicKeyPath = toString ./. + "/${grid-config.publicKeyPath}";
+ privateKeyPath = toString ./. + "/${grid-config.privateKeyPath}";
+ };
# Configure deployment management authorization for all systems in the grid.
services.private-storage.deployment = {
- authorizedKey = builtins.readFile "${config.publicKeyPath}/deploy_key.pub";
+ authorizedKey = builtins.readFile "${config.grid.publicKeyPath}/deploy_key.pub";
gridName = "testing";
};
};
@@ -31,7 +32,7 @@ let
imports = [
gridlib.issuer
gridlib.hardware-aws
- (gridlib.customize-issuer (config // {
+ (gridlib.customize-issuer (grid-config // {
monitoringvpnIPv4 = "172.23.23.11";
}))
grid-module
@@ -43,7 +44,7 @@ let
gridlib.storage
gridlib.hardware-aws
./testing001-hardware.nix
- (gridlib.customize-storage (config // {
+ (gridlib.customize-storage (grid-config // {
monitoringvpnIPv4 = "172.23.23.12";
stateVersion = "19.03";
}))
@@ -57,8 +58,8 @@ let
gridlib.hardware-aws
(gridlib.customize-monitoring {
inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
- inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
- googleOAuthClientID = config.monitoringGoogleOAuthClientID;
+ inherit (grid-config) domain letsEncryptAdminEmail;
+ googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
monitoringvpnIPv4 = "172.23.23.1";
stateVersion = "19.09";
})
diff --git a/morph/lib/base.nix b/morph/lib/base.nix
new file mode 100644
index 00000000..35f1182b
--- /dev/null
+++ b/morph/lib/base.nix
@@ -0,0 +1,21 @@
+{ lib, config, ...}:
+{
+ options.grid = {
+ publicKeyPath = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ A path on the deployment system of a directory containing all of the
+ public keys for the system. For example, this holds Wireguard public keys
+ for the VPN configuration and SSH public keys to configure SSH
+ authentication.
+ '';
+ };
+ privateKeyPath = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ A path on the deployment system of a directory containing all of the
+ corresponding private keys for the system.
+ '';
+ };
+ };
+}
diff --git a/morph/lib/customize-issuer.nix b/morph/lib/customize-issuer.nix
index ea5b31fe..4e0872b1 100644
--- a/morph/lib/customize-issuer.nix
+++ b/morph/lib/customize-issuer.nix
@@ -1,19 +1,9 @@
# Define a function which returns a value which fills in all the holes left by
# ``issuer.nix``.
{
- # A path on the deployment system of a directory containing all of the
- # public keys for the system. For example, this holds Wireguard public keys
- # for the VPN configuration and SSH public keys to configure SSH
- # authentication.
- publicKeyPath
-
- # A path on the deployment system of a directory containing all of the
- # corresponding private keys for the system.
-, privateKeyPath
-
# A string giving the IP address and port number (":"-separated) of the VPN
# server.
-, monitoringvpnEndpoint
+ monitoringvpnEndpoint
# A string giving the VPN IPv4 address for this system.
, monitoringvpnIPv4
@@ -39,7 +29,10 @@
, allowedChargeOrigins
, ...
}:
-{ config, ... }: {
+{ config, ... }:
+let
+ inherit (config.grid) publicKeyPath privateKeyPath;
+in {
# The morph default deployment target the name of the node in the network
# attrset. We don't always want to give the node its proper public address
# there (because it depends on which domain is associated with the grid
@@ -49,15 +42,6 @@
deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
deployment.secrets = {
- # A path on the deployment system to a file containing the Ristretto
- # signing key. This is used as the source of the Ristretto signing key
- # morph secret.
- "ristretto-signing-key".source = "${privateKeyPath}/ristretto.signing-key";
-
- # A path on the deployment system to a file containing the Stripe secret
- # key. This is used as the source of the Stripe secret key morph secret.
- "stripe-secret-key".source = "${privateKeyPath}/stripe.secret";
-
# ``.../monitoringvpn`` is a path on the deployment system of a directory
# containing a number of VPN-related secrets. This is expected to contain
# a number of files named like ``<VPN IPv4 address>.key`` containing the
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index f5b820a2..324f99f2 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -9,8 +9,6 @@
hostsMap
# See ``customize-issuer.nix``.
-, publicKeyPath
-, privateKeyPath
, monitoringvpnIPv4
, domain
, letsEncryptAdminEmail
@@ -39,7 +37,10 @@
, stateVersion
, ...
}:
-{ config, ... }: {
+{ config, ... }:
+let
+ inherit (config.grid) publicKeyPath privateKeyPath;
+in {
# See customize-issuer.nix for an explanatoin of targetHost value.
deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
diff --git a/morph/lib/customize-storage.nix b/morph/lib/customize-storage.nix
index 6ec84316..be4c2a93 100644
--- a/morph/lib/customize-storage.nix
+++ b/morph/lib/customize-storage.nix
@@ -2,9 +2,7 @@
# ``storage.nix``.
{
# See ``customize-issuer.nix``
- privateKeyPath
-, publicKeyPath
-, monitoringvpnEndpoint
+ monitoringvpnEndpoint
, monitoringvpnIPv4
, domain
@@ -19,12 +17,14 @@
, stateVersion
, ...
}:
-{ config, ... }: {
+{ config, ... }:
+let
+ inherit (config.grid) publicKeyPath privateKeyPath;
+in {
# See customize-issuer.nix for an explanatoin of targetHost value.
deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
deployment.secrets = {
- "ristretto-signing-key".source = "${privateKeyPath}/ristretto.signing-key";
"monitoringvpn-secret-key".source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
"monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
};
diff --git a/morph/lib/default.nix b/morph/lib/default.nix
index bdd92f4b..bf25e5a5 100644
--- a/morph/lib/default.nix
+++ b/morph/lib/default.nix
@@ -2,6 +2,8 @@
# coherent public interface. Application code should prefer these names over
# directly importing the source files in this directory.
{
+ base = import ./base.nix;
+
hardware-aws = import ./issuer-aws.nix;
hardware-virtual = import ./hardware-virtual.nix;
@@ -13,4 +15,6 @@
monitoring = import ./monitoring.nix;
customize-monitoring = import ./customize-monitoring.nix;
+
+ modules = builtins.toString ../../nixos/modules;
}
diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index 74db99bb..5c348280 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -5,11 +5,14 @@
# into a more complete system configuration. It is expected that the holes
# will be filled by a sibling module created by ``customize-issuer.nix``.
{ config, ...}:
-{
+let
+ inherit (config.grid) publicKeyPath privateKeyPath;
+in {
deployment = {
secrets = {
"ristretto-signing-key" = {
destination = "/run/keys/ristretto.signing-key";
+ source = "${privateKeyPath}/ristretto.signing-key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
@@ -17,6 +20,7 @@
};
"stripe-secret-key" = {
destination = "/run/keys/stripe.secret-key";
+ source = "${privateKeyPath}/stripe.secret";
owner.user = "root";
owner.group = "root";
permissions = "0400";
diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix
index c437fcf6..86e14228 100644
--- a/morph/lib/storage.nix
+++ b/morph/lib/storage.nix
@@ -1,11 +1,14 @@
# Similar to ``issuer.nix`` but for a "storage"-type system. Holes are filled
# by ``customize-storage.nix``.
{ config, ...} :
-{
+let
+ inherit (config.grid) publicKeyPath privateKeyPath;
+in {
deployment = {
secrets = {
"ristretto-signing-key" = {
destination = "/run/keys/ristretto.signing-key";
+ source = "${privateKeyPath}/ristretto.signing-key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
--
GitLab