Merge branch 'develop' into 341.monitoring-vpn

morph/grid/local/README.rst

@@ -74,32 +74,36 @@ Move the three .pem files into the payment's server ``/var/lib/letsencrypt/live/
 Use the local development environment
 `````````````````````````````````````
 
-Build and start the VMs::
+1. Build and start the VMs::
 
-  VAGRANT_DEFAULT_PROVIDER=virtualbox vagrant up
+    VAGRANT_DEFAULT_PROVIDER=virtualbox vagrant up
 
-Then, once::
+2. Then, once::
 
-  vagrant ssh-config > ./vagrant-ssh-config
+    vagrant ssh-config > ./vagrant-ssh-config
 
-Add the IPs from ``grid.nix`` to the vagrant-ssh-config Host match blocks so the config reads like::
+3. Edit the output: Add the IPs from ``grid.nix`` to the ``vagrant-ssh-config`` **Host match blocks** so the config reads like::
 
-  Host payments1 192.168.67.21
-    HostName 192.168.67.21
-    User vagrant
-    [...]
+    Host payments1 192.168.67.21
+      HostName 192.168.67.21
+      User vagrant
+      Port 22
+      [...]
 
-Then, make morph use this ssh config either - with newer morph [#]_ - by pointing it to it::
+4.  Then, make morph use this ssh config either - with newer morph [#]_ - by pointing it to it::
 
-  export SSH_CONFIG_FILE=./vagrant-ssh-config
+     export SSH_CONFIG_FILE=./vagrant-ssh-config
 
-Or, with older morph, adding the config to your user's ``~/.ssh/config`` file.
+  Or, with older morph, adding the config to your user's ``~/.ssh/config`` file.
 
-Then, build and deploy our software to the Vagrant VMs::
+  .. [#]  Morph honors the ``SSH_CONFIG_FILE`` environment variable `since 3f90aa88 (March 2020, v 1.5.0) <https://github.com/DBCDK/morph/commit/3f90aa885fac1c29fce9242452fa7c0c505744ef#diff-d155ad793bd62e6ea4c44ba985049ecb13a4f4f32f799791b2bce695a16c0101>`_.
 
-  morph build grid.nix
-  morph push grid.nix
-  morph upload-secrets grid.nix
-  morph deploy grid.nix switch
+5. Then, build and deploy our software to the Vagrant VMs::
+
+    morph build grid.nix
+    morph push grid.nix
+    morph upload-secrets grid.nix
+    morph deploy grid.nix switch
+
+  You will now be able to log in with the users and keys you set in your ``localdev-users.nix`` file.
 
-.. [#]  Morph honors the ``SSH_CONFIG_FILE`` environment variable `since 3f90aa88 (March 2020, v 1.5.0) <https://github.com/DBCDK/morph/commit/3f90aa885fac1c29fce9242452fa7c0c505744ef#diff-d155ad793bd62e6ea4c44ba985049ecb13a4f4f32f799791b2bce695a16c0101>`_.

morph/lib/make-issuer.nix

@@ -9,14 +9,14 @@
 , publicIPv4
 , monitoringvpnIPv4
 , ...
-}: {
+}: rec {
   deployment = {
     targetHost = publicIPv4;
 
     secrets = {
       "ristretto-signing-key" = {
         source = ristrettoSigningKeyPath;
-        destination = "/var/secrets/ristretto.signing-key";
+        destination = "/run/keys/ristretto.signing-key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
@@ -24,7 +24,7 @@
       };
       "stripe-secret-key" = {
         source = stripeSecretKeyPath;
-        destination = "/var/secrets/stripe.secret-key";
+        destination = "/run/keys/stripe.secret-key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
@@ -59,8 +59,8 @@
   services.private-storage-issuer = {
     enable = true;
     tls = true;
-    ristrettoSigningKeyPath = "/var/secrets/ristretto.signing-key";
-    stripeSecretKeyPath = "/var/secrets/stripe.secret-key";
+    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
+    stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
     database = "SQLite3";
     databasePath = "/var/db/vouchers.sqlite3";
     inherit letsEncryptAdminEmail;

morph/lib/make-storage.nix

@@ -19,7 +19,7 @@
     secrets = {
       "ristretto-signing-key" = {
         source = ristrettoSigningKeyPath;
-        destination = "/var/secrets/ristretto.signing-key";
+        destination = "/run/keys/ristretto.signing-key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";

morph/lib/make-testing.nix

@@ -6,7 +6,7 @@
     secrets = {
       "ristretto-signing-key" = {
         source = ristrettoSigningKeyPath;
-        destination = "/var/secrets/ristretto.signing-key";
+        destination = "/run/keys/ristretto.signing-key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";