From 73d379a6007b844173a4d2b7cc96dd0d88023be1 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Tue, 25 May 2021 22:23:41 +0000
Subject: [PATCH] Move key generating docs into operations documentation

---
 docs/source/ops/README.rst          |  2 ++
 docs/source/ops/generating-keys.rst | 50 +++++++++++++++++++++++++++++
 morph/grid/local/README.rst         | 50 -----------------------------
 3 files changed, 52 insertions(+), 50 deletions(-)
 create mode 100644 docs/source/ops/generating-keys.rst

diff --git a/docs/source/ops/README.rst b/docs/source/ops/README.rst
index 8007d8df..b78e5ef8 100644
--- a/docs/source/ops/README.rst
+++ b/docs/source/ops/README.rst
@@ -9,3 +9,5 @@ This contains documentation regarding running PrivateStorageio.
 .. include::
       monitoring.rst
 
+.. include::
+      generating-keys.rst
diff --git a/docs/source/ops/generating-keys.rst b/docs/source/ops/generating-keys.rst
new file mode 100644
index 00000000..afe2ece4
--- /dev/null
+++ b/docs/source/ops/generating-keys.rst
@@ -0,0 +1,50 @@
+Generating keys
+===============
+
+``config.json`` has the paths for the Ristretto and the Stripe secret key files.
+
+Here is a Ristretto key you can use, randomly generated just now::
+
+  SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
+
+Generate your own like this::
+
+  [flo@la:~/PrivateStorageio]$ nix-shell
+  [nix-shell:~/PrivateStorageio]$ nix-shell -p zkapissuer.components.exes.PaymentServer-generate-key
+  [nix-shell:~/PrivateStorageio]$ PaymentServer-generate-key
+  SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
+
+Make sure you write it into the key file `without any leading or trailing white space, also without newlines <https://github.com/LeastAuthority/python-challenge-bypass-ristretto/issues/37>`_.
+For example::
+
+  echo -n "SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=" > ristretto.signing-key
+
+For the Stripe key any random bytes with a little light formatting "work" - at least to make our software happy - but if you want to be able to interact with Stripe and have payments (even pretend payments) move all the way through the system you should get a Stripe account and generate a key w/ them.
+Lauri can get you added to our "dev" Stripe account, too, though I forget how important that is for ad hoc dev/testing.
+
+I think this will work for generating random Stripe secret keys (that our software will load, I think, but Stripe will reject)::
+
+  >>> import base64, os
+  >>> print((b"sk_test_" + base64.b64encode(os.urandom(25)).strip(b"=")).decode("ascii"))
+  sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw
+
+Public keys are the same but "pk_test" instead of "sk_test" ("test" is for "test mode" key that can only process pretend txns; for real txns there are keys with "live" embedded).
+
+The ZKAPIssuer.service needs a working TLS certificate and expects it in the certbot directory for the domain you configured, in my case::
+
+  openssl req -x509 -newkey rsa:4096 -nodes -keyout privkey.pem -out cert.pem -days 3650
+  touch chain.pem
+
+Move the three .pem files into the payment's server ``/var/lib/letsencrypt/live/payments.localdev/`` directory and issue a ``sudo systemctl restart zkapissuer.service``.
+
+Create Wireguard VPN key pairs in ``PrivateStorageSecrets/monitoringvpn/`` or where you have them::
+
+  for i in "172.23.23.11" "172.23.23.12" "172.23.23.13" "server"; do
+    wg genkey | tee ${i}.key | wg pubkey > ${i}.pub
+  done
+
+And a shared VPN key for "post-quantum resistance"::
+
+  wg genpsk > preshared.key
+
+
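Review bot: the literal Ristretto signing key `SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=` is now committed three times in an operations document that a reader may copy verbatim into `ristretto.signing-key`; a key that lives in the repository is public and should be marked local-dev only, or better, dropped in favour of the generator output, e.g. `printf '%s' "$(PaymentServer-generate-key)" > ristretto.signing-key`, which also meets the no-trailing-newline requirement the linked issue describes. Neither that `echo -n ... > ristretto.signing-key` line nor the `wg genkey | tee ${i}.key | wg pubkey > ${i}.pub` loop restricts the mode of the files it writes, so a default umask leaves private keys world-readable; prefix both with `umask 077`. The `openssl req -x509 ...` command prompts interactively for the subject and produces a certificate with no subjectAltName, so add `-subj "/CN=payments.localdev" -addext "subjectAltName=DNS:payments.localdev"` (OpenSSL 1.1.1 or newer) to make it reproducible. The heading underline changed from backticks to `===============` in the move; check that this level matches what `monitoring.rst` uses, since both files are pulled into the same page by `.. include::`. Finally, now that the text lives under `docs/source/ops/` rather than a local-grid README, the first-person and hedged phrasing ("I think this will work", "Lauri can get you added", "in my case") should become verified operator instructions, "payment's server" should read "payment server's", "Wireguard" should be "WireGuard", and the two blank `+` lines at the end of the file can go.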
diff --git a/morph/grid/local/README.rst b/morph/grid/local/README.rst
index 0fda5809..38981f75 100644
--- a/morph/grid/local/README.rst
+++ b/morph/grid/local/README.rst
@@ -33,56 +33,6 @@ If you run an older Nixpkgs, retrieve and use the latest Vagrant development ver
   NIX_PATH=nixpkgs=https://github.com/NixOS/nixpkgs/archive/refs/heads/master.tar.gz nix-shell -p vagrant
 
 
-Generating keys
-```````````````
-
-``config.json`` has the paths for the Ristretto and the Stripe secret key files.
-
-Here is a Ristretto key you can use, randomly generated just now::
-
-  SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
-
-Generate your own like this::
-
-  [flo@la:~/PrivateStorageio]$ nix-shell
-  [nix-shell:~/PrivateStorageio]$ nix-shell -p zkapissuer.components.exes.PaymentServer-generate-key
-  [nix-shell:~/PrivateStorageio]$ PaymentServer-generate-key
-  SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
-
-Make sure you write it into the key file `without any leading or trailing white space, also without newlines <https://github.com/LeastAuthority/python-challenge-bypass-ristretto/issues/37>`_.
-For example::
-
-  echo -n "SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=" > ristretto.signing-key
-
-For the Stripe key any random bytes with a little light formatting "work" - at least to make our software happy - but if you want to be able to interact with Stripe and have payments (even pretend payments) move all the way through the system you should get a Stripe account and generate a key w/ them.
-Lauri can get you added to our "dev" Stripe account, too, though I forget how important that is for ad hoc dev/testing.
-
-I think this will work for generating random Stripe secret keys (that our software will load, I think, but Stripe will reject)::
-
-  >>> import base64, os
-  >>> print((b"sk_test_" + base64.b64encode(os.urandom(25)).strip(b"=")).decode("ascii"))
-  sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw
-
-Public keys are the same but "pk_test" instead of "sk_test" ("test" is for "test mode" key that can only process pretend txns; for real txns there are keys with "live" embedded).
-
-The ZKAPIssuer.service needs a working TLS certificate and expects it in the certbot directory for the domain you configured, in my case::
-
-  openssl req -x509 -newkey rsa:4096 -nodes -keyout privkey.pem -out cert.pem -days 3650
-  touch chain.pem
-
-Move the three .pem files into the payment's server ``/var/lib/letsencrypt/live/payments.localdev/`` directory and issue a ``sudo systemctl restart zkapissuer.service``.
-
-Create Wireguard VPN key pairs in ``PrivateStorageSecrets/monitoringvpn/`` or where you have them::
-
-  for i in "172.23.23.11" "172.23.23.12" "172.23.23.13" "server"; do
-    wg genkey | tee ${i}.key | wg pubkey > ${i}.pub
-  done
-
-And a shared VPN key for "post-quantum resistance"::
-
-  wg genpsk > preshared.key
-
-
 Use the local development environment
 `````````````````````````````````````
 
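Review bot: with this section removed, `morph/grid/local/README.rst` no longer tells a local-grid user where the key-generation instructions went; add a one-line pointer to `docs/source/ops/generating-keys.rst` between the Vagrant note and "Use the local development environment" so the local setup walkthrough still covers the keys (`config.json` secrets, the TLS certificate under `/var/lib/letsencrypt/live/payments.localdev/`, the WireGuard keys) that the services need before they can start.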
-- 
GitLab