Add the necessary secrets configuration

7e2345bf · Jean-Paul Calderone · 5e022988 · 7e2345bf · 7e2345bf · 7e2345bf
Commit 7e2345bf authored Oct 21, 2019 by Jean-Paul Calderone
--- a/morph/grid.config.json
+++ b/morph/grid.config.json
 { "publicStoragePort": 8898
+, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
 }
--- a/morph/storage000.nix
+++ b/morph/storage000.nix
@@ -5,7 +5,23 @@ in
 # Define the function that defines the node.  Accept the public storage server
 # port argument so we can configure Tahoe-LAFS with it.  Accept but ignore any
 # other arguments.
-{ publicStoragePort, ... }: {
+{ publicStoragePort, ristrettoSigningKeyPath, ... }: rec {
+
+  deployment = {
+    secrets = {
+      "ristretto-signing-key" = {
+        source = ristrettoSigningKeyPath;
+        destination = "/var/secrets/ristretto.signing-key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        # Service name here matches the name defined by our tahoe-lafs nixos
+        # module.  It would be nice to not have to hard-code it here.  Can we
+        # extract it from the tahoe-lafs nixos module somehow?
+        action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
+      };
+    };
+  };

  # Any extra NixOS modules to load on this server.
  imports = [
@@ -34,6 +50,8 @@ in
    inherit (cfg) publicIPv4;
    # And the port to operate on is specified via parameter.
    inherit publicStoragePort;
+    # Give it the Ristretto signing key, too, to support authorization.
+    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
  };

  # This value determines the NixOS release with which your system is to be

--- a/morph/testing-grid.nix
+++ b/morph/testing-grid.nix
@@ -4,12 +4,8 @@
 import ./make-grid.nix {
  name = "Testing";
  nodes = cfg: {
-    "testing000" = import ./testing000.nix {
-      publicIPv4 = "3.123.26.90";
-      # Pass along some of the Tahoe-LAFS configuration.  If we have much more
-      # configuration than this we may want to keep it bundled up in one value
-      # instead of pulling individual values out to pass along.
-      inherit (cfg) publicStoragePort;
-    };
+    "testing000" = import ./testing000.nix (cfg // {
+      publicIPv4 = "35.157.216.200";
+    });
  };
 }
--- a/morph/testing000.nix
+++ b/morph/testing000.nix
-{ publicIPv4, publicStoragePort }:
-{ imports = [
+{ publicIPv4, publicStoragePort, ristrettoSigningKeyPath }: rec {
+
+  deployment = {
+    secrets = {
+      "ristretto-signing-key" = {
+        source = ristrettoSigningKeyPath;
+        destination = "/var/secrets/ristretto.signing-key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        # Service name here matches the name defined by our tahoe-lafs nixos
+        # module.  It would be nice to not have to hard-code it here.  Can we
+        # extract it from the tahoe-lafs nixos module somehow?
+        action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
+      };
+    };
+  };
+
+  imports = [
    ./testing000-hardware.nix
    ../nixos/modules/private-storage.nix
  ];
@@ -8,5 +25,6 @@
  { enable = true;
    inherit publicIPv4;
    inherit publicStoragePort;
+    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
  };
 }