Commit 7e2345bf authored by Jean-Paul Calderone's avatar Jean-Paul Calderone

Add the necessary secrets configuration

parent 5e022988
{ "publicStoragePort": 8898
, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
}
......@@ -5,7 +5,23 @@ in
# Define the function that defines the node. Accept the public storage server
# port argument so we can configure Tahoe-LAFS with it. Accept but ignore any
# other arguments.
{ publicStoragePort, ... }: {
{ publicStoragePort, ristrettoSigningKeyPath, ... }: rec {
deployment = {
secrets = {
"ristretto-signing-key" = {
source = ristrettoSigningKeyPath;
destination = "/var/secrets/ristretto.signing-key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
# Service name here matches the name defined by our tahoe-lafs nixos
# module. It would be nice to not have to hard-code it here. Can we
# extract it from the tahoe-lafs nixos module somehow?
action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
};
};
};
# Any extra NixOS modules to load on this server.
imports = [
......@@ -34,6 +50,8 @@ in
inherit (cfg) publicIPv4;
# And the port to operate on is specified via parameter.
inherit publicStoragePort;
# Give it the Ristretto signing key, too, to support authorization.
ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
};
# This value determines the NixOS release with which your system is to be
......
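Review bot: The signing key is installed as `root:root` with mode `0400` in the `"ristretto-signing-key"` block, yet its destination is passed to the private-storage configuration further down so that the Tahoe-LAFS storage service can use it. The module that defines `tahoe.storage.service` is not visible in this commit, so whether that service runs as root cannot be confirmed here; if it runs under a dedicated account, it will be unable to read the key. I would either set `owner.user`/`owner.group` to the service account or record the assumption next to the mode, e.g. `# root-only: tahoe.storage.service must run as root to read this key`. The same block is repeated verbatim in the testing000 node definition, so the same applies there, and factoring it into one shared attribute set would keep the two copies from drifting apart.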
......@@ -4,12 +4,8 @@
import ./make-grid.nix {
name = "Testing";
nodes = cfg: {
"testing000" = import ./testing000.nix {
publicIPv4 = "3.123.26.90";
# Pass along some of the Tahoe-LAFS configuration. If we have much more
# configuration than this we may want to keep it bundled up in one value
# instead of pulling individual values out to pass along.
inherit (cfg) publicStoragePort;
};
"testing000" = import ./testing000.nix (cfg // {
publicIPv4 = "35.157.216.200";
});
};
}
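Review bot: `import ./testing000.nix (cfg // { ... })` now forwards every key of the grid configuration, but the function in testing000.nix takes a closed argument set, `{ publicIPv4, publicStoragePort, ristrettoSigningKeyPath }`, so the first configuration key this node does not name will abort evaluation with an unexpected-argument error. The other node definition in this commit already accepts `...`; doing the same here (`{ publicIPv4, publicStoragePort, ristrettoSigningKeyPath, ... }: rec {`) avoids that. Alternatively keep the explicit form, `inherit (cfg) publicStoragePort ristrettoSigningKeyPath;`, which also keeps the values that reach a node, secret paths included, visible at the call site.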
{ publicIPv4, publicStoragePort }:
{ imports = [
{ publicIPv4, publicStoragePort, ristrettoSigningKeyPath }: rec {
deployment = {
secrets = {
"ristretto-signing-key" = {
source = ristrettoSigningKeyPath;
destination = "/var/secrets/ristretto.signing-key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
# Service name here matches the name defined by our tahoe-lafs nixos
# module. It would be nice to not have to hard-code it here. Can we
# extract it from the tahoe-lafs nixos module somehow?
action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
};
};
};
imports = [
./testing000-hardware.nix
../nixos/modules/private-storage.nix
];
......@@ -8,5 +25,6 @@
{ enable = true;
inherit publicIPv4;
inherit publicStoragePort;
ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
};
}