Place keys on tmpfs

  sed -i 's|var/secrets|run/keys|'

See Ops#193

morph/lib/make-issuer.nix

@@ -32,7 +32,7 @@
       };
       "monitoringvpn-secret-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
-        destination = "/var/secrets/monitoringvpn/client.key";
+        destination = "/run/keys/monitoringvpn/client.key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
@@ -40,7 +40,7 @@
       };
       "monitoringvpn-preshared-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
-        destination = "/var/secrets/monitoringvpn/preshared.key";
+        destination = "/run/keys/monitoringvpn/preshared.key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";

morph/lib/make-monitoring.nix

@@ -6,7 +6,7 @@
     secrets = {
       "monitoringvpn-private-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/server.key";
-        destination = "/var/secrets/monitoringvpn/server.key";
+        destination = "/run/keys/monitoringvpn/server.key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
@@ -14,7 +14,7 @@
       };
       "monitoringvpn-public-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/server.pub";
-        destination = "/var/secrets/monitoringvpn/server.pub";
+        destination = "/run/keys/monitoringvpn/server.pub";
         owner.user = "root";
         owner.group = "root";
         permissions = "0444";
@@ -22,7 +22,7 @@
       };
       "monitoringvpn-preshared-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
-        destination = "/var/secrets/monitoringvpn/preshared.key";
+        destination = "/run/keys/monitoringvpn/preshared.key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";

morph/lib/make-testing.nix

@@ -17,7 +17,7 @@
       };
       "monitoringvpn-secret-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
-        destination = "/var/secrets/monitoringvpn/client.key";
+        destination = "/run/keys/monitoringvpn/client.key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
@@ -25,7 +25,7 @@
       };
       "monitoringvpn-preshared-key" = {
         source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
-        destination = "/var/secrets/monitoringvpn/preshared.key";
+        destination = "/run/keys/monitoringvpn/preshared.key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";

nixos/modules/monitoring/vpn/client.nix

@@ -8,15 +8,15 @@ in {
     enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
     privateKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/host.key;
-      default = /var/secrets/monitoringvpn/client.key;
+      example = lib.literalExample /run/keys/monitoringvpn/host.key;
+      default = /run/keys/monitoringvpn/client.key;
       description = ''
         File with base64 private key generated by <command>wg genkey</command>.
       '';
     };
     publicKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/host.pub;
+      example = lib.literalExample /run/keys/monitoringvpn/host.pub;
       description = ''
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
         Cannot have white space or new lines.
@@ -28,8 +28,8 @@ in {
     };
     presharedKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
-      default = /var/secrets/monitoringvpn/preshared.key;
+      example = lib.literalExample /run/keys/monitoringvpn/preshared.key;
+      default = /run/keys/monitoringvpn/preshared.key;
       description = ''
         File with base64 preshared key generated by <command>wg genpsk</command>.
       '';
@@ -59,7 +59,7 @@ in {
     };
     endpointPublicKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
+      example = lib.literalExample /run/keys/monitoringvpn/server.pub;
       default = ../../../../morph/PrivateStorageSecrets/monitoringvpn/server.pub;
       description = ''
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.

nixos/modules/monitoring/vpn/server.nix

@@ -8,24 +8,24 @@ in {
     enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN server service";
     privateKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/server.key;
-      default = /var/secrets/monitoringvpn/server.key;
+      example = lib.literalExample /run/keys/monitoringvpn/server.key;
+      default = /run/keys/monitoringvpn/server.key;
       description = ''
         File with base64 private key generated by <command>wg genkey</command>.
       '';
     };
     publicKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
-      default = /var/secrets/monitoringvpn/server.pub;
+      example = lib.literalExample /run/keys/monitoringvpn/server.pub;
+      default = /run/keys/monitoringvpn/server.pub;
       description = ''
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
       '';
     };
     presharedKeyFile = lib.mkOption {
       type = lib.types.path;
-      example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
-      default = /var/secrets/monitoringvpn/preshared.key;
+      example = lib.literalExample /run/keys/monitoringvpn/preshared.key;
+      default = /run/keys/monitoringvpn/preshared.key;
       description = ''
         File with base64 preshared key generated by <command>wg genpsk</command>.
       '';