{ hardware , ristrettoSigningKeyPath , stripeSecretKeyPath , issuerDomain , letsEncryptAdminEmail , allowedChargeOrigins , sshUsers , stateVersion , publicIPv4 , ... }: { deployment = { targetHost = publicIPv4; secrets = { "ristretto-signing-key" = { source = ristrettoSigningKeyPath; destination = "/var/secrets/ristretto.signing-key"; owner.user = "root"; owner.group = "root"; permissions = "0400"; action = ["sudo" "systemctl" "restart" "zkapissuer.service"]; }; "stripe-secret-key" = { source = stripeSecretKeyPath; destination = "/var/secrets/stripe.secret-key"; owner.user = "root"; owner.group = "root"; permissions = "0400"; action = ["sudo" "systemctl" "restart" "zkapissuer.service"]; }; "monitoringvpn-secret-key" = { source = "../../PrivateStorageSecrets/monitoringvpn/storage1.key"; destination = "/var/secrets/monitoringvpn/client.key"; owner.user = "root"; owner.group = "root"; permissions = "0400"; action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"]; }; }; }; imports = [ hardware ../../nixos/modules/issuer.nix ../../nixos/modules/monitoring/vpn/client.nix ]; services.private-storage.sshUsers = sshUsers; services.private-storage-issuer = { enable = true; tls = true; ristrettoSigningKeyPath = "/var/secrets/ristretto.signing-key"; stripeSecretKeyPath = "/var/secrets/stripe.secret-key"; database = "SQLite3"; databasePath = "/var/db/vouchers.sqlite3"; inherit letsEncryptAdminEmail; domain = issuerDomain; inherit allowedChargeOrigins; }; system.stateVersion = stateVersion; services.private-storage.monitoring.vpn.client = { enable = true; privateKeyFile = /var/secrets/monitoringvpn/client.key; ips = ["172.23.23.11/24"]; endpointPublicKeyFile = /home/flo/Repositories/PrivateStorageio/morph/PrivateStorageSecrets/monitoringvpn/server.pub; }; }