storage.nix

# This contains all of the NixOS system configuration necessary to specify an
# "storage"-type system.
{ lib, config, ...} :
let
  inherit (config.grid) privateKeyPath;
in {
  # Any extra NixOS modules to load on this server.
  imports = [
    # Configure the node to be monitored.
    ./monitored-node.nix
  ];

  options.grid.storage = {
    passValue = lib.mkOption {
      type = lib.types.int;
      description = ''
        An integer giving the value of a single pass in byte×months.
      '';
    };

    publicStoragePort = lib.mkOption {
      type = lib.types.port;
      description = ''
        An integer giving the port number to include in Tahoe storage service
        advertisements and on which to listen for storage connections.
      '';
    };
  };

  config = {
    deployment = {
      secrets = {
        "ristretto-signing-key" = {
          destination = "/run/keys/ristretto.signing-key";
          source = "${privateKeyPath}/ristretto.signing-key";
          owner.user = "root";
          owner.group = "root";
          permissions = "0400";
          # Service name here matches the name defined by our tahoe-lafs nixos
          # module.  It would be nice to not have to hard-code it here.  Can we
          # extract it from the tahoe-lafs nixos module somehow?
          action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
        };
      };
    };

    services.private-storage.monitoring.exporters.tahoe.enable = true;

    # Turn on the Private Storage (Tahoe-LAFS) service.
    services.private-storage = {
      # Yep.  Turn it on.
      enable = true;
      # Give it the Ristretto signing key to support authorization.
      ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
      inherit (config.grid.storage) passValue publicStoragePort;
    };
  };
}