storage.nix 2.64 KiB
  • { config, ... }:
    rec {
      # Secrets copied onto this host at deploy time.  Each entry names a
      # destination under /run/keys, is owned by root:root with mode 0400, and
      # carries a command that restarts the service consuming it.
      #
      # The destinations are plain strings rather than Nix path literals, so
      # referring to them elsewhere in the configuration passes a path around
      # and never the key material itself.
      #
      # NOTE(review): `source` is a placeholder in every entry; whatever fills
      # it in should point at a file kept outside the world-readable Nix store
      # -- confirm how the deployment tool reads it.
      # NOTE(review): /run is normally a tmpfs, so presumably these files do not
      # survive a reboot -- confirm the keys are uploaded again before the
      # services that need them start.
      # NOTE(review): every action goes through sudo, so presumably the
      # deploying account is unprivileged -- confirm its sudo rights are limited
      # to what deployment needs.
      deployment.secrets = {
        "ristretto-signing-key" = {
          # source = ...;
          destination = "/run/keys/ristretto.signing-key";
          permissions = "0400";
          owner = {
            user = "root";
            group = "root";
          };
          # NOTE(review): only root can read this file; confirm the storage
          # service is still able to open it.
          #
          # The unit name below is the one our tahoe-lafs nixos module defines.
          # Hard-coding it here is not ideal; can it be extracted from that
          # module instead?
          action = [
            "sudo"
            "systemctl"
            "restart"
            "tahoe.storage.service"
          ];
        };

        # The two monitoringvpn entries restart the same WireGuard unit.
        # NOTE(review): presumably the first restart can run before the other
        # key has been written -- confirm the unit tolerates that.
        "monitoringvpn-secret-key" = {
          # source = ...;
          destination = "/run/keys/monitoringvpn/client.key";
          permissions = "0400";
          owner = {
            user = "root";
            group = "root";
          };
          action = [
            "sudo"
            "systemctl"
            "restart"
            "wireguard-monitoringvpn.service"
          ];
        };

        "monitoringvpn-preshared-key" = {
          # source = ...;
          destination = "/run/keys/monitoringvpn/preshared.key";
          permissions = "0400";
          owner = {
            user = "root";
            group = "root";
          };
          action = [
            "sudo"
            "systemctl"
            "restart"
            "wireguard-monitoringvpn.service"
          ];
        };
      };
    
      # Any extra NixOS modules to load on this server.  The relative paths
      # are resolved against the directory containing this file.
      imports = [
        # Bring in our module for configuring the Tahoe-LAFS service and other
        # Private Storage-specific things.
        ../../nixos/modules/private-storage.nix
        # Connect to the monitoringvpn.
        ../../nixos/modules/monitoring/vpn/client.nix
        # Expose base system metrics over the monitoringvpn.
        # NOTE(review): confirm the exporter is reachable only through the VPN
        # interface and not on the public address; that binding is decided in
        # the imported module and is not visible here.
        ../../nixos/modules/monitoring/exporters/node.nix
      ];
    
      # Pass the configuration specific to this host to the 100TB module to be
      # expanded into a complete system configuration.  See the 100tb module for
      # handling of this value.
      #
      # The module name is quoted because `1` makes `100tb` look an awful lot like
      # it should be a number.
      # "100tb".config = cfg;
    
      # Turn on the Private Storage (Tahoe-LAFS) service.
      services.private-storage = {
        # Yep.  Turn it on.
        enable = true;
        # Get the public IPv4 address from the node configuration.
        # inherit (cfg) publicIPv4;
        # And the port to operate on is specified via parameter.
        # inherit publicStoragePort;
        # Give it the Ristretto signing key, too, to support authorization.
        # The value is the destination string declared under deployment.secrets
        # (reachable by name because the enclosing set is `rec`), so the module
        # is handed a file path and the key itself stays out of the evaluated
        # configuration.
        ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
        # Assign the configured pass value.
        # inherit passValue;
        # It gets the users, too.
        # sshUsers = ...;
      };
    
      # system.stateVersion = ...;
    
      # Settings for the monitoring VPN client.  Every option below is a
      # commented-out placeholder, so this file sets none of them.
      # NOTE(review): the monitoringvpn secret and preshared keys are declared
      # under deployment.secrets in this file regardless; presumably a per-host
      # file supplies these values -- confirm.
      services.private-storage.monitoring.vpn.client = {
        # enable = ...;
        # ip = ...;
        # endpoint = ...;
        # NOTE(review): presumably names the peer this client will trust;
        # verify it is set from a known-good copy of the endpoint's public key.
        # endpointPublicKeyFile = ...;
      };
    }