storage.nix

# This contains all of the NixOS system configuration necessary to specify an
# "storage"-type system.
{ lib, config, ...} :
let
  inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnIPv4 monitoringvpnEndpoint;
in {
  # Any extra NixOS modules to load on this server.
  imports = [
    # Bring in our module for configuring the Tahoe-LAFS service and other
    # Private Storage-specific things.
    ../../nixos/modules/private-storage.nix
    # Connect to the monitoringvpn.
    ../../nixos/modules/monitoring/vpn/client.nix
    # Expose base system metrics over the monitoringvpn.
    ../../nixos/modules/monitoring/exporters/node.nix
    # Collect Tahoe OpenMetrics statistics.
    ../../nixos/modules/monitoring/exporters/tahoe.nix
  ];

  options.grid.storage = {
    passValue = lib.mkOption {
      type = lib.types.int;
      description = ''
        An integer giving the value of a single pass in byte×months.
      '';
    };

    publicStoragePort = lib.mkOption {
      type = lib.types.port;
      description = ''
        An integer giving the port number to include in Tahoe storage service
        advertisements and on which to listen for storage connections.
      '';
    };
  };

  config = {
    deployment = {
      secrets = {
        "ristretto-signing-key" = {
          destination = "/run/keys/ristretto.signing-key";
          source = "${privateKeyPath}/ristretto.signing-key";
          owner.user = "root";
          owner.group = "root";
          permissions = "0400";
          # Service name here matches the name defined by our tahoe-lafs nixos
          # module.  It would be nice to not have to hard-code it here.  Can we
          # extract it from the tahoe-lafs nixos module somehow?
          action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
        };
        "monitoringvpn-secret-key" = {
          destination = "/run/keys/monitoringvpn/client.key";
          source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
          owner.user = "root";
          owner.group = "root";
          permissions = "0400";
          action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
        };
        "monitoringvpn-preshared-key" = {
          destination = "/run/keys/monitoringvpn/preshared.key";
          source = "${privateKeyPath}/monitoringvpn/preshared.key";
          owner.user = "root";
          owner.group = "root";
          permissions = "0400";
          action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
        };
      };
    };

    services.private-storage.monitoring.exporters.tahoe.enable = true;

    # Turn on the Private Storage (Tahoe-LAFS) service.
    services.private-storage = {
      # Yep.  Turn it on.
      enable = true;
      # Give it the Ristretto signing key to support authorization.
      ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
      inherit (config.grid.storage) passValue publicStoragePort;
    };

    services.private-storage.monitoring.vpn.client = {
      enable = true;
      ip = monitoringvpnIPv4;
      endpoint = monitoringvpnEndpoint;
      endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
    };
  };
}