diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 3def2d77556e8b82b5fd0dbd2513f3d08b7ea2c7..51f41832ded8fe18290c47b5b3ad85fb58c2a511 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -61,7 +61,7 @@ let
 (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.24"; }))
 (gridlib.customize-monitoring {
 inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
- inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
+ inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
 googleOAuthClientID = config.monitoringGoogleOAuthClientID;
 monitoringvpnIPv4 = "172.23.23.1";
 stateVersion = "19.09";
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index e663d2243e4aa6078260e41f07f807f606e64ef6..06eefdd28da57ad65ea99543ba8421bc934ef752 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -38,7 +38,7 @@ let
 gridlib.hardware-aws
 (gridlib.customize-monitoring {
 inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
- inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
+ inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
 googleOAuthClientID = config.monitoringGoogleOAuthClientID;
 monitoringvpnIPv4 = "172.23.23.1";
 stateVersion = "19.09";
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index fbbbd9f13e49cfdc7fd2f0687fa2fe12df91ea33..7b06c99e1f7a1b65b535f924a0a24aebe6753586 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
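Review bot: `sshUsers` is now inherited from `config` with no fallback, and customize-monitoring.nix in this same commit declares the matching parameter without a default, so a grid whose configuration omits the key fails at evaluation instead of deploying a monitoring host whose SSH user list differs from the other nodes; that is the desirable failure mode for an access-control input. The production and testing grid.nix hunks make the identical one-line change and share this note. Where `config` is loaded is outside these hunks; if it comes from a per-grid configuration file, whatever documents that file's expected keys presumably needs `sshUsers` added as well.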
@@ -51,7 +51,7 @@ let
 gridlib.hardware-aws
 (gridlib.customize-monitoring {
 inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
- inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
+ inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
 googleOAuthClientID = config.monitoringGoogleOAuthClientID;
 monitoringvpnIPv4 = "172.23.23.1";
 stateVersion = "19.09";
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index f5b820a272fcfd4ea7106af32ad2fd0ac5c8ece3..391aa5602575100c8650d8e4fb6892e38fc95ebf 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -13,6 +13,7 @@
 , privateKeyPath
 , monitoringvpnIPv4
 , domain
+, sshUsers
 , letsEncryptAdminEmail
 # A list of VPN IP addresses as strings indicating which clients will be
@@ -84,6 +85,8 @@
 networking.domain = domain;
 networking.hosts = hostsMap;
+ services.private-storage.sshUsers = sshUsers;
+
 services.private-storage.monitoring.vpn.server = {
 enable = true;
 ip = monitoringvpnIPv4;
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index d8af93b24119ba6dff5ce63a5b2d16fbd18edb71..f8810be2f7e878eeb979e82d2746895d6157212e 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -21,6 +21,8 @@ rec {
 };
 imports = [
+ # Give it a good SSH configuration.
+ ../../nixos/modules/ssh.nix
 # Allow us to remotely trigger updates to this system.
 ../../nixos/modules/deployment.nix
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index da56a43012b7e53a6d5ced17123eb3d898b24f3e..ce1f928b2738066811425a3c7e3e3c85c03ac272 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
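Review bot: `services.private-storage.sshUsers = sshUsers;` in the @@ -84 hunk sets an option that nothing in this file declares or imports; it is presumably provided by nixos/modules/ssh.nix, which morph/lib/monitoring.nix starts importing in this same commit, so customize-monitoring.nix now only evaluates when composed with monitoring.nix or another importer of that module. A one-line comment would make the dependency visible to the next reader, e.g. `# Option declared by nixos/modules/ssh.nix, imported through morph/lib/monitoring.nix.`. In the @@ -13 hunk the new `, sshUsers` parameter carries no comment; the neighbouring parameters do not either, but this one decides who can log in to the monitoring host, so a short comment giving its expected type and that it is the same value the other nodes receive (the type is not visible here) would help callers.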
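Review bot: The comment `# Give it a good SSH configuration.` above the new `../../nixos/modules/ssh.nix` import tells the reader nothing they can check, unlike the neighbouring `# Allow us to remotely trigger updates to this system.` which names a concrete effect. If ssh.nix is what declares `services.private-storage.sshUsers` and hardens sshd for these hosts (not visible in this diff), say so: `# sshd settings and the services.private-storage.sshUsers option, shared with the other nodes.`. The `imports` list and the enclosing `rec { ... }` continue outside this hunk.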
@@ -182,11 +182,17 @@ in {
 "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
 };
- # Certificate renewal. We must declare that we *require* it in our
- # service above.
- systemd.services."${certServiceName}" = {
- enable = true;
+ # Certificate renewal. A short-lived service meant to be repeatedly
+ # activated to request a new certificate be issued, if the current one is
+ # close to expiring.
+ systemd.services.${certServiceName} = {
+ enable = cfg.tls;
 description = "Certificate ${domain}";
+ # Activate this unit periodically so that certbot can determine if the
+ # certificate expiration time is close enough to warrant a renewal
+ # request.
+ startAt = "weekly";
+
 serviceConfig = {
 ExecStart =
 let
@@ -201,6 +207,7 @@ in {
 '';
 };
 };
+ # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
 networking.firewall.allowedTCPPorts = [
 80
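Review bot: `startAt = "weekly";` produces a systemd timer that sets OnCalendar but not Persistent=, so a slot missed while the host is down is not caught up until the following week, and a weekly cadence leaves only a few retries for a transient ACME failure before the certificate actually expires; certbot's own packaging runs the renewal check far more often than weekly. Consider `startAt = "daily";` together with `systemd.timers.${certServiceName}.timerConfig.Persistent = true;` so a missed run fires at next boot. `enable = cfg.tls;` correctly stops the unit when TLS is off, but the removed comment about the PaymentServer service *requiring* this unit was the only place that ordering was explained; if the `requires`/`after` relation still exists outside this hunk, the new comment should mention that the first issuance happens on demand through that dependency rather than waiting for the timer. The enclosing `systemd.services` definition and the `in { ... }` attribute set continue outside this hunk.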