diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 96a61edf5e4286556a0dd6a15f614fe62a30ee02..ed3cda9e787ba567c5c5eed19557fc281a80ceb6 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -85,28 +85,30 @@ let
 storage1 = {
 imports = [
 gridlib.storage
- (gridlib.customize-storage (grid-config // {
- stateVersion = "19.09";
- }))
 grid-module
 ];
 config = {
 grid.monitoringvpnIPv4 = "172.23.23.12";
 grid.publicIPv4 = "192.168.67.22";
+ grid.storage = {
+ inherit (grid-config) passValue publicStoragePort;
+ };
+ system.stateVersion = "19.09";
 };
 };
 storage2 = {
 imports = [
 gridlib.storage
- (gridlib.customize-storage (grid-config // {
- stateVersion = "19.09";
- }))
 grid-module
 ];
 config = {
 grid.monitoringvpnIPv4 = "172.23.23.13";
 grid.publicIPv4 = "192.168.67.23";
+ grid.storage = {
+ inherit (grid-config) passValue publicStoragePort;
+ };
+ system.stateVersion = "19.09";
 };
 };
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index eaeba677f44ff3a6373950c0b615caff64fa0911..12873a4bc010887c54f522a01115061e9875726f 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -85,18 +85,16 @@ let
 # Get all of the configuration that is common across all storage nodes.
 gridlib.storage
-
- # Then customize the storage system a little bit based on this node's particulars.
- (gridlib.customize-storage (grid-config // nodecfg // {
- inherit stateVersion;
- }))
-
 # Also configure deployment management authorization
 grid-module
 ];
 config = {
 grid.monitoringvpnIPv4 = vpnIP;
+ grid.storage = {
+ inherit (grid-config) passValue publicStoragePort;
+ };
+ system.stateVersion = stateVersion;
 # And supply configuration for those hardware / network / bootloader
 # options. See the 100tb module for handling of this value. The module
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index a940b6716a710c692b8027dafa64bcd0fbc2bc97..7f7aeccbaba1f4e8d2c9576ece080791d03fd065 100644
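Review bot: The four-line block `grid.storage = { inherit (grid-config) passValue publicStoragePort; }; system.stateVersion = "19.09";` is pasted verbatim into both storage1 and storage2 in this hunk, and the same shape recurs in the production and testing grid.nix hunks; the deleted customize-storage.nix was what previously kept that wiring in one place. A small shared attrset in this file's `let`, e.g. `storage-node = { grid.storage = { inherit (grid-config) passValue publicStoragePort; }; system.stateVersion = "19.09"; };` merged into each node's `config`, would leave a single edit point when the option set grows. The enclosing `let`, where grid-config and grid-module presumably come from, starts outside the hunk.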
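Review bot: The new `grid.storage` block is the only entry in this node's `config` without an explanatory comment, while every neighbouring line in the hunk carries one, and the removed "Then customize the storage system" comment was not replaced. Suggest `# Supply the grid-wide storage parameters (pass value, public storage port) that gridlib.storage declares as required options.` directly above `grid.storage = {`. `stateVersion`, `vpnIP` and `grid-config` are bound outside the hunk.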
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -49,13 +49,14 @@ let
 gridlib.storage
 gridlib.hardware-aws
 ./testing001-hardware.nix
- (gridlib.customize-storage (grid-config // {
- stateVersion = "19.03";
- }))
 grid-module
 ];
 config = {
 grid.monitoringvpnIPv4 = "172.23.23.12";
+ grid.storage = {
+ inherit (grid-config) passValue publicStoragePort;
+ };
+ system.stateVersion = "19.03";
 };
 };
diff --git a/morph/lib/customize-storage.nix b/morph/lib/customize-storage.nix
deleted file mode 100644
index e6b93fefdc735dfb08e3ce091ee1d125d7031b04..0000000000000000000000000000000000000000
--- a/morph/lib/customize-storage.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-# Define a function which returns a value which fills in all the holes left by
-# ``storage.nix``.
-{
- # An integer giving the value of a single pass in byte×months.
- passValue
-
- # An integer giving the port number to include in Tahoe storage service
- # advertisements and on which to listen for storage connections.
-, publicStoragePort
-
- # A string giving the NixOS state version for the system.
-, stateVersion
-, ...
-}:
-{ config, ... }:
-let
- inherit (config.grid) publicKeyPath privateKeyPath;
-in {
- services.private-storage = {
- inherit passValue publicStoragePort;
- };
-
- system.stateVersion = stateVersion;
-}
diff --git a/morph/lib/default.nix b/morph/lib/default.nix
index ca1ac9631a1eeb4cc98ac3660c837de5876f2524..766fda5102589fbdc32e26c17fbc94731ab71a73 100644
--- a/morph/lib/default.nix
+++ b/morph/lib/default.nix
@@ -8,9 +8,7 @@ hardware-vagrant = import ./hardware-vagrant.nix;
 issuer = import ./issuer.nix;
- storage = import ./storage.nix;
- customize-storage = import ./customize-storage.nix;
 monitoring = import ./monitoring.nix;
 customize-monitoring = import ./customize-monitoring.nix;
diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix
index 74ed448ac5e7d821cca0c09910a61343d2ec94af..71e3c22371ad042c4ddbc5d8cd87db5cb05923af 100644
--- a/morph/lib/storage.nix
+++ b/morph/lib/storage.nix
@@ -1,41 +1,9 @@
-# Similar to ``issuer.nix`` but for a "storage"-type system. Holes are filled
-# by ``customize-storage.nix``.
-{ config, ...} :
+# This contains all of the NixOS system configuration necessary to specify an
+# "storage"-type system.
+{ lib, config, ...} :
 let
 inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnIPv4 monitoringvpnEndpoint;
 in {
- deployment = {
- secrets = {
- "ristretto-signing-key" = {
- destination = "/run/keys/ristretto.signing-key";
- source = "${privateKeyPath}/ristretto.signing-key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- # Service name here matches the name defined by our tahoe-lafs nixos
- # module. It would be nice to not have to hard-code it here. Can we
- # extract it from the tahoe-lafs nixos module somehow?
- action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
- };
- "monitoringvpn-secret-key" = {
- destination = "/run/keys/monitoringvpn/client.key";
- source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- "monitoringvpn-preshared-key" = {
- destination = "/run/keys/monitoringvpn/preshared.key";
- source = "${privateKeyPath}/monitoringvpn/preshared.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- };
- };
-
 # Any extra NixOS modules to load on this server.
 imports = [
 # Bring in our module for configuring the Tahoe-LAFS service and other
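Review bot: The new header comment on the `+#` lines reads `necessary to specify an "storage"-type system`; it should be `a "storage"-type system`, and because it replaces the sentence that told the reader where the holes are filled, one more sentence such as `Per-grid values are supplied through the grid.storage options declared below.` would keep the module self-describing. The `let` binding of `publicKeyPath`, `privateKeyPath` and the VPN values from `config.grid` stays at module top level, which is fine as long as nothing under `config.grid` depends on this module's own options; that appears to hold from the option names in this patch, but it is worth confirming. The module body (imports, options, config) continues outside this hunk.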
@@ -49,20 +17,72 @@ in {
 ../../nixos/modules/monitoring/exporters/tahoe.nix
 ];
- services.private-storage.monitoring.tahoe.enable = true;
+ options.grid.storage = {
+ passValue = lib.mkOption {
+ type = lib.types.int;
+ description = ''
+ An integer giving the value of a single pass in byte×months.
+ '';
+ };
- # Turn on the Private Storage (Tahoe-LAFS) service.
- services.private-storage = {
- # Yep. Turn it on.
- enable = true;
- # Give it the Ristretto signing key to support authorization.
- ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
+ publicStoragePort = lib.mkOption {
+ type = lib.types.port;
+ description = ''
+ An integer giving the port number to include in Tahoe storage service
+ advertisements and on which to listen for storage connections.
+ '';
+ };
 };
- services.private-storage.monitoring.vpn.client = {
- enable = true;
- ip = monitoringvpnIPv4;
- endpoint = monitoringvpnEndpoint;
- endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
+ config = {
+ deployment = {
+ secrets = {
+ "ristretto-signing-key" = {
+ destination = "/run/keys/ristretto.signing-key";
+ source = "${privateKeyPath}/ristretto.signing-key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ # Service name here matches the name defined by our tahoe-lafs nixos
+ # module. It would be nice to not have to hard-code it here. Can we
+ # extract it from the tahoe-lafs nixos module somehow?
+ action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
+ };
+ "monitoringvpn-secret-key" = {
+ destination = "/run/keys/monitoringvpn/client.key";
+ source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ destination = "/run/keys/monitoringvpn/preshared.key";
+ source = "${privateKeyPath}/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+ };
+
+ services.private-storage.monitoring.tahoe.enable = true;
+
+ # Turn on the Private Storage (Tahoe-LAFS) service.
+ services.private-storage = {
+ # Yep. Turn it on.
+ enable = true;
+ # Give it the Ristretto signing key to support authorization.
+ ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
+ inherit (config.grid.storage) passValue publicStoragePort;
+ };
+
+ services.private-storage.monitoring.vpn.client = {
+ enable = true;
+ ip = monitoringvpnIPv4;
+ endpoint = monitoringvpnEndpoint;
+ endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
+ };
 };
 }
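Review bot: `passValue` is declared with `type = lib.types.int;`, which admits zero and negative values, whereas `publicStoragePort` in the same `options.grid.storage` block already gets the stricter `lib.types.port`; `type = lib.types.ints.positive;` would reject a meaningless pass value at evaluation time rather than handing it to the storage service. Neither option carries a `default`, so a grid file that omits `grid.storage` now fails evaluation with a missing-option error, which is the right outcome but deserves one sentence above `options.grid.storage = {`, e.g. `# Both options are mandatory; each grid.nix sets them per node.` The ristretto-signing-key and monitoringvpn secrets are moved under `config` verbatim, so there is no behaviour change in that part of the hunk.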