diff --git a/morph/grid/production/config.json b/morph/grid/production/config.json
index ec60acc70dcdc90409b84e0b19ce9c2cb3d27cfa..80cbfa237bc889ea051e816adb5e0cc8e36ca671 100644
--- a/morph/grid/production/config.json
+++ b/morph/grid/production/config.json
@@ -1,6 +1,7 @@
{ "publicStoragePort": 8898
, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
, "stripeSecretKeyPath": "../../PrivateStorageSecrets/stripe.secret"
+, "monitoringvpnSecretKeyDir": "../../PrivateStorageSecrets/monitoringvpn"
, "passValue": 1000000
, "issuerDomain": "payments.privatestorage.io"
, "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index 7c9abe142fa98a6ceeebb3c8dc6d53dec2622e8c..13d26eff6eef27cdd7f59393c5e19f8d245ae259 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -7,6 +7,35 @@ import ../../lib/make-grid.nix {
nodes = cfg:
let
sshUsers = import ../../../../PrivateStorageSecrets/production-users.nix;
+
+ # TBD: derive these automatically:
+ hostsMap = {
+ "172.23.23.1" = [ "monitoring" "monitoring.monitoringvpn" ];
+ "172.23.23.11" = [ "payments" "payments.monitoringvpn" ];
+ "172.23.23.21" = [ "storage001" "storage001.monitoringvpn" ];
+ "172.23.23.22" = [ "storage002" "storage002.monitoringvpn" ];
+ "172.23.23.23" = [ "storage003" "storage003.monitoringvpn" ];
+ "172.23.23.24" = [ "storage004" "storage004.monitoringvpn" ];
+ "172.23.23.25" = [ "storage005" "storage005.monitoringvpn" ];
+ };
+ vpnClientIPs = [
+ "172.23.23.11"
+ "172.23.23.21"
+ "172.23.23.22"
+ "172.23.23.23"
+ "172.23.23.24"
+ "172.23.23.25"
+ ];
+ nodeExporterTargets = [
+ "monitoring"
+ "payments"
+ "storage001"
+ "storage002"
+ "storage003"
+ "storage004"
+ "storage005"
+ ];
+
in {
# Here are the hosts that are in this morph network. This is sort of like
# a server manifest. We try to keep as many of the specific details as
@@ -22,6 +51,7 @@ import ../../lib/make-grid.nix {
# The names must be unique!
"payments.privatestorage.io" = import ../../lib/make-issuer.nix ({
publicIPv4 = "18.184.142.208";
+ monitoringvpnIPv4 = "172.23.23.11";
inherit sshUsers;
hardware = ../../lib/issuer-aws.nix;
stateVersion = "19.03";
@@ -32,30 +62,47 @@ import ../../lib/make-grid.nix {
inherit sshUsers;
hardware = ./storage001-hardware.nix;
stateVersion = "19.09";
+ monitoringvpnIPv4 = "172.23.23.21";
} // cfg);
"storage002" = import ../../lib/make-storage.nix ({
cfg = import ./storage002-config.nix;
inherit sshUsers;
hardware = ./storage002-hardware.nix;
stateVersion = "19.09";
+ monitoringvpnIPv4 = "172.23.23.22";
} // cfg);
"storage003" = import ../../lib/make-storage.nix ({
cfg = import ./storage003-config.nix;
inherit sshUsers;
hardware = ./storage003-hardware.nix;
stateVersion = "19.09";
+ monitoringvpnIPv4 = "172.23.23.23";
} // cfg);
"storage004" = import ../../lib/make-storage.nix ({
cfg = import ./storage004-config.nix;
inherit sshUsers;
hardware = ./storage004-hardware.nix;
stateVersion = "19.09";
+ monitoringvpnIPv4 = "172.23.23.24";
} // cfg);
"storage005" = import ../../lib/make-storage.nix ({
cfg = import ./storage005-config.nix;
inherit sshUsers;
hardware = ./storage005-hardware.nix;
stateVersion = "19.03";
+ monitoringvpnIPv4 = "172.23.23.25";
+ } // cfg);
+
+ "monitoring" = import ../../lib/make-monitoring.nix ({
+ publicIPv4 = "monitoring.private.storage"; # XXX TBD when the machine is online
+ monitoringvpnIPv4 = "172.23.23.1";
+ inherit vpnClientIPs;
+ inherit hostsMap;
+ inherit nodeExporterTargets;
+ nginxExporterTargets = [ ];
+ hardware = ../../lib/issuer-aws.nix;
+ stateVersion = "19.09";
+ inherit sshUsers;
} // cfg);
};
}
diff --git a/morph/lib/make-storage.nix b/morph/lib/make-storage.nix
index af0867c8b8342e31393f19a76a7cbfc4c95f86c9..1c000e11173ec200e395ae2305a4ba3ab49a8f62 100644
--- a/morph/lib/make-storage.nix
+++ b/morph/lib/make-storage.nix
@@ -3,6 +3,7 @@
, hardware # The path to the hardware configuration for this node.
, publicStoragePort # The storage port number on which to accept connections.
, ristrettoSigningKeyPath # The *local* path to the Ristretto signing key file.
+, monitoringvpnSecretKeyDir # The directory that holds the VPN keys.
, passValue # Bytes component of sizeĆtime value of passes.
, sshUsers # Users for which to configure SSH access to this node.
, stateVersion # The value for system.stateVersion on this node.
@@ -11,6 +12,7 @@
# to avoid breaking some software such as
# database servers. You should change this only
# after NixOS release notes say you should.
+, monitoringvpnIPv4 # This node's IP in the monitoring VPN.
, ...
}: rec {
deployment = {
@@ -40,6 +42,10 @@
# Bring in our module for configuring the Tahoe-LAFS service and other
# Private Storage-specific things.
../../nixos/modules/private-storage.nix
+ # Connect to the monitoringvpn.
+ ../../nixos/modules/monitoring/vpn/client.nix
+ # Expose base system metrics over the monitoringvpn.
+ ../../nixos/modules/monitoring/exporters/node.nix
];
# Pass the configuration specific to this host to the 100TB module to be
@@ -67,4 +73,10 @@
};
system.stateVersion = stateVersion;
+
+ services.private-storage.monitoring.vpn.client = {
+ enable = true;
+ ip = monitoringvpnIPv4;
+ endpoint = "monitoring.private.storage:51820"; # XXX TBD when the machine is online
+ };
}