diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index 00065052805eee80cd6302295ade199c08ac4d57..863426a5159d54ceb65a69bd04b04fb7941af570 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -2,23 +2,26 @@
# preferred configuration for the Private Storage grid.
{ pkgs, lib, config, ... }:
let
+ # Derive a brand new version of pkgs which has our overlay applied. The
+ # overlay defines a new version of Tahoe-LAFS and some of its dependencies
+ # and maybe other useful Private Storage customizations.
pspkgs = import pkgs.path
{ overlays = [ (import ./overlays.nix) ];
};
+ # Grab the configuration for this module for convenient access below.
cfg = config.services.private-storage;
in
{
-
# Upstream tahoe-lafs module conflicts with ours (since ours is a
- # copy/paste/edit of upstream's...). Disable
- # it.
+ # copy/paste/edit of upstream's...). Disable it.
#
# https://nixos.org/nixos/manual/#sec-replace-modules
disabledModules =
[ "services/network-filesystems/tahoe.nix"
];
- # Load our tahoe-lafs module.
+ # Load our tahoe-lafs module. It is configurable in the way I want it to be
+ # configurable.
imports =
[ ./tahoe.nix
];
@@ -33,24 +36,71 @@ in
The package to use for the Tahoe-LAFS daemon.
'';
};
+ services.private-storage.publicIPv4 = lib.mkOption
+ { default = "127.0.0.1";
+ type = lib.types.str;
+ example = lib.literalExample "192.0.2.0";
+ description = ''
+ An IPv4 address to advertise for this storage service.
+ '';
+ };
+ services.private-storage.publicStoragePort = lib.mkOption
+ { default = 8898;
+ type = lib.types.int;
+ example = lib.literalExample 8098;
+ description = ''
+ The port number on which to service storage clients.
+ '';
+ };
};
+
+ # Define configuration based on values given for our options - starting with
+ # the option that says whether this is even turned on.
config = lib.mkIf cfg.enable
{ services.tahoe.nodes."storage" =
{ package = config.services.private-storage.tahoe.package;
+ # Each attribute in this set corresponds to a section in the tahoe.cfg
+ # file. Attributes on those sets correspond to individual assignments
+ # in those sections.
+ #
+ # We just populate this according to policy/preference of Private
+ # Storage.
sections =
{ node =
# XXX Should try to name that is unique across the grid.
{ nickname = "storage";
+ # We have the web port active because the CLI uses it. We may
+ # eventually turn this off, or at least have it off by default (with
+ # an option to turn it on). I don't know how much we'll use the CLI
+ # on the nodes. Maybe very little? Or maybe it will be part of a
+ # health check for the node... In any case, we tell it to bind to
+ # localhost so no one *else* can use it. And the principle of the
+ # web interface is that merely having access to it doesn't grant
+ # access to any data. It does grant access to storage capabilities
+ # but with our plugin configuration you still need ZKAPs to use
+ # those...
"web.port" = "tcp:3456:interface=127.0.0.1";
+ # We have to tell Tahoe-LAFS where to listen for Foolscap
+ # connections for the storage protocol. We have to tell it twice.
+ # First, in the syntax which it uses to listen.
+ "tub.port" = "tcp:${toString cfg.publicStoragePort}";
+ # Second, in the syntax it advertises to in the fURL.
+ "tub.location" = "tcp:${cfg.publicIPv4}:${toString cfg.publicStoragePort}";
};
storage =
{ enabled = true;
+ # Turn on our plugin.
plugins = "privatestorageio-zkapauthz-v1";
};
+ # It doesn't have any configuration *yet*.
"storageserver.plugins.privatestorageio-zkapauthz-v1" =
{
};
};
};
+
+ # Let traffic destined for the storage node's Foolscap server through.
+ networking.firewall.allowedTCPPorts = [ cfg.publicStoragePort ];
+
};
}