diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index 69b0527cd74e0752ded6ffbe7513db126f0613f5..1f715171625d75175d9c962160e4773d9c6765d2 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -2,12 +2,11 @@
# "issuer"-type system.
{ lib, config, ...}:
let
- inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnEndpoint monitoringvpnIPv4;
+ inherit (config.grid) privateKeyPath;
inherit (config.grid.issuer) issuerDomains allowedChargeOrigins;
in {
imports = [
- ../../nixos/modules/monitoring/vpn/client.nix
- ../../nixos/modules/monitoring/exporters/node.nix
+ ./monitored-node.nix
];
options.grid.issuer = {
@@ -47,26 +46,8 @@ in {
permissions = "0400";
action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
};
-
- "monitoringvpn-secret-key" = {
- destination = "/run/keys/monitoringvpn/client.key";
- source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- "monitoringvpn-preshared-key" = {
- destination = "/run/keys/monitoringvpn/preshared.key";
- source = "${privateKeyPath}/monitoringvpn/preshared.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
};
};
-
services.private-storage-issuer = {
enable = true;
tls = true;
@@ -79,13 +60,6 @@ in {
domains = issuerDomains;
};
- services.private-storage.monitoring.vpn.client = {
- enable = true;
- ip = monitoringvpnIPv4;
- endpoint = monitoringvpnEndpoint;
- endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
- };
-
system.stateVersion = "19.03";
};
}
diff --git a/morph/lib/monitored-node.nix b/morph/lib/monitored-node.nix
new file mode 100644
index 0000000000000000000000000000000000000000..b4e1f47ea1cf192f9470e6ffc2316cfcf8ec8b0a
--- /dev/null
+++ b/morph/lib/monitored-node.nix
@@ -0,0 +1,35 @@
+{ lib, config, ...}:
+let
+ inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnEndpoint monitoringvpnIPv4;
+in {
+ config = {
+ deployment = {
+ secrets = {
+ "monitoringvpn-secret-key" = {
+ destination = "/run/keys/monitoringvpn/client.key";
+ source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ destination = "/run/keys/monitoringvpn/preshared.key";
+ source = "${privateKeyPath}/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+ };
+
+ services.private-storage.monitoring.node.enable = true;
+ services.private-storage.monitoring.vpn.client = {
+ enable = true;
+ ip = monitoringvpnIPv4;
+ endpoint = monitoringvpnEndpoint;
+ endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
+ };
+ };
+}
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index d299d62ae7997511897517f9574e33c6de94b7a5..cc7db265b1673e596f510fae0e8bb9054b2bfd60 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -31,7 +31,6 @@ in {
../../nixos/modules/monitoring/server/grafana.nix
../../nixos/modules/monitoring/server/prometheus.nix
../../nixos/modules/monitoring/server/loki.nix
- ../../nixos/modules/monitoring/exporters/node.nix
../../nixos/modules/monitoring/exporters/blackbox.nix
];
@@ -161,5 +160,7 @@ in {
inherit letsEncryptAdminEmail;
domains = cfg.monitoringDomains;
};
+
+ services.private-storage.monitoring.node.enable = true;
};
}
diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix
index 9424784dcd33b8e12b9da9cc309a657be07f66b3..eba7f5f5841df3aedd3157707d8005142f778410 100644
--- a/morph/lib/storage.nix
+++ b/morph/lib/storage.nix
@@ -2,19 +2,12 @@
# "storage"-type system.
{ lib, config, ...} :
let
- inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnIPv4 monitoringvpnEndpoint;
+ inherit (config.grid) privateKeyPath;
in {
# Any extra NixOS modules to load on this server.
imports = [
- # Bring in our module for configuring the Tahoe-LAFS service and other
- # Private Storage-specific things.
- ../../nixos/modules/private-storage.nix
- # Connect to the monitoringvpn.
- ../../nixos/modules/monitoring/vpn/client.nix
- # Expose base system metrics over the monitoringvpn.
- ../../nixos/modules/monitoring/exporters/node.nix
- # Collect Tahoe OpenMetrics statistics.
- ../../nixos/modules/monitoring/exporters/tahoe.nix
+ # Configure the node to be monitored.
+ ./monitored-node.nix
];
options.grid.storage = {
@@ -48,22 +41,6 @@ in {
# extract it from the tahoe-lafs nixos module somehow?
action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
};
- "monitoringvpn-secret-key" = {
- destination = "/run/keys/monitoringvpn/client.key";
- source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- "monitoringvpn-preshared-key" = {
- destination = "/run/keys/monitoringvpn/preshared.key";
- source = "${privateKeyPath}/monitoringvpn/preshared.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
};
};
@@ -77,12 +54,5 @@ in {
ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
inherit (config.grid.storage) passValue publicStoragePort;
};
-
- services.private-storage.monitoring.vpn.client = {
- enable = true;
- ip = monitoringvpnIPv4;
- endpoint = monitoringvpnEndpoint;
- endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
- };
};
}
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index f7e247f99406ad982c3b1e59d8248e2c80a3a658..c7dde9aa5e285aac58283d2ac2a44b0dec9bc566 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -10,8 +10,12 @@
# configuration. If PaymentServer hasn't been enabled then the
# configuration will just be ignored.
imports = [
- ./packages.nix
./issuer.nix
+ ./monitoring/exporters/node.nix
./monitoring/exporters/promtail.nix
+ ./monitoring/exporters/tahoe.nix
+ ./monitoring/vpn/client.nix
+ ./packages.nix
+ ./private-storage.nix
];
}
diff --git a/nixos/modules/monitoring/exporters/node.nix b/nixos/modules/monitoring/exporters/node.nix
index 6a84a31ce58859969e2fb08cff79abb957c6099e..dbf15fb5f4f27c57a86cb726637f0cbfe26e317b 100644
--- a/nixos/modules/monitoring/exporters/node.nix
+++ b/nixos/modules/monitoring/exporters/node.nix
@@ -16,13 +16,15 @@ let
in {
options.services.private-storage.monitoring.exporters.node = {
+ enable = lib.mkEnableOption "Base sytsem metrics collection";
textfiles-directory = lib.mkOption {
type = lib.types.str;
description = "Directory used by the textfiles collector.";
default = "/run/prometheus-node-exporter";
};
};
- config.services.prometheus.exporters.node = {
+
+ config.services.prometheus.exporters.node = lib.mkIf cfg.enable {
enable = true;
openFirewall = true;
firewallFilter = "-i monitoringvpn -p tcp -m tcp --dport 9100";
diff --git a/nixos/modules/monitoring/exporters/tahoe.nix b/nixos/modules/monitoring/exporters/tahoe.nix
index 087e6532e372b11bb2db826456957fa14dfa3c3d..a31505c257ddda0bd67fb5b321bbdcbcc32c0f90 100644
--- a/nixos/modules/monitoring/exporters/tahoe.nix
+++ b/nixos/modules/monitoring/exporters/tahoe.nix
@@ -39,6 +39,15 @@ in {
config =
lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = config.services.private-storage.monitoring.node.enable;
+ message = ''
+ services.private-storage.monitoring.tahoe requires services.private-storage.monitoring.node to provide the textfile prometheus collector.
+ '';
+ }
+ ];
+
environment.systemPackages = [ pkgs.curl ];
systemd.services.tahoe-metrics-collector = {