From 4012798e5e2b16fceb89054211008ae444e84130 Mon Sep 17 00:00:00 2001
From: Tom Prince <tom.prince@private.storage>
Date: Fri, 7 Jan 2022 12:35:06 -0700
Subject: [PATCH] Rebase: Factor out the configuration necessary for a
 monitored node into its own module.

This includes the host-based metrics collector, and the VPN client setup (including key deployment).
---
 morph/lib/issuer.nix                         | 30 ++--------------
 morph/lib/monitored-node.nix                 | 35 +++++++++++++++++++
 morph/lib/monitoring.nix                     |  3 +-
 morph/lib/storage.nix                        | 36 ++------------------
 nixos/modules/default.nix                    |  6 +++-
 nixos/modules/monitoring/exporters/node.nix  |  4 ++-
 nixos/modules/monitoring/exporters/tahoe.nix |  9 +++++
 7 files changed, 59 insertions(+), 64 deletions(-)
 create mode 100644 morph/lib/monitored-node.nix

diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index 69b0527c..1f715171 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -2,12 +2,11 @@
 # "issuer"-type system.
 { lib, config, ...}:
 let
-  inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnEndpoint monitoringvpnIPv4;
+  inherit (config.grid) privateKeyPath;
   inherit (config.grid.issuer) issuerDomains allowedChargeOrigins;
 in {
   imports = [
-    ../../nixos/modules/monitoring/vpn/client.nix
-    ../../nixos/modules/monitoring/exporters/node.nix
+    ./monitored-node.nix
   ];
 
   options.grid.issuer = {
@@ -47,26 +46,8 @@ in {
           permissions = "0400";
           action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
         };
-
-        "monitoringvpn-secret-key" = {
-          destination = "/run/keys/monitoringvpn/client.key";
-          source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
-          owner.user = "root";
-          owner.group = "root";
-          permissions = "0400";
-          action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-        };
-        "monitoringvpn-preshared-key" = {
-          destination = "/run/keys/monitoringvpn/preshared.key";
-          source = "${privateKeyPath}/monitoringvpn/preshared.key";
-          owner.user = "root";
-          owner.group = "root";
-          permissions = "0400";
-          action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-        };
       };
     };
-
     services.private-storage-issuer = {
       enable = true;
       tls = true;
@@ -79,13 +60,6 @@ in {
       domains = issuerDomains;
     };
 
-    services.private-storage.monitoring.vpn.client = {
-      enable = true;
-      ip = monitoringvpnIPv4;
-      endpoint = monitoringvpnEndpoint;
-      endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
-    };
-
     system.stateVersion = "19.03";
   };
 }
diff --git a/morph/lib/monitored-node.nix b/morph/lib/monitored-node.nix
new file mode 100644
index 00000000..b4e1f47e
--- /dev/null
+++ b/morph/lib/monitored-node.nix
@@ -0,0 +1,35 @@
+{ lib, config, ...}:
+let
+  inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnEndpoint monitoringvpnIPv4;
+in {
+  config = {
+    deployment = {
+      secrets = {
+        "monitoringvpn-secret-key" = {
+          destination = "/run/keys/monitoringvpn/client.key";
+          source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
+          owner.user = "root";
+          owner.group = "root";
+          permissions = "0400";
+          action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+        };
+        "monitoringvpn-preshared-key" = {
+          destination = "/run/keys/monitoringvpn/preshared.key";
+          source = "${privateKeyPath}/monitoringvpn/preshared.key";
+          owner.user = "root";
+          owner.group = "root";
+          permissions = "0400";
+          action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+        };
+      };
+    };
+
+    services.private-storage.monitoring.node.enable = true;
+    services.private-storage.monitoring.vpn.client = {
+      enable = true;
+      ip = monitoringvpnIPv4;
+      endpoint = monitoringvpnEndpoint;
+      endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
+    };
+  };
+}
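Review bot: `services.private-storage.monitoring.node.enable = true;` near the end of this file sets an option this commit never declares: the only enable option added is `services.private-storage.monitoring.exporters.node.enable` (node.nix hunk), so evaluation should fail with an undeclared-option error unless a module outside this diff declares the shorter path. The same path appears in monitoring.nix (`services.private-storage.monitoring.node.enable = true;`) and in the tahoe.nix assertion (`config.services.private-storage.monitoring.node.enable` plus its message text); all three should agree with node.nix, e.g. `services.private-storage.monitoring.exporters.node.enable = true;` here. This module also sets `services.private-storage.monitoring.vpn.client` without importing the module that declares it, now that issuer.nix and storage.nix no longer import `vpn/client.nix` and `exporters/node.nix` directly, so it presumably relies on `nixos/modules/default.nix` being imported elsewhere; a header comment should state that: `# Assumes nixos/modules/default.nix is imported, which declares the VPN client and node exporter options used below.`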
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index d299d62a..cc7db265 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -31,7 +31,6 @@ in {
     ../../nixos/modules/monitoring/server/grafana.nix
     ../../nixos/modules/monitoring/server/prometheus.nix
     ../../nixos/modules/monitoring/server/loki.nix
-    ../../nixos/modules/monitoring/exporters/node.nix
     ../../nixos/modules/monitoring/exporters/blackbox.nix
   ];
 
@@ -161,5 +160,7 @@ in {
       inherit letsEncryptAdminEmail;
       domains = cfg.monitoringDomains;
     };
+
+    services.private-storage.monitoring.node.enable = true;
   };
 }
diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix
index 9424784d..eba7f5f5 100644
--- a/morph/lib/storage.nix
+++ b/morph/lib/storage.nix
@@ -2,19 +2,12 @@
 # "storage"-type system.
 { lib, config, ...} :
 let
-  inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnIPv4 monitoringvpnEndpoint;
+  inherit (config.grid) privateKeyPath;
 in {
   # Any extra NixOS modules to load on this server.
   imports = [
-    # Bring in our module for configuring the Tahoe-LAFS service and other
-    # Private Storage-specific things.
-    ../../nixos/modules/private-storage.nix
-    # Connect to the monitoringvpn.
-    ../../nixos/modules/monitoring/vpn/client.nix
-    # Expose base system metrics over the monitoringvpn.
-    ../../nixos/modules/monitoring/exporters/node.nix
-    # Collect Tahoe OpenMetrics statistics.
-    ../../nixos/modules/monitoring/exporters/tahoe.nix
+    # Configure the node to be monitored.
+    ./monitored-node.nix
   ];
 
   options.grid.storage = {
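Review bot: The replacement comment `# Configure the node to be monitored.` drops the detail the removed comments carried (VPN client, base metrics, Tahoe statistics), and the private-storage and tahoe-exporter imports are no longer mentioned anywhere in this file although this node still depends on them. A comment naming what the import provides and where the rest presumably moved (the default.nix hunk adds them there) would keep the file self-explanatory, e.g. `# Join the monitoringvpn and export base system metrics (see monitored-node.nix); private-storage.nix and the tahoe exporter are now imported via nixos/modules/default.nix.`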
@@ -48,22 +41,6 @@ in {
           # extract it from the tahoe-lafs nixos module somehow?
           action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
         };
-        "monitoringvpn-secret-key" = {
-          destination = "/run/keys/monitoringvpn/client.key";
-          source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
-          owner.user = "root";
-          owner.group = "root";
-          permissions = "0400";
-          action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-        };
-        "monitoringvpn-preshared-key" = {
-          destination = "/run/keys/monitoringvpn/preshared.key";
-          source = "${privateKeyPath}/monitoringvpn/preshared.key";
-          owner.user = "root";
-          owner.group = "root";
-          permissions = "0400";
-          action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-        };
       };
     };
 
@@ -77,12 +54,5 @@ in {
       ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
       inherit (config.grid.storage) passValue publicStoragePort;
     };
-
-    services.private-storage.monitoring.vpn.client = {
-      enable = true;
-      ip = monitoringvpnIPv4;
-      endpoint = monitoringvpnEndpoint;
-      endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
-    };
   };
 }
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index f7e247f9..c7dde9aa 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -10,8 +10,12 @@
   # configuration.  If PaymentServer hasn't been enabled then the
   # configuration will just be ignored.
   imports = [
-    ./packages.nix
     ./issuer.nix
+    ./monitoring/exporters/node.nix
     ./monitoring/exporters/promtail.nix
+    ./monitoring/exporters/tahoe.nix
+    ./monitoring/vpn/client.nix
+    ./packages.nix
+    ./private-storage.nix
   ];
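Review bot: The comment above the import list (it starts outside the hunk) still justifies unconditional import only for the PaymentServer/issuer module, while the list now also pulls `private-storage.nix`, the tahoe exporter and the VPN client into every node. If each of those is gated by its own enable option (tahoe.nix is, per its `lib.mkIf cfg.enable`; the others are not visible here), the comment should say so generally rather than for issuer.nix alone, e.g. `# Every module listed here is gated by its own enable option, so importing all of them unconditionally is harmless.`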
 }
diff --git a/nixos/modules/monitoring/exporters/node.nix b/nixos/modules/monitoring/exporters/node.nix
index 6a84a31c..dbf15fb5 100644
--- a/nixos/modules/monitoring/exporters/node.nix
+++ b/nixos/modules/monitoring/exporters/node.nix
@@ -16,13 +16,15 @@ let
 
 in {
   options.services.private-storage.monitoring.exporters.node = {
+    enable = lib.mkEnableOption "Base sytsem metrics collection";
     textfiles-directory = lib.mkOption {
       type = lib.types.str;
       description = "Directory used by the textfiles collector.";
       default = "/run/prometheus-node-exporter";
     };
   };
-  config.services.prometheus.exporters.node = {
+
+  config.services.prometheus.exporters.node = lib.mkIf cfg.enable {
     enable = true;
     openFirewall = true;
     firewallFilter = "-i monitoringvpn -p tcp -m tcp --dport 9100";
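Review bot: The new enable option's description misspells "system": `enable = lib.mkEnableOption "Base system metrics collection";`. The `cfg` used in `lib.mkIf cfg.enable` is bound in the `let` block above the hunk; it needs to point at `config.services.private-storage.monitoring.exporters.node` to match the option declared here, which is worth confirming because the other hunks in this commit address the option as `services.private-storage.monitoring.node`.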
diff --git a/nixos/modules/monitoring/exporters/tahoe.nix b/nixos/modules/monitoring/exporters/tahoe.nix
index 087e6532..a31505c2 100644
--- a/nixos/modules/monitoring/exporters/tahoe.nix
+++ b/nixos/modules/monitoring/exporters/tahoe.nix
@@ -39,6 +39,15 @@ in {
 
   config =
     lib.mkIf cfg.enable {
+      assertions = [
+        {
+          assertion = config.services.private-storage.monitoring.node.enable;
+          message = ''
+            services.private-storage.monitoring.tahoe requires services.private-storage.monitoring.node to provide the textfile prometheus collector.
+          '';
+        }
+      ];
+
       environment.systemPackages = [ pkgs.curl ];
 
       systemd.services.tahoe-metrics-collector = {
-- 
GitLab