From 4012798e5e2b16fceb89054211008ae444e84130 Mon Sep 17 00:00:00 2001
From: Tom Prince <tom.prince@private.storage>
Date: Fri, 7 Jan 2022 12:35:06 -0700
Subject: [PATCH] Rebase: Factor out the configuration necessary for a monitored node into its own module.

This includes the host-based metrics collector, and the VPN client setup (including key deployment).
---
 morph/lib/issuer.nix | 30 ++--------------
 morph/lib/monitored-node.nix | 35 +++++++++++++++++++
 morph/lib/monitoring.nix | 3 +-
 morph/lib/storage.nix | 36 ++------------------
 nixos/modules/default.nix | 6 +++-
 nixos/modules/monitoring/exporters/node.nix | 4 ++-
 nixos/modules/monitoring/exporters/tahoe.nix | 9 +++++
 7 files changed, 59 insertions(+), 64 deletions(-)
 create mode 100644 morph/lib/monitored-node.nix

diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index 69b0527c..1f715171 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -2,12 +2,11 @@
 # "issuer"-type system.
 { lib, config, ...}:
 let
- inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnEndpoint monitoringvpnIPv4;
+ inherit (config.grid) privateKeyPath;
 inherit (config.grid.issuer) issuerDomains allowedChargeOrigins;
 in {
 imports = [
- ../../nixos/modules/monitoring/vpn/client.nix
- ../../nixos/modules/monitoring/exporters/node.nix
+ ./monitored-node.nix
 ];
 options.grid.issuer = {
@@ -47,26 +46,8 @@ in {
 permissions = "0400";
 action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
 };
-
- "monitoringvpn-secret-key" = {
- destination = "/run/keys/monitoringvpn/client.key";
- source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- "monitoringvpn-preshared-key" = {
- destination = "/run/keys/monitoringvpn/preshared.key";
- source = "${privateKeyPath}/monitoringvpn/preshared.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
 };
 };
-
 services.private-storage-issuer = {
 enable = true;
 tls = true;
@@ -79,13 +60,6 @@ in {
 domains = issuerDomains;
 };
- services.private-storage.monitoring.vpn.client = {
- enable = true;
- ip = monitoringvpnIPv4;
- endpoint = monitoringvpnEndpoint;
- endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
- };
-
 system.stateVersion = "19.03";
 };
 }
diff --git a/morph/lib/monitored-node.nix b/morph/lib/monitored-node.nix
new file mode 100644
index 00000000..b4e1f47e
--- /dev/null
+++ b/morph/lib/monitored-node.nix
@@ -0,0 +1,35 @@
+{ lib, config, ...}:
+let
+ inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnEndpoint monitoringvpnIPv4;
+in {
+ config = {
+ deployment = {
+ secrets = {
+ "monitoringvpn-secret-key" = {
+ destination = "/run/keys/monitoringvpn/client.key";
+ source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ destination = "/run/keys/monitoringvpn/preshared.key";
+ source = "${privateKeyPath}/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+ };
+
+ services.private-storage.monitoring.node.enable = true;
+ services.private-storage.monitoring.vpn.client = {
+ enable = true;
+ ip = monitoringvpnIPv4;
+ endpoint = monitoringvpnEndpoint;
+ endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
+ };
+ };
+}
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index d299d62a..cc7db265 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -31,7 +31,6 @@ in {
 ../../nixos/modules/monitoring/server/grafana.nix
 ../../nixos/modules/monitoring/server/prometheus.nix
 ../../nixos/modules/monitoring/server/loki.nix
- ../../nixos/modules/monitoring/exporters/node.nix
 ../../nixos/modules/monitoring/exporters/blackbox.nix
 ];
@@ -161,5 +160,7 @@ in {
 inherit letsEncryptAdminEmail;
 domains = cfg.monitoringDomains;
 };
+
+ services.private-storage.monitoring.node.enable = true;
 };
 }
diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix
index 9424784d..eba7f5f5 100644
--- a/morph/lib/storage.nix
+++ b/morph/lib/storage.nix
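Review bot: `services.private-storage.monitoring.node.enable = true;` near the bottom of this new module sets an option that nothing in this commit declares; the only `enable` option the commit adds is `services.private-storage.monitoring.exporters.node.enable` in nixos/modules/monitoring/exporters/node.nix, and the same `.monitoring.node.enable` path is used in morph/lib/monitoring.nix and in the new assertion in nixos/modules/monitoring/exporters/tahoe.nix. Unless a module outside this diff declares `.monitoring.node`, evaluation fails on an undefined option (or, if it is declared elsewhere, the node exporter silently stays disabled); either rename the declaration in node.nix or change the three uses to `services.private-storage.monitoring.exporters.node.enable = true;`. This file sets `services.private-storage.monitoring.vpn.client` and the node option without importing monitoring/vpn/client.nix or exporters/node.nix itself, and issuer.nix and storage.nix drop those imports too, so it relies on every host that imports it also importing nixos/modules/default.nix — worth stating in a header comment, which this file lacks while its siblings open with one such as `# "storage"-type system.`. `lib` in the argument set is unused.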
@@ -2,19 +2,12 @@
 # "storage"-type system.
 { lib, config, ...} :
 let
- inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnIPv4 monitoringvpnEndpoint;
+ inherit (config.grid) privateKeyPath;
 in {
 # Any extra NixOS modules to load on this server.
 imports = [
- # Bring in our module for configuring the Tahoe-LAFS service and other
- # Private Storage-specific things.
- ../../nixos/modules/private-storage.nix
- # Connect to the monitoringvpn.
- ../../nixos/modules/monitoring/vpn/client.nix
- # Expose base system metrics over the monitoringvpn.
- ../../nixos/modules/monitoring/exporters/node.nix
- # Collect Tahoe OpenMetrics statistics.
- ../../nixos/modules/monitoring/exporters/tahoe.nix
+ # Configure the node to be monitored.
+ ./monitored-node.nix
 ];
 options.grid.storage = {
@@ -48,22 +41,6 @@ in {
 # extract it from the tahoe-lafs nixos module somehow?
 action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
 };
- "monitoringvpn-secret-key" = {
- destination = "/run/keys/monitoringvpn/client.key";
- source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- "monitoringvpn-preshared-key" = {
- destination = "/run/keys/monitoringvpn/preshared.key";
- source = "${privateKeyPath}/monitoringvpn/preshared.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
 };
 };
@@ -77,12 +54,5 @@ in {
 ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
 inherit (config.grid.storage) passValue publicStoragePort;
 };
-
- services.private-storage.monitoring.vpn.client = {
- enable = true;
- ip = monitoringvpnIPv4;
- endpoint = monitoringvpnEndpoint;
- endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
- };
 };
 }
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index f7e247f9..c7dde9aa 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -10,8 +10,12 @@
 # configuration. If PaymentServer hasn't been enabled then the
 # configuration will just be ignored.
 imports = [
- ./packages.nix
 ./issuer.nix
+ ./monitoring/exporters/node.nix
 ./monitoring/exporters/promtail.nix
+ ./monitoring/exporters/tahoe.nix
+ ./monitoring/vpn/client.nix
+ ./packages.nix
+ ./private-storage.nix
 ];
 }
diff --git a/nixos/modules/monitoring/exporters/node.nix b/nixos/modules/monitoring/exporters/node.nix
index 6a84a31c..dbf15fb5 100644
--- a/nixos/modules/monitoring/exporters/node.nix
+++ b/nixos/modules/monitoring/exporters/node.nix
@@ -16,13 +16,15 @@ let
 in {
 options.services.private-storage.monitoring.exporters.node = {
+ enable = lib.mkEnableOption "Base sytsem metrics collection";
 textfiles-directory = lib.mkOption {
 type = lib.types.str;
 description = "Directory used by the textfiles collector.";
 default = "/run/prometheus-node-exporter";
 };
 };
- config.services.prometheus.exporters.node = {
+
+ config.services.prometheus.exporters.node = lib.mkIf cfg.enable {
 enable = true;
 openFirewall = true;
 firewallFilter = "-i monitoringvpn -p tcp -m tcp --dport 9100";
diff --git a/nixos/modules/monitoring/exporters/tahoe.nix b/nixos/modules/monitoring/exporters/tahoe.nix
index 087e6532..a31505c2 100644
--- a/nixos/modules/monitoring/exporters/tahoe.nix
+++ b/nixos/modules/monitoring/exporters/tahoe.nix
@@ -39,6 +39,15 @@ in {
 config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = config.services.private-storage.monitoring.node.enable;
+ message = ''
+ services.private-storage.monitoring.tahoe requires services.private-storage.monitoring.node to provide the textfile prometheus collector.
+ '';
+ }
+ ];
+
 environment.systemPackages = [ pkgs.curl ];
 systemd.services.tahoe-metrics-collector = {
-- 
GitLab
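Review bot: The new `enable` option in nixos/modules/monitoring/exporters/node.nix has a typo in its description, "sytsem", which ends up in the generated option documentation and in the "Whether to enable ..." text that mkEnableOption builds from it; change the line to `enable = lib.mkEnableOption "base system metrics collection";` (lowercase, since mkEnableOption supplies the prefix). `lib.mkIf cfg.enable` on the new `config.services.prometheus.exporters.node` line relies on `cfg` from the let block above the hunk, which is outside this view; confirm it resolves to `config.services.private-storage.monitoring.exporters.node`, the set this option is declared in, since otherwise the guard never becomes true. The `firewallFilter` context line keeps port 9100 reachable only on the monitoringvpn interface, which is the right default for an exporter that is now gated on an explicit enable; the enclosing attribute set continues past the end of the hunk.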