diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 8b23b6f1152be4fa94e8935342bf11f7706d036c..8bd686a023b704688c8708b2408d0c3df8287f13 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -5,6 +5,7 @@
, "monitoringvpnEndpoint": "192.168.67.24:51820"
, "passValue": 1000000
, "issuerDomains": ["payments.localdev"]
+, "monitoringDomains": ["monitoring.localdev"]
, "letsEncryptAdminEmail": "florian@privatestorage.io"
, "allowedChargeOrigins": [
"http://localhost:5000"
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 5502b8faa622b8af1e967978b714d4693961c603..4a1524c6b6b7f5e085766aec6a79af5b569e72ba 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -116,7 +116,7 @@ let
nodeExporterTargets
paymentExporterTargets
blackboxExporterHttpsTargets;
- inherit (grid-config) letsEncryptAdminEmail;
+ inherit (grid-config) letsEncryptAdminEmail monitoringDomains;
googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
enableSlackAlert = false;
monitoringvpnIPv4 = "172.23.23.1";
diff --git a/morph/grid/production/config.json b/morph/grid/production/config.json
index fcae1563a8fc0d3a8a11324fc6667105ae3179c8..1696b5fb3c45df94b8bf69aae9ca323e6bac2266 100644
--- a/morph/grid/production/config.json
+++ b/morph/grid/production/config.json
@@ -8,6 +8,10 @@
"payments.privatestorage.io"
, "payments.private.storage"
]
+, "monitoringDomains": [
+ "monitoring.privatestorage.io"
+ , "monitoring.private.storage"
+ ]
, "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
, "allowedChargeOrigins": [
"https://privatestorage.io"
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index b42f4a3e40f56bf3d1b9808b3e87d3f769c8e2a7..4f410abb2e53a1991f09f4fa30e377e252c5ca0d 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -49,7 +49,7 @@ let
nodeExporterTargets
paymentExporterTargets
blackboxExporterHttpsTargets;
- inherit (grid-config) letsEncryptAdminEmail;
+ inherit (grid-config) letsEncryptAdminEmail monitoringDomains;
googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
enableSlackAlert = true;
monitoringvpnIPv4 = "172.23.23.1";
diff --git a/morph/grid/testing/config.json b/morph/grid/testing/config.json
index a10840db52e8cd74bbac2a0ad38f4887c1a03258..7c3775df55ce76cf6048712e644a3f2669b6f07c 100644
--- a/morph/grid/testing/config.json
+++ b/morph/grid/testing/config.json
@@ -8,6 +8,10 @@
"payments.privatestorage-staging.com"
, "payments.extra.privatestorage-staging.com"
]
+, "monitoringDomains": [
+ "monitoring.privatestorage-staging.com"
+ , "monitoring.extra.privatestorage-staging.com"
+ ]
, "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
, "allowedChargeOrigins": [
"http://localhost:5000"
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index ea4cd56a0b7b17c168114579a287f57e03e96914..334518774851c22738c93b323223f255d871a394 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -62,7 +62,7 @@ let
nodeExporterTargets
paymentExporterTargets
blackboxExporterHttpsTargets;
- inherit (grid-config) letsEncryptAdminEmail;
+ inherit (grid-config) letsEncryptAdminEmail monitoringDomains;
googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
enableSlackAlert = true;
monitoringvpnIPv4 = "172.23.23.1";
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index ef89119f7f54d1b644c86f7a72129ebd6a79cae6..2899d9940d4309b81a31f96590f0d3df1d632dc4 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -11,6 +11,7 @@
# See ``customize-issuer.nix``.
, monitoringvpnIPv4
, letsEncryptAdminEmail
+, monitoringDomains
# A list of VPN IP addresses as strings indicating which clients will be
# allowed onto the VPN.
@@ -119,7 +120,7 @@ in {
inherit letsEncryptAdminEmail;
inherit googleOAuthClientID;
inherit enableSlackAlert;
- domain = "${config.networking.hostName}.${config.networking.domain}";
+ domains = monitoringDomains;
};
system.stateVersion = stateVersion;
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index da3eed73e59349b4faaf64ebb32c067e952917ae..98192fabd29ab6c2051c770a3398377e9df3e117 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -111,7 +111,6 @@ in {
# We'll refer to this collection of domains by the first domain in the
# list.
domain = builtins.head cfg.domains;
- certServiceName = "acme-${domain}";
# Payment server internal http port (arbitrary, non-priviledged):
internalHttpPort = "1061";
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index 1b51abd4b795a7d6dd8c4c4319beecae4162bb53..bbded5e99ebb578f0f2b7a930185951a35fe91b8 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -20,10 +20,10 @@ let
in {
options.services.private-storage.monitoring.grafana = {
- domain = lib.mkOption
- { type = lib.types.str;
- example = lib.literalExample "grafana.grid.private.storage";
- description = "The FQDN of the Grafana host";
+ domains = lib.mkOption
+ { type = lib.types.listOf lib.types.str;
+ example = [ "grafana.grid.private.storage" ];
+ description = "The domain names at which the server is reachable.";
};
prometheusUrl = lib.mkOption
{ type = lib.types.str;
@@ -79,13 +79,18 @@ in {
};
};
- config = {
+ config =
+ let
+ # We'll refer to this collection of domains by the first domain in the list.
+ domain = builtins.head cfg.domains;
+
+ in {
# Port 80 for ACME ssl retrieval only. 443 for nginx -> grafana.
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.grafana = {
enable = true;
- domain = cfg.domain;
+ domain = domain;
port = 2342;
addr = "127.0.0.1";
@@ -144,7 +149,7 @@ in {
is_default = true;
send_reminder = false;
settings = {
- username = "${cfg.domain}";
+ username = "${domain}";
uploadImage = true;
};
secure_settings = {
@@ -170,7 +175,8 @@ in {
# Only allow PFS-enabled ciphers with AES256:
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
- virtualHosts.${config.services.grafana.domain} = {
+ virtualHosts."${domain}" = {
+ serverAliases = builtins.tail cfg.domains;
enableACME = true;
forceSSL = true;
locations."/" = {