diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7e7348ffeeca9e8e39a16adabd7ce9b3eed0418f..3c24611a7b1619203c83730d65f65777400ecefa 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -88,6 +88,10 @@ morph-build-staging:
   variables:
     GRID: "testing"
 
+morph-build-hro-cloud:
+  <<: *MORPH_BUILD
+  variables:
+    GRID: "hro-cloud"
 
 morph-build-production:
   <<: *MORPH_BUILD
diff --git a/morph/grid/hro-cloud/config.json b/morph/grid/hro-cloud/config.json
new file mode 100644
index 0000000000000000000000000000000000000000..191e375166967d4f7d06833196fbac209615c940
--- /dev/null
+++ b/morph/grid/hro-cloud/config.json
@@ -0,0 +1,19 @@
+{ "domain": "deerfield.leastauthority.com"
+, "publicStoragePort": 8898
+, "privateKeyPath": "./private-keys"
+, "publicKeyPath": "./public-keys"
+, "monitoringvpnEndpoint": "monitoring.deerfield.leastauthority.com:51820"
+, "passValue": 1000000
+, "tokensPerVoucher": 150000
+, "issuerDomains": [
+    "payments.deerfield.leastauthority.com"
+  ]
+, "monitoringDomains": [
+    "monitoring.deerfield.leastauthority.com"
+]
+, "letsEncryptAdminEmail": "infrastructure@leastauthority.com"
+, "allowedChargeOrigins": [
+    "https://leastauthority.com"
+  ]
+, "monitoringGoogleOAuthClientID": ""
+}
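Review bot: `"tokensPerVoucher": 150000` is never read by anything in this commit. In grid.nix the payments node only does `inherit (grid-config) issuerDomains allowedChargeOrigins;`, so the new `tokensPerVoucher` option in issuer.nix stays at its `null` default and PaymentServer runs with its built-in value. If 150000 is intended, the grid.nix line should be `inherit (grid-config) issuerDomains allowedChargeOrigins tokensPerVoucher;`. Separately, `"monitoringGoogleOAuthClientID": ""` leaves Google sign-in unconfigured for the monitoring host. The module that consumes it is not shown, so confirm what authentication the dashboards fall back to.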
diff --git a/morph/grid/hro-cloud/grid.nix b/morph/grid/hro-cloud/grid.nix
new file mode 100644
index 0000000000000000000000000000000000000000..7e0f92485bb018d0a720edb36fcc3c978870faeb
--- /dev/null
+++ b/morph/grid/hro-cloud/grid.nix
@@ -0,0 +1,130 @@
+# See morph/grid/local/grid.nix for additional commentary.
+let
+  gridlib = import ../../lib;
+  grid-config = builtins.fromJSON (builtins.readFile ./config.json);
+
+  # Module with per-grid configuration
+  grid-module = {config, ...}: {
+    imports = [
+      gridlib.base
+      # Allow us to remotely trigger updates to this system.
+      ../../../nixos/modules/deployment.nix
+      # Give it a good SSH configuration.
+      ../../../nixos/modules/ssh.nix
+    ];
+    services.private-storage.sshUsers = import ./public-keys/users.nix;
+    networking.domain = grid-config.domain;
+    # Convert relative paths to absolute so library code can resolve names
+    # correctly.
+    grid = {
+      publicKeyPath = toString ./. + "/${grid-config.publicKeyPath}";
+      privateKeyPath = toString ./. + "/${grid-config.privateKeyPath}";
+      inherit (grid-config) monitoringvpnEndpoint letsEncryptAdminEmail;
+    };
+    # Configure deployment management authorization for all systems in the grid.
+    services.private-storage.deployment = {
+      authorizedKey = builtins.readFile "${config.grid.publicKeyPath}/deploy_key.pub";
+      gridName = "production";
+    };
+  };
+  payments = {
+    imports = [
+      gridlib.issuer
+      gridlib.hardware-payments-ovh
+      grid-module
+    ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.11";
+      grid.issuer = {
+        inherit (grid-config) issuerDomains allowedChargeOrigins;
+      };
+    };
+  };
+
+  monitoring = {
+    imports = [
+      gridlib.monitoring
+      gridlib.hardware-monitoring-ovh
+      grid-module
+    ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.1";
+      grid.monitoring = {
+        inherit paymentExporterTargets blackboxExporterHttpsTargets;
+        inherit (grid-config) monitoringDomains;
+        googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
+        enableSlackAlert = false;
+      };
+      system.stateVersion = "19.09";
+    };
+  };
+
+  defineStorageNode = name: { vpnIP, stateVersion }:
+  let
+    nodecfg = import (./. + "/${name}-config.nix");
+    hardware = (./. + "/${name}-hardware.nix");
+  in {
+    imports = [
+      # Get some of the very lowest-level system configuration for this
+      # node.  This isn't all *completely* hardware related.  Maybe some
+      # more factoring is in order, someday.
+      hardware
+
+      # Slightly awkwardly, enable some of our hardware / network / bootloader options.
+      ../../../nixos/modules/100tb.nix
+
+      # At least some of our storage nodes utilize MegaRAID storage controllers.
+      # Monitor their array status.
+      ../../../nixos/modules/monitoring/exporters/megacli2prom.nix
+
+      # Get all of the configuration that is common across all storage nodes.
+      gridlib.storage
+      # Also configure deployment management authorization
+      grid-module
+    ];
+
+    config = {
+      grid.monitoringvpnIPv4 = vpnIP;
+      grid.storage = {
+        inherit (grid-config) passValue publicStoragePort;
+      };
+      system.stateVersion = stateVersion;
+
+      # And supply configuration for those hardware / network / bootloader
+      # options.  See the 100tb module for handling of this value.  The module
+      # name is quoted because `1` makes `100tb` look an awful lot like a
+      # number.
+      "100tb".config = nodecfg;
+
+      # Enable statistics gathering for MegaRAID cards.
+      # TODO would be nice to enable only on machines that have such a device.
+      services.private-storage.monitoring.exporters.megacli2prom.enable = true;
+
+      # Disable Borg Backup for this grid!
+      services.private-storage.borgbackup.enable = false;
+    };
+  };
+
+  # Define all of the storage nodes for this grid.
+  storageNodes = builtins.mapAttrs defineStorageNode {
+    storage001 = { vpnIP = "172.23.23.21"; stateVersion = "19.09"; };
+    storage002 = { vpnIP = "172.23.23.22"; stateVersion = "19.09"; };
+    storage003 = { vpnIP = "172.23.23.23"; stateVersion = "19.09"; };
+  };
+
+  paymentExporterTargets = [ "payments.monitoringvpn" ];
+  blackboxExporterHttpsTargets = [
+    "https://deerfield.leastauthority.com/"
+    "https://www.deerfield.leastauthority.com/"
+    "https://payments.deerfield.leastauthority.com/"
+    "https://monitoring.deerfield.leastauthority.com/"
+  ];
+
+in {
+  network = {
+    description = "HRO Grid";
+    inherit (gridlib) pkgs;
+  };
+  inherit payments;
+  inherit monitoring;
+} // storageNodes
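Review bot: `gridName = "production";` in `services.private-storage.deployment` looks copied from the production grid, although this directory is `hro-cloud` and the CI job builds with `GRID: "hro-cloud"`. deployment.nix is not shown, but if it uses `gridName` to pick which `morph/grid/<name>` a remotely triggered update applies, these hosts would be updated from the production grid's definition. The line should probably read `gridName = "hro-cloud";`. The comment `# Disable Borg Backup for this grid!` would also be more useful if it said why backups are off and what protects the stored data instead.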
diff --git a/morph/grid/hro-cloud/public-keys/deploy_key.pub b/morph/grid/hro-cloud/public-keys/deploy_key.pub
new file mode 100644
index 0000000000000000000000000000000000000000..9338b184e6f67685f1a2a68d4338b8f755c2a473
--- /dev/null
+++ b/morph/grid/hro-cloud/public-keys/deploy_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2ME4kxDgS5KtwdITfq4hKuB6mQDv2zYsPcUlhXhZkS jehad@nixos
\ No newline at end of file
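Review bot: This deploy key is the same key as the `jbaeth` entry in public-keys/users.nix (same blob, same `jehad@nixos` comment), so the deployment credential is also a personal login key that users.nix adds to root's list. grid.nix passes this file to `services.private-storage.deployment.authorizedKey`, and any restriction deployment.nix puts on that key cannot be seen here. Even if it is restricted, sharing one key pair means the deploy credential cannot be rotated or revoked without also changing that person's access. Whichever system holds the private half for deployments then also holds a root login key. Generate a dedicated key pair for deployment on this grid and commit its public half here.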
diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.1.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.1.pub
new file mode 100644
index 0000000000000000000000000000000000000000..5e1f8829e4ce978bbfb35c86ab5578c9bfedf971
--- /dev/null
+++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.1.pub
@@ -0,0 +1 @@
+An7g9oexXQizNu6PTNWuLHDprwd5GydHHd2fuImvhGs=
diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.11.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.11.pub
new file mode 100644
index 0000000000000000000000000000000000000000..ca6afb607f2cb4197e2db5e087727a15e6e9baca
--- /dev/null
+++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.11.pub
@@ -0,0 +1 @@
+mVXVGBpS/rHp5qQG8izNdP/Tpj5TXO9CA4CGJ5c0cXk=
diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.21.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.21.pub
new file mode 100644
index 0000000000000000000000000000000000000000..ebd2e8f75964b0dec876a52022b2702e6361e48e
--- /dev/null
+++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.21.pub
@@ -0,0 +1 @@
+aKsdXaE+1YINE71pX2BLiaIrxeSXbr/F/lHo/gDSxG4=
diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.22.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.22.pub
new file mode 100644
index 0000000000000000000000000000000000000000..2f5ca047322a49b71c4451bba1c924477cf67239
--- /dev/null
+++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.22.pub
@@ -0,0 +1 @@
+GCnw0k/Y4HDkRCSpZ/hrpMIGQt6LViS7ub25cpbHm3Q=
diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.23.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.23.pub
new file mode 100644
index 0000000000000000000000000000000000000000..07cf3a9af3a8d9fcd708ddbab6dfd049c0409a7e
--- /dev/null
+++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.23.pub
@@ -0,0 +1 @@
+8xMB69/yQDyjfXbPWn3VWqXKqRT/yCZ/RGjy1hLBE2Y=
diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.24.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.24.pub
new file mode 100644
index 0000000000000000000000000000000000000000..c54c728a732d7ca083f9f5ac9e1cb7d82475101f
--- /dev/null
+++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.24.pub
@@ -0,0 +1 @@
+fPUnFOzBZRJDBdSR6iS5AaC40KKy/2REiM16hx+woxk=
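Review bot: This key and `172.23.23.25.pub` are added for VPN addresses that no node in grid.nix uses, since `storageNodes` defines only 172.23.23.21 to .23. How the monitoring VPN server builds its peer list is not visible in this diff. If it enumerates this directory, the two extra keys become authorised peers on the monitoring network with no host behind them. Drop both files until storage004 and storage005 exist, or add those nodes in the same change.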
diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.25.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.25.pub
new file mode 100644
index 0000000000000000000000000000000000000000..0ae6bb2adee18a318237aa020ab222be0b240aa9
--- /dev/null
+++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.25.pub
@@ -0,0 +1 @@
+qS4rT+zjWrbXDhtEF4oyGv8/5oCIE1ZU9FF+O6AL8V4=
diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/server.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/server.pub
new file mode 100644
index 0000000000000000000000000000000000000000..5e1f8829e4ce978bbfb35c86ab5578c9bfedf971
--- /dev/null
+++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/server.pub
@@ -0,0 +1 @@
+An7g9oexXQizNu6PTNWuLHDprwd5GydHHd2fuImvhGs=
diff --git a/morph/grid/hro-cloud/public-keys/users.nix b/morph/grid/hro-cloud/public-keys/users.nix
new file mode 100644
index 0000000000000000000000000000000000000000..0348536057b59f59ebefe1010fed7101fb02fd26
--- /dev/null
+++ b/morph/grid/hro-cloud/public-keys/users.nix
@@ -0,0 +1,13 @@
+let
+  jbaeth = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2ME4kxDgS5KtwdITfq4hKuB6mQDv2zYsPcUlhXhZkS jehad@nixos"];
+  bdonneaux = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZtWY7t8HVnaz6bluYsrAlzZC3MZtb8g0nO5L5fCQKR cardno:000619776016"];
+  flo = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6EUU/KNDr7y3m5OVWBZAuPiMJ4us3YOBEhxpG29yPN flo@la"];
+  lastresort = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1hy9mPkJI+7mY2Uq6CLpuFMMLOTfiY2sRJHwpihgRt cardno:26 269 859"
+                 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPYMUVNuWr2y+FL1GxW6S6jb3BWYhbzJ2zhvQVKu2ll cardno:23 845 763"];
+in {
+  "root" = jbaeth ++ bdonneaux ++ flo ++ lastresort;
+  "jbaeth" = jbaeth;
+  inherit bdonneaux;
+  inherit flo;
+  inherit lastresort;
+}
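Review bot: `"root" = jbaeth ++ bdonneaux ++ flo ++ lastresort;` gives every listed key a root entry, and nothing says who holds the two `lastresort` cards or when they are meant to be used. A comment above `lastresort`, for example `# Break-glass hardware tokens; holder and storage location: <fill in>`, would let a later reviewer tell which entries can be removed when someone leaves. How `sshUsers` is turned into authorized_keys lives in ssh.nix, which is not shown, so whether root login is restricted further cannot be confirmed from this hunk. As a style point, `"jbaeth" = jbaeth;` could be `inherit jbaeth;` to match the three lines below it.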
diff --git a/morph/grid/hro-cloud/storage001-config.nix b/morph/grid/hro-cloud/storage001-config.nix
new file mode 100644
index 0000000000000000000000000000000000000000..0bd4c2fb022f2a789eae876773eeb33b1f6c476c
--- /dev/null
+++ b/morph/grid/hro-cloud/storage001-config.nix
@@ -0,0 +1,8 @@
+#100tb
+{ "hostId" = "00000001";
+  "interface" = "eno1";
+  "publicIPv4" = "185.225.209.174";
+  "prefixLength" = 24;
+  "gateway" = "185.225.209.1";
+  "gatewayInterface" = "eno1";
+}
diff --git a/morph/grid/hro-cloud/storage001-hardware.nix b/morph/grid/hro-cloud/storage001-hardware.nix
new file mode 100644
index 0000000000000000000000000000000000000000..37d04225462c5f176c85e15e4e4272cc68d19c3e
--- /dev/null
+++ b/morph/grid/hro-cloud/storage001-hardware.nix
@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/d0837e6f-72cb-4ffa-85ba-fd57bbbd9a97";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/915E-08F9";
+      fsType = "vfat";
+    };
+
+  fileSystems."/storage" =
+    { device = "root";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/45eb994e-0d1b-4903-9412-920f0ba017c9"; }
+    ];
+
+  nix.maxJobs = lib.mkDefault 24;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
diff --git a/morph/grid/hro-cloud/storage002-config.nix b/morph/grid/hro-cloud/storage002-config.nix
new file mode 100644
index 0000000000000000000000000000000000000000..3ae425ade41ab36156be67cce2ceb0e455b9290c
--- /dev/null
+++ b/morph/grid/hro-cloud/storage002-config.nix
@@ -0,0 +1,8 @@
+#Servermania
+{ "hostId" = "00000002";
+  "interface" = "eno1";
+  "publicIPv4" = "38.170.241.34";
+  "prefixLength" = 29;
+  "gateway" = "38.170.241.33";
+  "gatewayInterface" = "eno1";
+}
diff --git a/morph/grid/hro-cloud/storage002-hardware.nix b/morph/grid/hro-cloud/storage002-hardware.nix
new file mode 100644
index 0000000000000000000000000000000000000000..c011e02f86e5da2e0f17c356e4e7507f6af97376
--- /dev/null
+++ b/morph/grid/hro-cloud/storage002-hardware.nix
@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "megaraid_sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+  boot.kernel.sysctl = { "vm.swappiness" = 0; };
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/c8d29070-c5d3-4cfb-9bb2-c14d3727c45b";
+      fsType = "ext4";
+    };
+
+  # Manually created using:
+  #   zpool create -m legacy -o ashift=12 root raidz /dev/disk/by-id/{wwn-0x5000cca25dcc966d,wwn-0x5000cca24cec02e3,wwn-0x5000cca25dcc7711,wwn-0x5000cca25dccca63,wwn-0x5000cca25dcc74b6,wwn-0x5000cca25dcc4591,wwn-0x5000cca25dcc4461}
+  fileSystems."/storage" = {
+    device = "root";
+    fsType = "zfs";
+  };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/3648-C8F5";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/51e0652f-46c9-4150-95a1-223f37154d4f"; }
+    ];
+
+  nix.maxJobs = lib.mkDefault 24;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
diff --git a/morph/grid/hro-cloud/storage003-config.nix b/morph/grid/hro-cloud/storage003-config.nix
new file mode 100644
index 0000000000000000000000000000000000000000..f5be748f2a41093e2cf9928d576fee12af72753c
--- /dev/null
+++ b/morph/grid/hro-cloud/storage003-config.nix
@@ -0,0 +1,9 @@
+#OVH
+{ "hostId" = "00000001";
+  "interface" = "eno3";
+  "publicIPv4" = "151.80.28.108";
+  "prefixLength" = 24;
+  "gateway" = "151.80.28.254";
+  "gatewayInterface" = "eno3";
+  "grubDeviceID" = "nvme-eui.e8238fa6bf530001001b448b463b77bf";
+}
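Review bot: `"hostId" = "00000001";` repeats the value already used in storage001-config.nix, while storage002 uses `00000002`, so this looks like a copy-paste slip. The host ID is supposed to be unique per machine. ZFS records it in the pool to detect a pool last used by a different host, and two nodes sharing one weakens that check. The line should presumably be `"hostId" = "00000003";`.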
diff --git a/morph/grid/hro-cloud/storage003-hardware.nix b/morph/grid/hro-cloud/storage003-hardware.nix
new file mode 100644
index 0000000000000000000000000000000000000000..f29193d199c383b66098712818677daf188b1092
--- /dev/null
+++ b/morph/grid/hro-cloud/storage003-hardware.nix
@@ -0,0 +1,34 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+  boot.supportedFilesystems = [ "zfs" ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/8f88c0f1-3aef-41ec-bfd7-55b4ba6c1341";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/23DC-4051";
+      fsType = "vfat";
+    };
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/b02af75a-ea3a-47cf-ad40-c6611ee4dc09"; }
+    ];
+  fileSystems."/storage" = {
+     device = "root";
+     fsType = "zfs";
+   };
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/morph/lib/default.nix b/morph/lib/default.nix
index c99c19a57e45a27e585830a8dfff95fa3d9d2efb..6b91aab9cb4cdd4a632745b0c09c13b3dca062c9 100644
--- a/morph/lib/default.nix
+++ b/morph/lib/default.nix
@@ -6,6 +6,8 @@
 
   hardware-aws = import ./issuer-aws.nix;
   hardware-vagrant = import ./hardware-vagrant.nix;
+  hardware-monitoring-ovh = import ./issuer-monitoring-ovh.nix;
+  hardware-payments-ovh = import ./issuer-payments-ovh.nix;
 
   issuer = import ./issuer.nix;
   storage = import ./storage.nix;
diff --git a/morph/lib/issuer-monitoring-ovh.nix b/morph/lib/issuer-monitoring-ovh.nix
new file mode 100644
index 0000000000000000000000000000000000000000..51a51afdfa913744a0bbe9116e6ed3c8786250a3
--- /dev/null
+++ b/morph/lib/issuer-monitoring-ovh.nix
@@ -0,0 +1,40 @@
+{ modulesPath, name, lib, ... }: {
+
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+  
+
+
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 4096; # megabytes
+    randomEncryption = true;
+  } ];
+
+  # Break the tie between AWS and morph for the hostname by forcing the
+  # morph-supplied name.  See also
+  # <https://github.com/DBCDK/morph/issues/146>.
+  networking.hostName = name;
+
+  # Mount a dedicated filesystem (ideally on a dedicated volume, but that's
+  # beyond control of this particular part of the system) for the
+  # PaymentServer voucher database.  This makes it easier to manage for
+  # tasks like backup/recovery and encryption.
+  services.private-storage-issuer.databaseFileSystem = {
+    label = "zkapissuer-data";
+  };
+
+  # Clean up packages after a while
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+  # Turn on automatic optimization of nix store
+  # https://nixos.wiki/wiki/Storage_optimization
+  nix.autoOptimiseStore = true;
+}
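Review bot: This hardware module is imported by the monitoring node in grid.nix, yet it sets `services.private-storage-issuer.databaseFileSystem`, which its own comment describes as the PaymentServer voucher database. That block looks carried over from the issuer file and should be removed here unless the monitoring host really mounts `zkapissuer-data`. The hostname comment still says `Break the tie between AWS and morph`, which is stale for an OVH host. The same comment is copied into issuer-payments-ovh.nix, and `# Force the morph-supplied name as the hostname.` would fit both. The `lib` argument is unused in both new files, and the swap, `nix.gc` and `autoOptimiseStore` settings are identical, so a shared module would keep the two from drifting.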
diff --git a/morph/lib/issuer-payments-ovh.nix b/morph/lib/issuer-payments-ovh.nix
new file mode 100644
index 0000000000000000000000000000000000000000..6408645038566a6be038899e27df9dd81e511004
--- /dev/null
+++ b/morph/lib/issuer-payments-ovh.nix
@@ -0,0 +1,36 @@
+{ modulesPath, name, lib, ... }: {
+
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; };
+  
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 4096; # megabytes
+    randomEncryption = true;
+  } ];
+
+  # Break the tie between AWS and morph for the hostname by forcing the
+  # morph-supplied name.  See also
+  # <https://github.com/DBCDK/morph/issues/146>.
+  networking.hostName = name;
+
+  # Mount a dedicated filesystem (ideally on a dedicated volume, but that's
+  # beyond control of this particular part of the system) for the
+  # PaymentServer voucher database.  This makes it easier to manage for
+  # tasks like backup/recovery and encryption.
+  services.private-storage-issuer.databaseFileSystem = {
+    label = "zkapissuer-data";
+  };
+
+  # Clean up packages after a while
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+  # Turn on automatic optimization of nix store
+  # https://nixos.wiki/wiki/Storage_optimization
+  nix.autoOptimiseStore = true;
+}
diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index 69d44d3104d03553f384b2b2d2e98a34557d2d84..dd5ca1ef78a5fd31511592df5037fdc97e776a0f 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -3,7 +3,7 @@
 { lib, config, ...}:
 let
   inherit (config.grid) privateKeyPath;
-  inherit (config.grid.issuer) issuerDomains allowedChargeOrigins;
+  inherit (config.grid.issuer) issuerDomains allowedChargeOrigins tokensPerVoucher;
 in {
   imports = [
     ./monitoringvpn-client.nix
@@ -25,6 +25,16 @@ in {
         to allow.
       '';
     };
+
+    tokensPerVoucher = lib.mkOption {
+      default = null;
+      type = lib.types.nullOr lib.types.int;
+      example = 50000;
+      description = ''
+        If not null, a value to pass to PaymentServer for
+        ``--tokens-per-voucher``.
+      '';
+    };
   };
 
   config = {
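Review bot: `type = lib.types.nullOr lib.types.int;` accepts zero and negative numbers for `tokensPerVoucher`, which would be passed to PaymentServer's `--tokens-per-voucher` unchecked. The value decides how many tokens a paid voucher yields, so rejecting nonsensical values at evaluation time is cheap insurance: `type = lib.types.nullOr lib.types.ints.positive;`. The description could also state what PaymentServer does when the option is left `null`. The enclosing `options` block begins above this hunk.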
@@ -67,6 +77,7 @@ in {
       inherit (config.grid) letsEncryptAdminEmail;
       inherit allowedChargeOrigins;
       domains = issuerDomains;
+      inherit tokensPerVoucher;
     };
 
     services.private-storage.monitoring.exporters.node.enable = true;
diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix
index 1fd8c26ce3db81ae405025d97abe6068ce2a6903..37efb8dfdbb4f9334607dcd694fdb6d66072f18d 100644
--- a/morph/lib/storage.nix
+++ b/morph/lib/storage.nix
@@ -47,7 +47,7 @@ in {
     services.private-storage.monitoring.exporters.node.enable = true;
     services.private-storage.monitoring.exporters.tahoe.enable = true;
 
-    services.private-storage.borgbackup.enable = true;
+    services.private-storage.borgbackup.enable = lib.mkDefault true;
 
     # Turn on the Private Storage (Tahoe-LAFS) service.
     services.private-storage = {
diff --git a/nixos/modules/100tb.nix b/nixos/modules/100tb.nix
index 87554ef316b3c25076260d0f43aa8008941580e2..12bb4b35b4c24acd28bfb9a5909809e0f9a8fdd0 100644
--- a/nixos/modules/100tb.nix
+++ b/nixos/modules/100tb.nix
@@ -68,6 +68,7 @@ let
     { type = lib.types.str;
       example = "wwn-0x5000c500936410b9";
       description = "The ID of the disk on which to install grub.";
+      default = "nodev";
     };
   };
 in {
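Review bot: `default = "nodev";` turns a missing `grubDeviceID` from an evaluation error into a silent decision not to install GRUB on any disk. It applies to every grid that imports this module, not only hro-cloud. storage001-config.nix and storage002-config.nix in this commit omit the field, which may be intended, but an accidental omission on any other node will now pass unnoticed as well. It would be safer to keep the option mandatory and have nodes that want no install write `"grubDeviceID" = "nodev";` explicitly. If the default stays, document the sentinel: `description = "The ID of the disk on which to install grub, or \"nodev\" to skip installing it.";`. The second hunk's `if cfg.grubDeviceID == "nodev"  then` carries a stray double space, and the option set starts above this hunk.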
@@ -103,8 +104,7 @@ in {
   config =
   { boot.loader.grub.enable = true;
     boot.loader.grub.version = 2;
-    boot.loader.grub.device = "/dev/disk/by-id/${cfg.grubDeviceID}";
-
+    boot.loader.grub.device = if cfg.grubDeviceID == "nodev"  then "nodev" else "/dev/disk/by-id/${cfg.grubDeviceID}";
     boot.loader.timeout = 10;
     networking.firewall.enable = false;