From 8fbe982752bbc276e99008b581f8e3b7d06c60d9 Mon Sep 17 00:00:00 2001 From: jehad <jehad@leastauthority.com> Date: Thu, 18 Aug 2022 12:38:20 +0200 Subject: [PATCH] working update without configurable token count Co-authored-by: Benoit Donneaux <benoit@leastauthority.com> Signed-off-by: Benoit Donneaux <benoit@leastauthority.com> --- morph/grid/hro-cloud/config.json | 18 +++ morph/grid/hro-cloud/grid.nix | 130 ++++++++++++++++++ .../grid/hro-cloud/public-keys/deploy_key.pub | 1 + .../public-keys/monitoringvpn/172.23.23.1.pub | 1 + .../monitoringvpn/172.23.23.11.pub | 1 + .../monitoringvpn/172.23.23.21.pub | 1 + .../monitoringvpn/172.23.23.22.pub | 1 + .../monitoringvpn/172.23.23.23.pub | 1 + .../monitoringvpn/172.23.23.24.pub | 1 + .../monitoringvpn/172.23.23.25.pub | 1 + .../public-keys/monitoringvpn/server.pub | 1 + morph/grid/hro-cloud/public-keys/users.nix | 6 + morph/grid/hro-cloud/storage001-config.nix | 14 ++ morph/grid/hro-cloud/storage001-hardware.nix | 37 +++++ morph/grid/hro-cloud/storage002-config.nix | 14 ++ morph/grid/hro-cloud/storage002-hardware.nix | 40 ++++++ morph/grid/hro-cloud/storage003-config.nix | 11 ++ morph/grid/hro-cloud/storage003-hardware.nix | 41 ++++++ morph/lib/default.nix | 2 + morph/lib/issuer-monitoring-ovh.nix | 40 ++++++ morph/lib/issuer-payments-ovh.nix | 36 +++++ morph/lib/storage.nix | 2 +- nixos/modules/100tb.nix | 30 +++- 23 files changed, 427 insertions(+), 3 deletions(-) create mode 100644 morph/grid/hro-cloud/config.json create mode 100644 morph/grid/hro-cloud/grid.nix create mode 100644 morph/grid/hro-cloud/public-keys/deploy_key.pub create mode 100644 morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.1.pub create mode 100644 morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.11.pub create mode 100644 morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.21.pub create mode 100644 morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.22.pub create mode 100644 morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.23.pub create mode 100644 morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.24.pub create mode 100644 morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.25.pub create mode 100644 morph/grid/hro-cloud/public-keys/monitoringvpn/server.pub create mode 100644 morph/grid/hro-cloud/public-keys/users.nix create mode 100644 morph/grid/hro-cloud/storage001-config.nix create mode 100644 morph/grid/hro-cloud/storage001-hardware.nix create mode 100644 morph/grid/hro-cloud/storage002-config.nix create mode 100644 morph/grid/hro-cloud/storage002-hardware.nix create mode 100644 morph/grid/hro-cloud/storage003-config.nix create mode 100644 morph/grid/hro-cloud/storage003-hardware.nix create mode 100644 morph/lib/issuer-monitoring-ovh.nix create mode 100644 morph/lib/issuer-payments-ovh.nix diff --git a/morph/grid/hro-cloud/config.json b/morph/grid/hro-cloud/config.json new file mode 100644 index 00000000..dca2b2ec --- /dev/null +++ b/morph/grid/hro-cloud/config.json @@ -0,0 +1,18 @@ +{ "domain": "deerfield.leastauthority.com" +, "publicStoragePort": 8898 +, "privateKeyPath": "./private-keys" +, "publicKeyPath": "./public-keys" +, "monitoringvpnEndpoint": "monitoring.deerfield.leastauthority.com:51820" +, "passValue": 1000000 +, "issuerDomains": [ + "payments.deerfield.leastauthority.com" + ] +, "monitoringDomains": [ + "monitoring.deerfield.leastauthority.com" +] +, "letsEncryptAdminEmail": "infrastructure@leastauthority.com" +, "allowedChargeOrigins": [ + "https://leastauthority.com" + ] +, "monitoringGoogleOAuthClientID": "" +} diff --git a/morph/grid/hro-cloud/grid.nix b/morph/grid/hro-cloud/grid.nix new file mode 100644 index 00000000..bd7ee0f6 --- /dev/null +++ b/morph/grid/hro-cloud/grid.nix @@ -0,0 +1,130 @@ +# See morph/grid/local/grid.nix for additional commentary. +let + gridlib = import ../../lib; + grid-config = builtins.fromJSON (builtins.readFile ./config.json); + + # Module with per-grid configuration + grid-module = {config, ...}: { + imports = [ + gridlib.base + # Allow us to remotely trigger updates to this system. + ../../../nixos/modules/deployment.nix + # Give it a good SSH configuration. + ../../../nixos/modules/ssh.nix + ]; + services.private-storage.sshUsers = import ./public-keys/users.nix; + networking.domain = grid-config.domain; + # Convert relative paths to absolute so library code can resolve names + # correctly. + grid = { + publicKeyPath = toString ./. + "/${grid-config.publicKeyPath}"; + privateKeyPath = toString ./. + "/${grid-config.privateKeyPath}"; + inherit (grid-config) monitoringvpnEndpoint letsEncryptAdminEmail; + }; + # Configure deployment management authorization for all systems in the grid. + services.private-storage.deployment = { + authorizedKey = builtins.readFile "${config.grid.publicKeyPath}/deploy_key.pub"; + gridName = "production"; + }; + }; + payments = { + imports = [ + gridlib.issuer + gridlib.hardware-payments-ovh + grid-module + ]; + config = { + grid.monitoringvpnIPv4 = "172.23.23.11"; + grid.issuer = { + inherit (grid-config) issuerDomains allowedChargeOrigins; + }; + }; + }; + + monitoring = { + imports = [ + gridlib.monitoring + gridlib.hardware-monitoring-ovh + grid-module + ]; + config = { + grid.monitoringvpnIPv4 = "172.23.23.1"; + grid.monitoring = { + inherit paymentExporterTargets blackboxExporterHttpsTargets; + inherit (grid-config) monitoringDomains; + googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID; + enableSlackAlert = false; + }; + system.stateVersion = "19.09"; + }; + }; + + defineStorageNode = name: { vpnIP, stateVersion }: + let + nodecfg = import "${./.}/${name}-config.nix"; + hardware ="${./.}/${name}-hardware.nix"; + in { + imports = [ + # Get some of the very lowest-level system configuration for this + # node. This isn't all *completely* hardware related. Maybe some + # more factoring is in order, someday. + hardware + + # Slightly awkwardly, enable some of our hardware / network / bootloader options. + ../../../nixos/modules/100tb.nix + + # At least some of our storage nodes utilize MegaRAID storage controllers. + # Monitor their array status. + ../../../nixos/modules/monitoring/exporters/megacli2prom.nix + + # Get all of the configuration that is common across all storage nodes. + gridlib.storage + # Also configure deployment management authorization + grid-module + ]; + + config = { + grid.monitoringvpnIPv4 = vpnIP; + grid.storage = { + inherit (grid-config) passValue publicStoragePort; + }; + system.stateVersion = stateVersion; + + # And supply configuration for those hardware / network / bootloader + # options. See the 100tb module for handling of this value. The module + # name is quoted because `1` makes `100tb` look an awful lot like a + # number. + "100tb".config = nodecfg; + + # Enable statistics gathering for MegaRAID cards. + # TODO would be nice to enable only on machines that have such a device. + services.private-storage.monitoring.exporters.megacli2prom.enable = true; + + # Disable Borg Backup for this grid! + services.private-storage.borgbackup.enable = false; + }; + }; + + # Define all of the storage nodes for this grid. + storageNodes = builtins.mapAttrs defineStorageNode { + storage001 = { vpnIP = "172.23.23.21"; stateVersion = "19.09"; }; + storage002 = { vpnIP = "172.23.23.22"; stateVersion = "19.09"; }; + storage003 = { vpnIP = "172.23.23.23"; stateVersion = "19.09"; }; + }; + + paymentExporterTargets = [ "payments.monitoringvpn" ]; + blackboxExporterHttpsTargets = [ + "https://deerfield.leastauthority.com/" + "https://www.deerfield.leastauthority.com/" + "https://payments.deerfield.leastauthority.com/" + "https://monitoring.deerfield.leastauthority.com/" + ]; + +in { + network = { + description = "HRO Grid"; + inherit (gridlib) pkgs; + }; + inherit payments; + inherit monitoring; +} // storageNodes diff --git a/morph/grid/hro-cloud/public-keys/deploy_key.pub b/morph/grid/hro-cloud/public-keys/deploy_key.pub new file mode 100644 index 00000000..9338b184 --- /dev/null +++ b/morph/grid/hro-cloud/public-keys/deploy_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2ME4kxDgS5KtwdITfq4hKuB6mQDv2zYsPcUlhXhZkS jehad@nixos \ No newline at end of file diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.1.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.1.pub new file mode 100644 index 00000000..5e1f8829 --- /dev/null +++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.1.pub @@ -0,0 +1 @@ +An7g9oexXQizNu6PTNWuLHDprwd5GydHHd2fuImvhGs= diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.11.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.11.pub new file mode 100644 index 00000000..ca6afb60 --- /dev/null +++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.11.pub @@ -0,0 +1 @@ +mVXVGBpS/rHp5qQG8izNdP/Tpj5TXO9CA4CGJ5c0cXk= diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.21.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.21.pub new file mode 100644 index 00000000..ebd2e8f7 --- /dev/null +++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.21.pub @@ -0,0 +1 @@ +aKsdXaE+1YINE71pX2BLiaIrxeSXbr/F/lHo/gDSxG4= diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.22.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.22.pub new file mode 100644 index 00000000..2f5ca047 --- /dev/null +++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.22.pub @@ -0,0 +1 @@ +GCnw0k/Y4HDkRCSpZ/hrpMIGQt6LViS7ub25cpbHm3Q= diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.23.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.23.pub new file mode 100644 index 00000000..07cf3a9a --- /dev/null +++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.23.pub @@ -0,0 +1 @@ +8xMB69/yQDyjfXbPWn3VWqXKqRT/yCZ/RGjy1hLBE2Y= diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.24.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.24.pub new file mode 100644 index 00000000..c54c728a --- /dev/null +++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.24.pub @@ -0,0 +1 @@ +fPUnFOzBZRJDBdSR6iS5AaC40KKy/2REiM16hx+woxk= diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.25.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.25.pub new file mode 100644 index 00000000..0ae6bb2a --- /dev/null +++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/172.23.23.25.pub @@ -0,0 +1 @@ +qS4rT+zjWrbXDhtEF4oyGv8/5oCIE1ZU9FF+O6AL8V4= diff --git a/morph/grid/hro-cloud/public-keys/monitoringvpn/server.pub b/morph/grid/hro-cloud/public-keys/monitoringvpn/server.pub new file mode 100644 index 00000000..5e1f8829 --- /dev/null +++ b/morph/grid/hro-cloud/public-keys/monitoringvpn/server.pub @@ -0,0 +1 @@ +An7g9oexXQizNu6PTNWuLHDprwd5GydHHd2fuImvhGs= diff --git a/morph/grid/hro-cloud/public-keys/users.nix b/morph/grid/hro-cloud/public-keys/users.nix new file mode 100644 index 00000000..953c20d1 --- /dev/null +++ b/morph/grid/hro-cloud/public-keys/users.nix @@ -0,0 +1,6 @@ +let + jbaeth = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2ME4kxDgS5KtwdITfq4hKuB6mQDv2zYsPcUlhXhZkS jehad@nixos"]; +in { + "root" = jbaeth; + "jbaeth" = jbaeth; +} diff --git a/morph/grid/hro-cloud/storage001-config.nix b/morph/grid/hro-cloud/storage001-config.nix new file mode 100644 index 00000000..d4f4082c --- /dev/null +++ b/morph/grid/hro-cloud/storage001-config.nix @@ -0,0 +1,14 @@ +#100tb +{ "hostId" = "00000001"; + "interface" = "eno1"; + "publicIPv4" = "185.225.209.174"; + "prefixLength" = 24; + "gateway" = "185.225.209.173"; + "gatewayInterface" = "eno1"; + "grubDeviceID" = "nodev"; #might be wrong + "efiSupport" = true; + #"efiInstallAsRemovable" = true; + "fsIdentifier" = "label"; + #"canTouchEfiVariables" = false; + "systemd-boot" = false; +} diff --git a/morph/grid/hro-cloud/storage001-hardware.nix b/morph/grid/hro-cloud/storage001-hardware.nix new file mode 100644 index 00000000..80608f1a --- /dev/null +++ b/morph/grid/hro-cloud/storage001-hardware.nix @@ -0,0 +1,37 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/d0837e6f-72cb-4ffa-85ba-fd57bbbd9a97"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/915E-08F9"; + fsType = "vfat"; + }; + + fileSystems."/storage" = + { device = "root"; + fsType = "zfs"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/45eb994e-0d1b-4903-9412-920f0ba017c9"; } + ]; + + nix.maxJobs = lib.mkDefault 24; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/morph/grid/hro-cloud/storage002-config.nix b/morph/grid/hro-cloud/storage002-config.nix new file mode 100644 index 00000000..270160fd --- /dev/null +++ b/morph/grid/hro-cloud/storage002-config.nix @@ -0,0 +1,14 @@ +#Servermania +{ "hostId" = "00000002"; + "interface" = "eno1"; + "publicIPv4" = "104.144.74.50"; + "prefixLength" = 29; + "gateway" = "104.144.74.49"; + "gatewayInterface" = "eno1"; + "grubDeviceID" = "nodev"; #nodev if we want to use efi (double check) + #"canTouchEfiVariables" = false; + "efiSupport" = true; + #"efiInstallAsRemovable" = true; + "fsIdentifier" = "label"; + "systemd-boot" = false; +} diff --git a/morph/grid/hro-cloud/storage002-hardware.nix b/morph/grid/hro-cloud/storage002-hardware.nix new file mode 100644 index 00000000..c011e02f --- /dev/null +++ b/morph/grid/hro-cloud/storage002-hardware.nix @@ -0,0 +1,40 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "megaraid_sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + boot.kernel.sysctl = { "vm.swappiness" = 0; }; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/c8d29070-c5d3-4cfb-9bb2-c14d3727c45b"; + fsType = "ext4"; + }; + + # Manually created using: + # zpool create -m legacy -o ashift=12 root raidz /dev/disk/by-id/{wwn-0x5000cca25dcc966d,wwn-0x5000cca24cec02e3,wwn-0x5000cca25dcc7711,wwn-0x5000cca25dccca63,wwn-0x5000cca25dcc74b6,wwn-0x5000cca25dcc4591,wwn-0x5000cca25dcc4461} + fileSystems."/storage" = { + device = "root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/3648-C8F5"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/51e0652f-46c9-4150-95a1-223f37154d4f"; } + ]; + + nix.maxJobs = lib.mkDefault 24; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/morph/grid/hro-cloud/storage003-config.nix b/morph/grid/hro-cloud/storage003-config.nix new file mode 100644 index 00000000..6abce610 --- /dev/null +++ b/morph/grid/hro-cloud/storage003-config.nix @@ -0,0 +1,11 @@ +#OVH +{ "hostId" = "00000001"; + "interface" = "eno3"; + "publicIPv4" = "151.80.28.108"; + "prefixLength" = 24; + "gateway" = "151.80.28.254"; + "gatewayInterface" = "eno3"; + "grubDeviceID" = "nodev"; + #"grubDeviceID" = "nvme-eui.e8238fa6bf530001001b448b463b77bf"; + "systemd-boot" = true; +} diff --git a/morph/grid/hro-cloud/storage003-hardware.nix b/morph/grid/hro-cloud/storage003-hardware.nix new file mode 100644 index 00000000..3ff55090 --- /dev/null +++ b/morph/grid/hro-cloud/storage003-hardware.nix @@ -0,0 +1,41 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "megaraid_sas" "usbhid" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + boot.supportedFilesystems = [ "zfs" ]; + boot.kernel.sysctl = { "vm.swappiness" = 0; }; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/56a050e2-daee-40e2-becb-17d1f7908ceb"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/B89B-F110"; + fsType = "vfat"; + }; + + # Manually created using: + # zpool create -f -m legacy -o ashift=12 root raidz /dev/disk/by-id/{wwn-0x5000cca249d43969,wwn-0x5000039a8bc0075e,wwn-0x5000cca249d44a67,wwn-0x5000cca249d46730,wwn-0x5000cca25dcc719c,wwn-0x5000cca25dcc0241,wwn-0x5000039a8bc00765} + fileSystems."/storage" = + { device = "root"; + fsType = "zfs"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/e47cfddc-485c-46fb-9004-c9b8619b81ff"; } + ]; + + nix.maxJobs = lib.mkDefault 24; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/morph/lib/default.nix b/morph/lib/default.nix index c99c19a5..6b91aab9 100644 --- a/morph/lib/default.nix +++ b/morph/lib/default.nix @@ -6,6 +6,8 @@ hardware-aws = import ./issuer-aws.nix; hardware-vagrant = import ./hardware-vagrant.nix; + hardware-monitoring-ovh = import ./issuer-monitoring-ovh.nix; + hardware-payments-ovh = import ./issuer-payments-ovh.nix; issuer = import ./issuer.nix; storage = import ./storage.nix; diff --git a/morph/lib/issuer-monitoring-ovh.nix b/morph/lib/issuer-monitoring-ovh.nix new file mode 100644 index 00000000..51a51afd --- /dev/null +++ b/morph/lib/issuer-monitoring-ovh.nix @@ -0,0 +1,40 @@ +{ modulesPath, name, lib, ... }: { + + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + boot.loader.grub.device = "/dev/sda"; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; + + + + swapDevices = [ { + device = "/var/swapfile"; + size = 4096; # megabytes + randomEncryption = true; + } ]; + + # Break the tie between AWS and morph for the hostname by forcing the + # morph-supplied name. See also + # <https://github.com/DBCDK/morph/issues/146>. + networking.hostName = name; + + # Mount a dedicated filesystem (ideally on a dedicated volume, but that's + # beyond control of this particular part of the system) for the + # PaymentServer voucher database. This makes it easier to manage for + # tasks like backup/recovery and encryption. + services.private-storage-issuer.databaseFileSystem = { + label = "zkapissuer-data"; + }; + + # Clean up packages after a while + nix.gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; + + # Turn on automatic optimization of nix store + # https://nixos.wiki/wiki/Storage_optimization + nix.autoOptimiseStore = true; +} diff --git a/morph/lib/issuer-payments-ovh.nix b/morph/lib/issuer-payments-ovh.nix new file mode 100644 index 00000000..73c606f6 --- /dev/null +++ b/morph/lib/issuer-payments-ovh.nix @@ -0,0 +1,36 @@ +{ modulesPath, name, lib, ... }: { + + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + boot.loader.grub.device = "/dev/sda"; + fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; + + swapDevices = [ { + device = "/var/swapfile"; + size = 4096; # megabytes + randomEncryption = true; + } ]; + + # Break the tie between AWS and morph for the hostname by forcing the + # morph-supplied name. See also + # <https://github.com/DBCDK/morph/issues/146>. + networking.hostName = name; + + # Mount a dedicated filesystem (ideally on a dedicated volume, but that's + # beyond control of this particular part of the system) for the + # PaymentServer voucher database. This makes it easier to manage for + # tasks like backup/recovery and encryption. + services.private-storage-issuer.databaseFileSystem = { + label = "zkapissuer-data"; + }; + + # Clean up packages after a while + nix.gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; + + # Turn on automatic optimization of nix store + # https://nixos.wiki/wiki/Storage_optimization + nix.autoOptimiseStore = true; +} diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix index 1fd8c26c..37efb8df 100644 --- a/morph/lib/storage.nix +++ b/morph/lib/storage.nix @@ -47,7 +47,7 @@ in { services.private-storage.monitoring.exporters.node.enable = true; services.private-storage.monitoring.exporters.tahoe.enable = true; - services.private-storage.borgbackup.enable = true; + services.private-storage.borgbackup.enable = lib.mkDefault true; # Turn on the Private Storage (Tahoe-LAFS) service. services.private-storage = { diff --git a/nixos/modules/100tb.nix b/nixos/modules/100tb.nix index 87554ef3..ef57324c 100644 --- a/nixos/modules/100tb.nix +++ b/nixos/modules/100tb.nix @@ -69,6 +69,32 @@ let example = "wwn-0x5000c500936410b9"; description = "The ID of the disk on which to install grub."; }; + fsIdentifier = lib.mkOption + { type = lib.types.str; + example = "nixos"; + description = "Determines how GRUB will identify devices when generating the configuration file"; + }; + efiInstallAsRemovable = lib.mkOption + { type = lib.types.bool; + example = false; + description = "Whether to invoke grub-install with --removable"; + }; + efiSupport = lib.mkOption + { type = lib.types.bool; + example = false; + description = "Whether GRUB should be built with EFI support. EFI support is only available for GRUB v2."; + }; + canTouchEfiVariables = lib.mkOption + { type = lib.types.bool; + example = false; + description = "Fill later"; + }; + systemd-boot = lib.mkOption + { type = lib.types.bool; + example = false; + description = "Fill later"; + }; + }; in { # Here we actually define the module's options. They're what we said they @@ -103,8 +129,8 @@ in { config = { boot.loader.grub.enable = true; boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/disk/by-id/${cfg.grubDeviceID}"; - + boot.loader.grub.device = if cfg.grubDeviceID == "nodev" then "nodev" else "/dev/disk/by-id/${cfg.grubDeviceID}"; + boot.loader.systemd-boot.enable = if cfg.systemd-boot == "" then false else cfg.systemd-boot; boot.loader.timeout = 10; networking.firewall.enable = false; -- GitLab