diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 7c4b95a5e66d4fce10213f555064f3423557cc05..09074b3a6077b471f999f78de4226648b8c7e617 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -1,7 +1,7 @@
 { "publicStoragePort": 8898
 , "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "../../PrivateStorageSecrets/privatestorageio-testing-stripe.secret"
-, "monitoringvpnSecretKeyDir": "../../PrivateStorageSecrets/monitoringvpn"
+, "monitoringvpnKeyDir": "../../PrivateStorageSecrets/monitoringvpn"
 , "passValue": 1000000
 , "issuerDomain": "payments.localdev"
 , "letsEncryptAdminEmail": "florian@privatestorage.io"
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index a4cfd1f5ca929b3ca542b6c64b6b0d5300a1b489..b71c6e614de9eeedc2cd7ed6f3d0b8fb289e9268 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -49,7 +49,6 @@ import ../../lib/make-grid.nix {
 inherit vpnClientIPs;
 inherit hostsMap;
 inherit nodeExporterTargets;
- nginxExporterTargets = [ ];
 hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
 stateVersion = "19.09";
 inherit sshUsers;
diff --git a/morph/grid/testing/config.json b/morph/grid/testing/config.json
index 7e8eac29a3ff7455954687582046f11780cbfcd1..0765f915107a60bb373f347f63597c7648ac46ed 100644
--- a/morph/grid/testing/config.json
+++ b/morph/grid/testing/config.json
@@ -1,7 +1,7 @@
 { "publicStoragePort": 8898
 , "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "../../PrivateStorageSecrets/privatestorageio-testing-stripe.secret"
-, "monitoringvpnSecretKeyDir": "../../PrivateStorageSecrets/monitoringvpn"
+, "monitoringvpnKeyDir": "../../PrivateStorageSecrets/monitoringvpn"
 , "passValue": 1000000
 , "issuerDomain": "payments.privatestorage-staging.com"
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index b15c0de84471d85ad1b35979b0f52a8fb4418ac4..b4bb55a6d793321e8ecb2ad789d27729e3767dc2 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -1,16 +1,40 @@
 { hardware
 , ristrettoSigningKeyPath
 , stripeSecretKeyPath
-, monitoringvpnSecretKeyDir
 , issuerDomain
 , letsEncryptAdminEmail
 , allowedChargeOrigins
 , sshUsers
 , stateVersion
 , publicIPv4
-, monitoringvpnIPv4
+, monitoringvpnKeyDir ? null
+, monitoringvpnIPv4 ? null
 , ...
-}: rec {
+}: let
+
+ enableVpn = monitoringvpnKeyDir != null &&
+ monitoringvpnIPv4 != null;
+
+ vpnSecrets = if !enableVpn then {} else {
+ "monitoringvpn-secret-key" = {
+ source = monitoringvpnKeyDir + "/${monitoringvpnIPv4}.key";
+ destination = "/run/keys/monitoringvpn/client.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ source = monitoringvpnKeyDir + "/preshared.key";
+ destination = "/run/keys/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+
+in rec {
 deployment = {
 targetHost = publicIPv4;
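Review bot: `enableVpn = monitoringvpnKeyDir != null && monitoringvpnIPv4 != null` turns a half-filled configuration (key directory given without an address, or the reverse) into "VPN off", so a misnamed key in one grid's config.json now deploys the issuer without its wireguard secrets or client config instead of failing evaluation. Since the two parameters only make sense together, the mismatch should be an error rather than a silent downgrade, e.g. `enableVpn = if (monitoringvpnKeyDir == null) != (monitoringvpnIPv4 == null) then throw "monitoringvpnKeyDir and monitoringvpnIPv4 must be set together" else monitoringvpnKeyDir != null;`. The same guard is needed in the make-testing.nix header hunk and, with `vpnClientIPs` as the third operand, in the make-monitoring.nix one. The `rec { … }` that this `let` now wraps continues past the end of the hunk.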
@@ -31,23 +55,7 @@
 permissions = "0400";
 action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
 };
- "monitoringvpn-secret-key" = {
- source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
- destination = "/run/keys/monitoringvpn/client.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- "monitoringvpn-preshared-key" = {
- source = monitoringvpnSecretKeyDir + "/preshared.key";
- destination = "/run/keys/monitoringvpn/preshared.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- };
+ } // vpnSecrets;
 };
 imports = [
@@ -72,7 +80,7 @@
 system.stateVersion = stateVersion;
- services.private-storage.monitoring.vpn.client = {
+ services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
 enable = true;
 ip = monitoringvpnIPv4;
 };
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
index e3505a75b650c414495dc75106535e16c12aa76d..acd8c1e924f48b5a838b209e4bb09d21f34f368f 100644
--- a/morph/lib/make-monitoring.nix
+++ b/morph/lib/make-monitoring.nix
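Review bot: `services.private-storage.monitoring.vpn.client = if !enableVpn then {} else { … }` leads with the negated, empty branch, which reads less directly than stating the positive case first: `services.private-storage.monitoring.vpn.client = if enableVpn then { enable = true; ip = monitoringvpnIPv4; } else {};`. The same `if !enableVpn then {} else` shape is used for `vpnSecrets` in this file's header hunk and in the make-monitoring.nix and make-testing.nix counterparts, where the same reordering applies.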
@@ -2,49 +2,46 @@
 , hardware
 , publicStoragePort
 , ristrettoSigningKeyPath
-, monitoringvpnSecretKeyDir
 , passValue
 , sshUsers
 , stateVersion
-, monitoringvpnIPv4
-, vpnClientIPs
-, nodeExporterTargets
-, nginxExporterTargets
+, monitoringvpnIPv4 ? null
+, monitoringvpnKeyDir ? null
+, vpnClientIPs ? null
+, nodeExporterTargets ? []
+, nginxExporterTargets ? []
 , hostsMap ? {}
-, ... }:
+, ... }: let
-# This doesn't work yet:
-# let
-# pkgs = import (builtins.fetchTarball {
-# url = "https://github.com/nixos/nixpkgs/archive/76ed24ceab9ec8b520f977a2803181f0c1d86b4d.tar.gz";
-# sha256 = "0dnpkkkv1cly8vywsfizfk3iwl8dnffqh0k6vkq616iw6biha725";
-# }) {};
-#
-# in
+ enableVpn = monitoringvpnKeyDir != null &&
+ monitoringvpnIPv4 != null &&
+ vpnClientIPs != null;
-rec {
+ vpnSecrets = if !enableVpn then {} else {
+ "monitoringvpn-private-key" = {
+ source = monitoringvpnKeyDir + "/server.key";
+ destination = "/run/keys/monitoringvpn/server.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ source = monitoringvpnKeyDir + "/preshared.key";
+ destination = "/run/keys/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+
+in rec {
 deployment = {
 targetHost = publicIPv4;
- secrets = {
- "monitoringvpn-private-key" = {
- source = monitoringvpnSecretKeyDir + "/server.key";
- destination = "/run/keys/monitoringvpn/server.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- "monitoringvpn-preshared-key" = {
- source = monitoringvpnSecretKeyDir + "/preshared.key";
- destination = "/run/keys/monitoringvpn/preshared.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- };
+ secrets = { } // vpnSecrets;
 };
 imports = [
@@ -57,7 +54,7 @@ rec {
 # ../../nixos/modules/monitoring/server/loki.nix
 ];
- services.private-storage.monitoring.vpn.server = {
+ services.private-storage.monitoring.vpn.server = if !enableVpn then {} else {
 enable = true;
 ip = monitoringvpnIPv4;
 inherit vpnClientIPs;
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index b0e131301cc6f69bceba3ef760f0275c9b019bf9..cd4128f70e0da92d091b468bbee6fbdeea18f069 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -2,12 +2,36 @@
 , hardware
 , publicStoragePort
 , ristrettoSigningKeyPath
-, monitoringvpnSecretKeyDir
 , passValue
 , sshUsers
 , stateVersion
-, monitoringvpnIPv4
-, ... }: rec {
+, monitoringvpnKeyDir ? null
+, monitoringvpnIPv4 ? null
+, ... }: let
+
+ enableVpn = monitoringvpnKeyDir != null &&
+ monitoringvpnIPv4 != null;
+
+ vpnSecrets = if !enableVpn then {} else {
+ "monitoringvpn-secret-key" = {
+ source = monitoringvpnKeyDir + "/${monitoringvpnIPv4}.key";
+ destination = "/run/keys/monitoringvpn/client.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ source = monitoringvpnKeyDir + "/preshared.key";
+ destination = "/run/keys/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+
+in rec {
 deployment = {
 targetHost = publicIPv4;
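Review bot: `secrets = { } // vpnSecrets;` merges into an empty set to no effect; `secrets = vpnSecrets;` is equivalent and makes it plain that the monitoring host deploys no secrets other than the VPN keys. The `rec { … }` body opened by `in rec {` continues past the end of the hunk.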
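Review bot: The `vpnSecrets` attribute set added in this header hunk is a line-for-line copy of the one added to make-issuer.nix in the same commit, and make-monitoring.nix carries a third copy that differs only in the server key name, so the permissions, destinations and restart action will drift the next time one of them is edited. The two client entries could move verbatim into one small function file under morph/lib (name to be chosen, e.g. `monitoringvpn-client-secrets.nix`) taking the key directory and address, leaving both call sites with `vpnSecrets = if !enableVpn then {} else import ./monitoringvpn-client-secrets.nix { inherit monitoringvpnKeyDir monitoringvpnIPv4; };`. The `rec { … }` body opened by `in rec {` continues past the end of the hunk.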
@@ -24,23 +48,7 @@
 # extract it from the tahoe-lafs nixos module somehow?
 action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
 };
- "monitoringvpn-secret-key" = {
- source = monitoringvpnSecretKeyDir + "/${monitoringvpnIPv4}.key";
- destination = "/run/keys/monitoringvpn/client.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- "monitoringvpn-preshared-key" = {
- source = monitoringvpnSecretKeyDir + "/preshared.key";
- destination = "/run/keys/monitoringvpn/preshared.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- };
+ } // vpnSecrets;
 };
 imports = [
@@ -61,7 +69,7 @@
 system.stateVersion = stateVersion;
- services.private-storage.monitoring.vpn.client = {
+ services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
 enable = true;
 ip = monitoringvpnIPv4;
 };