diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix index 3def2d77556e8b82b5fd0dbd2513f3d08b7ea2c7..51f41832ded8fe18290c47b5b3ad85fb58c2a511 100644 --- a/morph/grid/local/grid.nix +++ b/morph/grid/local/grid.nix @@ -61,7 +61,7 @@ let (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.24"; })) (gridlib.customize-monitoring { inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets; - inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail; + inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail; googleOAuthClientID = config.monitoringGoogleOAuthClientID; monitoringvpnIPv4 = "172.23.23.1"; stateVersion = "19.09"; diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix index e663d2243e4aa6078260e41f07f807f606e64ef6..06eefdd28da57ad65ea99543ba8421bc934ef752 100644 --- a/morph/grid/production/grid.nix +++ b/morph/grid/production/grid.nix @@ -38,7 +38,7 @@ let gridlib.hardware-aws (gridlib.customize-monitoring { inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets; - inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail; + inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail; googleOAuthClientID = config.monitoringGoogleOAuthClientID; monitoringvpnIPv4 = "172.23.23.1"; stateVersion = "19.09"; diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix index fbbbd9f13e49cfdc7fd2f0687fa2fe12df91ea33..7b06c99e1f7a1b65b535f924a0a24aebe6753586 100644 --- a/morph/grid/testing/grid.nix +++ b/morph/grid/testing/grid.nix @@ -51,7 +51,7 @@ let gridlib.hardware-aws (gridlib.customize-monitoring { inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets; - inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail; + inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail; googleOAuthClientID = config.monitoringGoogleOAuthClientID; monitoringvpnIPv4 = "172.23.23.1"; stateVersion = "19.09"; diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix index f5b820a272fcfd4ea7106af32ad2fd0ac5c8ece3..391aa5602575100c8650d8e4fb6892e38fc95ebf 100644 --- a/morph/lib/customize-monitoring.nix +++ b/morph/lib/customize-monitoring.nix @@ -13,6 +13,7 @@ , privateKeyPath , monitoringvpnIPv4 , domain +, sshUsers , letsEncryptAdminEmail # A list of VPN IP addresses as strings indicating which clients will be @@ -84,6 +85,8 @@ networking.domain = domain; networking.hosts = hostsMap; + services.private-storage.sshUsers = sshUsers; + services.private-storage.monitoring.vpn.server = { enable = true; ip = monitoringvpnIPv4; diff --git a/morph/lib/issuer-aws.nix b/morph/lib/issuer-aws.nix index a66ab72addd43da1feb96bdd86d46312ec327fd3..bf7de56cfb570857da32c34ebfcc9b21c91e702e 100644 --- a/morph/lib/issuer-aws.nix +++ b/morph/lib/issuer-aws.nix @@ -9,7 +9,7 @@ boot.kernel.sysctl = { "vm.swappiness" = 0; }; swapDevices = [ { device = "/var/swapfile"; - size = 8192; # megabytes + size = 4096; # megabytes randomEncryption = true; } ]; @@ -17,4 +17,11 @@ # morph-supplied name. See also # <https://github.com/DBCDK/morph/issues/146>. networking.hostName = name; + + # Clean up packages after a while + nix.gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; } diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix index d8af93b24119ba6dff5ce63a5b2d16fbd18edb71..f8810be2f7e878eeb979e82d2746895d6157212e 100644 --- a/morph/lib/monitoring.nix +++ b/morph/lib/monitoring.nix @@ -21,6 +21,8 @@ rec { }; imports = [ + # Give it a good SSH configuration. + ../../nixos/modules/ssh.nix # Allow us to remotely trigger updates to this system. ../../nixos/modules/deployment.nix diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix index da56a43012b7e53a6d5ced17123eb3d898b24f3e..ce1f928b2738066811425a3c7e3e3c85c03ac272 100644 --- a/nixos/modules/issuer.nix +++ b/nixos/modules/issuer.nix @@ -182,11 +182,17 @@ in { "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}"; }; - # Certificate renewal. We must declare that we *require* it in our - # service above. - systemd.services."${certServiceName}" = { - enable = true; + # Certificate renewal. A short-lived service meant to be repeatedly + # activated to request a new certificate be issued, if the current one is + # close to expiring. + systemd.services.${certServiceName} = { + enable = cfg.tls; description = "Certificate ${domain}"; + # Activate this unit periodically so that certbot can determine if the + # certificate expiration time is close enough to warrant a renewal + # request. + startAt = "weekly"; + serviceConfig = { ExecStart = let @@ -201,6 +207,7 @@ in { ''; }; }; + # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server. networking.firewall.allowedTCPPorts = [ 80 diff --git a/nixos/modules/monitoring/server/grafana-config/resources-overview.json b/nixos/modules/monitoring/server/grafana-config/resources-overview.json index cd171d50594d77153f4d905bd91aec12f6bafcb9..8cf342514143d84de1263a3d6debaf8e40b4c922 100644 --- a/nixos/modules/monitoring/server/grafana-config/resources-overview.json +++ b/nixos/modules/monitoring/server/grafana-config/resources-overview.json @@ -1281,6 +1281,6 @@ "timepicker": {}, "timezone": "utc", "title": "Resources overview", - "uid": "ResSatUse", + "uid": "ResourcesOverview", "version": 1 } diff --git a/nixos/modules/monitoring/server/grafana-config/services-overview.json b/nixos/modules/monitoring/server/grafana-config/services-overview.json index 8ee7b130ce917183edfa26a7a53c1a8df1353303..1606d2e59593fea116323dfaea25448bc4fbc9b6 100644 --- a/nixos/modules/monitoring/server/grafana-config/services-overview.json +++ b/nixos/modules/monitoring/server/grafana-config/services-overview.json @@ -659,6 +659,6 @@ }, "timezone": "", "title": "Services overview", - "uid": "JX3RVEk7k", + "uid": "ServicesOverview", "version": 6 } diff --git a/nixos/modules/monitoring/server/prometheus.nix b/nixos/modules/monitoring/server/prometheus.nix index c92261ccad2ebdd8dd34dda9027e66962b345be9..1f27f023df5b3211a81e3603226cc7cfe2c25e27 100644 --- a/nixos/modules/monitoring/server/prometheus.nix +++ b/nixos/modules/monitoring/server/prometheus.nix @@ -59,7 +59,9 @@ in { scheme = "https"; tls_config.insecure_skip_verify = true; static_configs = [{ - targets = cfg.paymentExporterTargets; + # Explicitly setting the port number so the relabel_config can filter it out again. + # Leaving it out makes the port number show in Grafana. + targets = map (x: x + ":443") cfg.paymentExporterTargets; }]; relabel_configs = [ dropPortNumber ]; } diff --git a/nixpkgs-ps.json b/nixpkgs-ps.json index 97449535de722fdaf89d8551c6bd6d124e3818c7..58add30734e8f7b9b2840a9be38693ceb6a4249d 100644 --- a/nixpkgs-ps.json +++ b/nixpkgs-ps.json @@ -1,4 +1,4 @@ { "name": "nixpkgs" -, "url": "https://github.com/PrivateStorageio/nixpkgs/archive/a5cbaadd9676e8c568061e92bbf5ad6a5d884ded.tar.gz" -, "sha256": "0q5zknsp0qb25ag9zr9bw1ap7pb3f76bxsw81ahxkzj4z5dw6k2f" +, "url": "https://github.com/PrivateStorageio/nixpkgs/archive/5ebd5af2d5c6caf23735c8c0e6bc27357fa8d2a8.tar.gz" +, "sha256": "1g2bvs8prqjskzv8s1qmh36k7rmj98jib0syqbrq02xxzw5dpqb4" }