diff --git a/DEPLOYMENT-NOTES.rst b/DEPLOYMENT-NOTES.rst
index 9603da2e899d63161486313a7acce7dd05f9b14a..79a98dc5676e397287909470382eb5722ee647de 100644
--- a/DEPLOYMENT-NOTES.rst
+++ b/DEPLOYMENT-NOTES.rst
@@ -1,6 +1,14 @@
Deployment notes
================
+- 2023-06-19
+
+ ZKAPAuthorizer's Tahoe-LAFS plugin name changed from "privatestorageio-zkapauthz-v1" to "privatestorageio-zkapauthz-v2".
+ This causes Tahoe-LAFS to use a different filename to persist the plugin's Foolscap fURL.
+ To preserve the original fURL value (required) each storage node needs this command run before the deployment::
+
+ cp /var/db/tahoe-lafs/storage/private/storage-plugin.privatestorageio-zkapauthz-v{1,2}.furl
+
- 2023-04-19
The team switched from Slack to Zulip.
diff --git a/docs/conf.py b/docs/conf.py
index 747a90a8cc039e65fd01c3d598170c001599c1c8..f3347073a977bdc170c3e1639c5610bf96b790b0 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -61,7 +61,7 @@ master_doc = 'index'
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
diff --git a/morph/grid/local/Vagrantfile b/morph/grid/local/Vagrantfile
index 159452e467c720989042f849846e3901cff3af54..911dd3f7570834060ed0879b738bb3ea2a61420d 100644
--- a/morph/grid/local/Vagrantfile
+++ b/morph/grid/local/Vagrantfile
@@ -83,6 +83,7 @@ Vagrant.configure("2") do |config|
end
# To make the VMs assign the static IPs to the network interfaces we need a rebuild:
+ ## Rename to 'nix.settings.trusted-users' after 20.09 or so:
config.vm.provision "shell",
inline: "echo '{ nix.trustedUsers = [ \"@wheel\" \"root\" \"vagrant\" ]; boot.kernelParams = [ \"console=tty0\" \"console=ttyS0,115200\" ]; }' > /etc/nixos/custom-configuration.nix"
config.vm.provision "shell", inline: "nixos-rebuild switch"
diff --git a/morph/lib/hardware-vagrant.nix b/morph/lib/hardware-vagrant.nix
index 8bf035e9b701533f5345ba84122aa2e9fc532c11..c13cef856552e43e1bdfcab8bffce487dd4c0887 100644
--- a/morph/lib/hardware-vagrant.nix
+++ b/morph/lib/hardware-vagrant.nix
@@ -53,6 +53,6 @@
};
# We want to push packages with morph without having to sign them
- nix.trustedUsers = [ "@wheel" "root" "vagrant" ];
+ nix.settings.trusted-users = [ "@wheel" "root" "vagrant" ];
};
}
diff --git a/morph/lib/issuer-aws.nix b/morph/lib/issuer-aws.nix
index 80495e2dc7bafbc9bfbbe174e1a2f75f66942dfe..8a7c14ecaa73cd7aebadebee5f534988baef94b6 100644
--- a/morph/lib/issuer-aws.nix
+++ b/morph/lib/issuer-aws.nix
@@ -13,6 +13,12 @@
randomEncryption = true;
} ];
+ # If we don't manually and explicitly early-load the loop module, crypt-swap
+ # setup fails with the not very helpful message: "loop device with autoclear
+ # flag is required"
+ # See https://unix.stackexchange.com/a/554500/81275
+ boot.kernelModules = [ "loop" ];
+
# Break the tie between AWS and morph for the hostname by forcing the
# morph-supplied name. See also
# <https://github.com/DBCDK/morph/issues/146>.
@@ -35,5 +41,5 @@
# Turn on automatic optimization of nix store
# https://nixos.wiki/wiki/Storage_optimization
- nix.autoOptimiseStore = true;
+ nix.settings.auto-optimise-store = true;
}
diff --git a/nixos/lib/testing.nix b/nixos/lib/testing.nix
index d89717a0a76f93bb6062ad63c6cfdbb91c12c746..6ed4b733bffad29fbc52a492e295bc5ee7dddbe2 100644
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@@ -14,7 +14,8 @@
''
# The driver runs pyflakes on this script before letting it
# run... Convince pyflakes that there is a `test` name.
- test = None
+ def test():
+ pass
with open("${testpath}") as testfile:
exec(testfile.read(), globals())
# For simple types, JSON is compatible with Python syntax!
diff --git a/nixos/modules/deployment.nix b/nixos/modules/deployment.nix
index 41381ce5d33e62f4e569b87709d591f3586804df..17eb095f836d0ef75a23bad41a318b4a516eda2f 100755
--- a/nixos/modules/deployment.nix
+++ b/nixos/modules/deployment.nix
@@ -35,11 +35,11 @@ in {
config = {
# Configure the system to use our binary cache so that deployment updates
# only require downloading pre-built software, not building it ourselves.
- nix = {
- binaryCachePublicKeys = [
+ nix.settings = {
+ trusted-public-keys = [
"saxtons.private.storage:MplOcEH8G/6mRlhlKkbA8GdeFR3dhCFsSszrspE/ZwY="
];
- binaryCaches = [
+ substituters = [
"http://saxtons.private.storage"
];
};
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 375f064c63c65b1b0b0c5fa94a121a4d68bba781..5537850b4dfc72038d8ba75f92881dd4762b222c 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -254,7 +254,7 @@ in {
];
# NGINX reverse proxy
- security.acme.email = cfg.letsEncryptAdminEmail;
+ security.acme.defaults.email = cfg.letsEncryptAdminEmail;
security.acme.acceptTerms = true;
services.nginx = {
enable = true;
diff --git a/nixos/modules/monitoring/exporters/node.nix b/nixos/modules/monitoring/exporters/node.nix
index 407011069ec0cfdec129244b37a60edd09a57f2b..4a9e41b5c840852323aaf952859e79b4c878a870 100644
--- a/nixos/modules/monitoring/exporters/node.nix
+++ b/nixos/modules/monitoring/exporters/node.nix
@@ -69,7 +69,7 @@ in {
] ++ (
optionals (config.services.nfs.server.enable) [ "nfsd" ]
) ++ (
- optionals ("" != config.boot.initrd.mdadmConf) [ "mdadm" ]
+ optionals ("" != config.boot.initrd.services.swraid.mdadmConf) [ "mdadm" ]
) ++ (
optionals ({} != config.networking.bonds) [ "bonding" ]
) ++ (
diff --git a/nixos/modules/monitoring/server/grafana-service.nix b/nixos/modules/monitoring/server/grafana-service.nix
deleted file mode 100644
index fd4055ee396ab4ea450a102402782045920bc851..0000000000000000000000000000000000000000
--- a/nixos/modules/monitoring/server/grafana-service.nix
+++ /dev/null
@@ -1,739 +0,0 @@
-# This is the NixOS 21.11 Grafana service definition module
-# with the backported UID setting for data sources, so that
-# we can have the same dashboards in our dev, test and prod
-# environments.
-#
-# The change from nixpkgs 81291cc793cf88bd6eff3fd8512e5eb9d037066c
-# will land in NixOS 22.11.
-#
-# When upgrading PrivateStorageio to 22.05, this file will
-# need an upgrade too. When upgrading PrivateStorageio to
-# 22.11, it can be removed.
-
-{ options, config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.services.grafana;
- opt = options.services.grafana;
- declarativePlugins = pkgs.linkFarm "grafana-plugins" (builtins.map (pkg: { name = pkg.pname; path = pkg; }) cfg.declarativePlugins);
- useMysql = cfg.database.type == "mysql";
- usePostgresql = cfg.database.type == "postgres";
-
- envOptions = {
- PATHS_DATA = cfg.dataDir;
- PATHS_PLUGINS = if builtins.isNull cfg.declarativePlugins then "${cfg.dataDir}/plugins" else declarativePlugins;
- PATHS_LOGS = "${cfg.dataDir}/log";
-
- SERVER_PROTOCOL = cfg.protocol;
- SERVER_HTTP_ADDR = cfg.addr;
- SERVER_HTTP_PORT = cfg.port;
- SERVER_SOCKET = cfg.socket;
- SERVER_DOMAIN = cfg.domain;
- SERVER_ROOT_URL = cfg.rootUrl;
- SERVER_STATIC_ROOT_PATH = cfg.staticRootPath;
- SERVER_CERT_FILE = cfg.certFile;
- SERVER_CERT_KEY = cfg.certKey;
-
- DATABASE_TYPE = cfg.database.type;
- DATABASE_HOST = cfg.database.host;
- DATABASE_NAME = cfg.database.name;
- DATABASE_USER = cfg.database.user;
- DATABASE_PASSWORD = cfg.database.password;
- DATABASE_PATH = cfg.database.path;
- DATABASE_CONN_MAX_LIFETIME = cfg.database.connMaxLifetime;
-
- SECURITY_ADMIN_USER = cfg.security.adminUser;
- SECURITY_ADMIN_PASSWORD = cfg.security.adminPassword;
- SECURITY_SECRET_KEY = cfg.security.secretKey;
-
- USERS_ALLOW_SIGN_UP = boolToString cfg.users.allowSignUp;
- USERS_ALLOW_ORG_CREATE = boolToString cfg.users.allowOrgCreate;
- USERS_AUTO_ASSIGN_ORG = boolToString cfg.users.autoAssignOrg;
- USERS_AUTO_ASSIGN_ORG_ROLE = cfg.users.autoAssignOrgRole;
-
- AUTH_ANONYMOUS_ENABLED = boolToString cfg.auth.anonymous.enable;
- AUTH_ANONYMOUS_ORG_NAME = cfg.auth.anonymous.org_name;
- AUTH_ANONYMOUS_ORG_ROLE = cfg.auth.anonymous.org_role;
- AUTH_GOOGLE_ENABLED = boolToString cfg.auth.google.enable;
- AUTH_GOOGLE_ALLOW_SIGN_UP = boolToString cfg.auth.google.allowSignUp;
- AUTH_GOOGLE_CLIENT_ID = cfg.auth.google.clientId;
-
- ANALYTICS_REPORTING_ENABLED = boolToString cfg.analytics.reporting.enable;
-
- SMTP_ENABLED = boolToString cfg.smtp.enable;
- SMTP_HOST = cfg.smtp.host;
- SMTP_USER = cfg.smtp.user;
- SMTP_PASSWORD = cfg.smtp.password;
- SMTP_FROM_ADDRESS = cfg.smtp.fromAddress;
- } // cfg.extraOptions;
-
- datasourceConfiguration = {
- apiVersion = 1;
- datasources = cfg.provision.datasources;
- };
-
- datasourceFile = pkgs.writeText "datasource.yaml" (builtins.toJSON datasourceConfiguration);
-
- dashboardConfiguration = {
- apiVersion = 1;
- providers = cfg.provision.dashboards;
- };
-
- dashboardFile = pkgs.writeText "dashboard.yaml" (builtins.toJSON dashboardConfiguration);
-
- notifierConfiguration = {
- apiVersion = 1;
- notifiers = cfg.provision.notifiers;
- };
-
- notifierFile = pkgs.writeText "notifier.yaml" (builtins.toJSON notifierConfiguration);
-
- provisionConfDir = pkgs.runCommand "grafana-provisioning" { } ''
- mkdir -p $out/{datasources,dashboards,notifiers}
- ln -sf ${datasourceFile} $out/datasources/datasource.yaml
- ln -sf ${dashboardFile} $out/dashboards/dashboard.yaml
- ln -sf ${notifierFile} $out/notifiers/notifier.yaml
- '';
-
- # Get a submodule without any embedded metadata:
- _filter = x: filterAttrs (k: v: k != "_module") x;
-
- # http://docs.grafana.org/administration/provisioning/#datasources
- grafanaTypes.datasourceConfig = types.submodule {
- options = {
- name = mkOption {
- type = types.str;
- description = "Name of the datasource. Required.";
- };
- type = mkOption {
- type = types.str;
- description = "Datasource type. Required.";
- };
- access = mkOption {
- type = types.enum ["proxy" "direct"];
- default = "proxy";
- description = "Access mode. proxy or direct (Server or Browser in the UI). Required.";
- };
- orgId = mkOption {
- type = types.int;
- default = 1;
- description = "Org id. will default to orgId 1 if not specified.";
- };
- uid = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Custom UID which can be used to reference this datasource in other parts of the configuration, if not specified will be generated automatically.";
- };
- url = mkOption {
- type = types.str;
- description = "Url of the datasource.";
- };
- password = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Database password, if used.";
- };
- user = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Database user, if used.";
- };
- database = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Database name, if used.";
- };
- basicAuth = mkOption {
- type = types.nullOr types.bool;
- default = null;
- description = "Enable/disable basic auth.";
- };
- basicAuthUser = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Basic auth username.";
- };
- basicAuthPassword = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Basic auth password.";
- };
- withCredentials = mkOption {
- type = types.bool;
- default = false;
- description = "Enable/disable with credentials headers.";
- };
- isDefault = mkOption {
- type = types.bool;
- default = false;
- description = "Mark as default datasource. Max one per org.";
- };
- jsonData = mkOption {
- type = types.nullOr types.attrs;
- default = null;
- description = "Datasource specific configuration.";
- };
- secureJsonData = mkOption {
- type = types.nullOr types.attrs;
- default = null;
- description = "Datasource specific secure configuration.";
- };
- version = mkOption {
- type = types.int;
- default = 1;
- description = "Version.";
- };
- editable = mkOption {
- type = types.bool;
- default = false;
- description = "Allow users to edit datasources from the UI.";
- };
- };
- };
-
- # http://docs.grafana.org/administration/provisioning/#dashboards
- grafanaTypes.dashboardConfig = types.submodule {
- options = {
- name = mkOption {
- type = types.str;
- default = "default";
- description = "Provider name.";
- };
- orgId = mkOption {
- type = types.int;
- default = 1;
- description = "Organization ID.";
- };
- folder = mkOption {
- type = types.str;
- default = "";
- description = "Add dashboards to the specified folder.";
- };
- type = mkOption {
- type = types.str;
- default = "file";
- description = "Dashboard provider type.";
- };
- disableDeletion = mkOption {
- type = types.bool;
- default = false;
- description = "Disable deletion when JSON file is removed.";
- };
- updateIntervalSeconds = mkOption {
- type = types.int;
- default = 10;
- description = "How often Grafana will scan for changed dashboards.";
- };
- options = {
- path = mkOption {
- type = types.path;
- description = "Path grafana will watch for dashboards.";
- };
- };
- };
- };
-
- grafanaTypes.notifierConfig = types.submodule {
- options = {
- name = mkOption {
- type = types.str;
- default = "default";
- description = "Notifier name.";
- };
- type = mkOption {
- type = types.enum ["dingding" "discord" "email" "googlechat" "hipchat" "kafka" "line" "teams" "opsgenie" "pagerduty" "prometheus-alertmanager" "pushover" "sensu" "sensugo" "slack" "telegram" "threema" "victorops" "webhook"];
- description = "Notifier type.";
- };
- uid = mkOption {
- type = types.str;
- description = "Unique notifier identifier.";
- };
- org_id = mkOption {
- type = types.int;
- default = 1;
- description = "Organization ID.";
- };
- org_name = mkOption {
- type = types.str;
- default = "Main Org.";
- description = "Organization name.";
- };
- is_default = mkOption {
- type = types.bool;
- description = "Is the default notifier.";
- default = false;
- };
- send_reminder = mkOption {
- type = types.bool;
- default = true;
- description = "Should the notifier be sent reminder notifications while alerts continue to fire.";
- };
- frequency = mkOption {
- type = types.str;
- default = "5m";
- description = "How frequently should the notifier be sent reminders.";
- };
- disable_resolve_message = mkOption {
- type = types.bool;
- default = false;
- description = "Turn off the message that sends when an alert returns to OK.";
- };
- settings = mkOption {
- type = types.nullOr types.attrs;
- default = null;
- description = "Settings for the notifier type.";
- };
- secure_settings = mkOption {
- type = types.nullOr types.attrs;
- default = null;
- description = "Secure settings for the notifier type.";
- };
- };
- };
-in {
- options.services.grafana = {
- enable = mkEnableOption "grafana";
-
- protocol = mkOption {
- description = "Which protocol to listen.";
- default = "http";
- type = types.enum ["http" "https" "socket"];
- };
-
- addr = mkOption {
- description = "Listening address.";
- default = "127.0.0.1";
- type = types.str;
- };
-
- port = mkOption {
- description = "Listening port.";
- default = 3000;
- type = types.port;
- };
-
- socket = mkOption {
- description = "Listening socket.";
- default = "/run/grafana/grafana.sock";
- type = types.str;
- };
-
- domain = mkOption {
- description = "The public facing domain name used to access grafana from a browser.";
- default = "localhost";
- type = types.str;
- };
-
- rootUrl = mkOption {
- description = "Full public facing url.";
- default = "%(protocol)s://%(domain)s:%(http_port)s/";
- type = types.str;
- };
-
- certFile = mkOption {
- description = "Cert file for ssl.";
- default = "";
- type = types.str;
- };
-
- certKey = mkOption {
- description = "Cert key for ssl.";
- default = "";
- type = types.str;
- };
-
- staticRootPath = mkOption {
- description = "Root path for static assets.";
- default = "${cfg.package}/share/grafana/public";
- defaultText = literalExpression ''"''${package}/share/grafana/public"'';
- type = types.str;
- };
-
- package = mkOption {
- description = "Package to use.";
- default = pkgs.grafana;
- defaultText = literalExpression "pkgs.grafana";
- type = types.package;
- };
-
- declarativePlugins = mkOption {
- type = with types; nullOr (listOf path);
- default = null;
- description = "If non-null, then a list of packages containing Grafana plugins to install. If set, plugins cannot be manually installed.";
- example = literalExpression "with pkgs.grafanaPlugins; [ grafana-piechart-panel ]";
- # Make sure each plugin is added only once; otherwise building
- # the link farm fails, since the same path is added multiple
- # times.
- apply = x: if isList x then lib.unique x else x;
- };
-
- dataDir = mkOption {
- description = "Data directory.";
- default = "/var/lib/grafana";
- type = types.path;
- };
-
- database = {
- type = mkOption {
- description = "Database type.";
- default = "sqlite3";
- type = types.enum ["mysql" "sqlite3" "postgres"];
- };
-
- host = mkOption {
- description = "Database host.";
- default = "127.0.0.1:3306";
- type = types.str;
- };
-
- name = mkOption {
- description = "Database name.";
- default = "grafana";
- type = types.str;
- };
-
- user = mkOption {
- description = "Database user.";
- default = "root";
- type = types.str;
- };
-
- password = mkOption {
- description = ''
- Database password.
- This option is mutual exclusive with the passwordFile option.
- '';
- default = "";
- type = types.str;
- };
-
- passwordFile = mkOption {
- description = ''
- File that containts the database password.
- This option is mutual exclusive with the password option.
- '';
- default = null;
- type = types.nullOr types.path;
- };
-
- path = mkOption {
- description = "Database path.";
- default = "${cfg.dataDir}/data/grafana.db";
- type = types.path;
- };
-
- connMaxLifetime = mkOption {
- description = ''
- Sets the maximum amount of time (in seconds) a connection may be reused.
- For MySQL this setting should be shorter than the `wait_timeout' variable.
- '';
- default = "unlimited";
- example = 14400;
- type = types.either types.int (types.enum [ "unlimited" ]);
- };
- };
-
- provision = {
- enable = mkEnableOption "provision";
- datasources = mkOption {
- description = "Grafana datasources configuration.";
- default = [];
- type = types.listOf grafanaTypes.datasourceConfig;
- apply = x: map _filter x;
- };
- dashboards = mkOption {
- description = "Grafana dashboard configuration.";
- default = [];
- type = types.listOf grafanaTypes.dashboardConfig;
- apply = x: map _filter x;
- };
- notifiers = mkOption {
- description = "Grafana notifier configuration.";
- default = [];
- type = types.listOf grafanaTypes.notifierConfig;
- apply = x: map _filter x;
- };
- };
-
- security = {
- adminUser = mkOption {
- description = "Default admin username.";
- default = "admin";
- type = types.str;
- };
-
- adminPassword = mkOption {
- description = ''
- Default admin password.
- This option is mutual exclusive with the adminPasswordFile option.
- '';
- default = "admin";
- type = types.str;
- };
-
- adminPasswordFile = mkOption {
- description = ''
- Default admin password.
- This option is mutual exclusive with the <literal>adminPassword</literal> option.
- '';
- default = null;
- type = types.nullOr types.path;
- };
-
- secretKey = mkOption {
- description = "Secret key used for signing.";
- default = "SW2YcwTIb9zpOOhoPsMm";
- type = types.str;
- };
-
- secretKeyFile = mkOption {
- description = "Secret key used for signing.";
- default = null;
- type = types.nullOr types.path;
- };
- };
-
- smtp = {
- enable = mkEnableOption "smtp";
- host = mkOption {
- description = "Host to connect to.";
- default = "localhost:25";
- type = types.str;
- };
- user = mkOption {
- description = "User used for authentication.";
- default = "";
- type = types.str;
- };
- password = mkOption {
- description = ''
- Password used for authentication.
- This option is mutual exclusive with the passwordFile option.
- '';
- default = "";
- type = types.str;
- };
- passwordFile = mkOption {
- description = ''
- Password used for authentication.
- This option is mutual exclusive with the password option.
- '';
- default = null;
- type = types.nullOr types.path;
- };
- fromAddress = mkOption {
- description = "Email address used for sending.";
- default = "admin@grafana.localhost";
- type = types.str;
- };
- };
-
- users = {
- allowSignUp = mkOption {
- description = "Disable user signup / registration.";
- default = false;
- type = types.bool;
- };
-
- allowOrgCreate = mkOption {
- description = "Whether user is allowed to create organizations.";
- default = false;
- type = types.bool;
- };
-
- autoAssignOrg = mkOption {
- description = "Whether to automatically assign new users to default org.";
- default = true;
- type = types.bool;
- };
-
- autoAssignOrgRole = mkOption {
- description = "Default role new users will be auto assigned.";
- default = "Viewer";
- type = types.enum ["Viewer" "Editor"];
- };
- };
-
- auth = {
- anonymous = {
- enable = mkOption {
- description = "Whether to allow anonymous access.";
- default = false;
- type = types.bool;
- };
- org_name = mkOption {
- description = "Which organization to allow anonymous access to.";
- default = "Main Org.";
- type = types.str;
- };
- org_role = mkOption {
- description = "Which role anonymous users have in the organization.";
- default = "Viewer";
- type = types.str;
- };
- };
- google = {
- enable = mkOption {
- description = "Whether to allow Google OAuth2.";
- default = false;
- type = types.bool;
- };
- allowSignUp = mkOption {
- description = "Whether to allow sign up with Google OAuth2.";
- default = false;
- type = types.bool;
- };
- clientId = mkOption {
- description = "Google OAuth2 client ID.";
- default = "";
- type = types.str;
- };
- clientSecretFile = mkOption {
- description = "Google OAuth2 client secret.";
- default = null;
- type = types.nullOr types.path;
- };
- };
- };
-
- analytics.reporting = {
- enable = mkOption {
- description = "Whether to allow anonymous usage reporting to stats.grafana.net.";
- default = true;
- type = types.bool;
- };
- };
-
- extraOptions = mkOption {
- description = ''
- Extra configuration options passed as env variables as specified in
- <link xlink:href="http://docs.grafana.org/installation/configuration/">documentation</link>,
- but without GF_ prefix
- '';
- default = {};
- type = with types; attrsOf (either str path);
- };
- };
-
- config = mkIf cfg.enable {
- warnings = flatten [
- (optional (
- cfg.database.password != opt.database.password.default ||
- cfg.security.adminPassword != opt.security.adminPassword.default
- ) "Grafana passwords will be stored as plaintext in the Nix store!")
- (optional (
- any (x: x.password != null || x.basicAuthPassword != null || x.secureJsonData != null) cfg.provision.datasources
- ) "Datasource passwords will be stored as plaintext in the Nix store!")
- (optional (
- any (x: x.secure_settings != null) cfg.provision.notifiers
- ) "Notifier secure settings will be stored as plaintext in the Nix store!")
- ];
-
- environment.systemPackages = [ cfg.package ];
-
- assertions = [
- {
- assertion = cfg.database.password != opt.database.password.default -> cfg.database.passwordFile == null;
- message = "Cannot set both password and passwordFile";
- }
- {
- assertion = cfg.security.adminPassword != opt.security.adminPassword.default -> cfg.security.adminPasswordFile == null;
- message = "Cannot set both adminPassword and adminPasswordFile";
- }
- {
- assertion = cfg.security.secretKey != opt.security.secretKey.default -> cfg.security.secretKeyFile == null;
- message = "Cannot set both secretKey and secretKeyFile";
- }
- {
- assertion = cfg.smtp.password != opt.smtp.password.default -> cfg.smtp.passwordFile == null;
- message = "Cannot set both password and passwordFile";
- }
- ];
-
- systemd.services.grafana = {
- description = "Grafana Service Daemon";
- wantedBy = ["multi-user.target"];
- after = ["networking.target"] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service";
- environment = {
- QT_QPA_PLATFORM = "offscreen";
- } // mapAttrs' (n: v: nameValuePair "GF_${n}" (toString v)) envOptions;
- script = ''
- set -o errexit -o pipefail -o nounset -o errtrace
- shopt -s inherit_errexit
-
- ${optionalString (cfg.auth.google.clientSecretFile != null) ''
- GF_AUTH_GOOGLE_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.google.clientSecretFile})"
- export GF_AUTH_GOOGLE_CLIENT_SECRET
- ''}
- ${optionalString (cfg.database.passwordFile != null) ''
- GF_DATABASE_PASSWORD="$(<${escapeShellArg cfg.database.passwordFile})"
- export GF_DATABASE_PASSWORD
- ''}
- ${optionalString (cfg.security.adminPasswordFile != null) ''
- GF_SECURITY_ADMIN_PASSWORD="$(<${escapeShellArg cfg.security.adminPasswordFile})"
- export GF_SECURITY_ADMIN_PASSWORD
- ''}
- ${optionalString (cfg.security.secretKeyFile != null) ''
- GF_SECURITY_SECRET_KEY="$(<${escapeShellArg cfg.security.secretKeyFile})"
- export GF_SECURITY_SECRET_KEY
- ''}
- ${optionalString (cfg.smtp.passwordFile != null) ''
- GF_SMTP_PASSWORD="$(<${escapeShellArg cfg.smtp.passwordFile})"
- export GF_SMTP_PASSWORD
- ''}
- ${optionalString cfg.provision.enable ''
- export GF_PATHS_PROVISIONING=${provisionConfDir};
- ''}
- exec ${cfg.package}/bin/grafana-server -homepath ${cfg.dataDir}
- '';
- serviceConfig = {
- WorkingDirectory = cfg.dataDir;
- User = "grafana";
- RuntimeDirectory = "grafana";
- RuntimeDirectoryMode = "0755";
- # Hardening
- AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
- CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
- DeviceAllow = [ "" ];
- LockPersonality = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateTmp = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "full";
- RemoveIPC = true;
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- # Upstream grafana is not setting SystemCallFilter for compatibility
- # reasons, see https://github.com/grafana/grafana/pull/40176
- SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
- UMask = "0027";
- };
- preStart = ''
- ln -fs ${cfg.package}/share/grafana/conf ${cfg.dataDir}
- ln -fs ${cfg.package}/share/grafana/tools ${cfg.dataDir}
- '';
- };
-
- users.users.grafana = {
- uid = config.ids.uids.grafana;
- description = "Grafana user";
- home = cfg.dataDir;
- createHome = true;
- group = "grafana";
- };
- users.groups.grafana = {};
- };
-}
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index 91b3641e8d7ae52b4da320e452b0ae0be21652d8..4da836c10975d56438fee3961912da20b4788c7b 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -7,24 +7,9 @@
let
cfg = config.services.private-storage.monitoring.grafana;
- grafanaAuth = if (cfg.googleOAuthClientID == "") then {
- anonymous.enable = true;
- } else {
- google.enable = true;
- # Grafana considers it "sign up" to let in a user it has
- # never seen before.
- google.allowSignUp = true;
- google.clientSecretFile = cfg.googleOAuthClientSecretFile;
- google.clientId = cfg.googleOAuthClientID;
- };
in {
- # Override Grafana module so we can specify datasource UIDs
- # Copied from https://nixos.org/manual/nixos/stable/#sec-replace-modules
- disabledModules = [ "services/monitoring/grafana.nix" ];
- imports = [ ./grafana-service.nix ];
-
options.services.private-storage.monitoring.grafana = {
domains = lib.mkOption
{ type = lib.types.listOf lib.types.str;
@@ -111,41 +96,59 @@ in {
services.grafana = {
enable = true;
- inherit domain;
- port = 2342;
- addr = "127.0.0.1";
-
- # No phoning home
- analytics.reporting.enable = false;
-
- # Force Grafana to believe it is reachable via https on the default port
- # number because that's where the nginx that forwards traffic to it is
- # listening. Grafana's own server listens on an internal address that
- # doesn't matter to anyone except our nginx instance.
- rootUrl = "https://%(domain)s/";
-
- extraOptions = {
- # Defend against DNS rebinding attacks.
- SERVER_ENFORCE_DOMAIN = "true";
- # Same time zone for all users by default
- DATE_FORMATS_DEFAULT_TIMEZONE = "UTC";
- };
- auth = {
- anonymous.org_role = "Admin";
- anonymous.org_name = "Main Org.";
- } // grafanaAuth;
+ settings = {
+
+ server = {
+ domain = "${toString domain}";
+ http_port = 2342;
+ http_addr = "127.0.0.1";
+
+ # Defend against DNS rebinding attacks.
+ enforce_domain = true;
+
+ # Force Grafana to believe it is reachable via https on the default port
+ # number because that's where the nginx that forwards traffic to it is
+ # listening. Grafana's own server listens on an internal address that
+ # doesn't matter to anyone except our nginx instance.
+ root_url = "https://%(domain)s/";
+ };
- # Give users that come through GSuite SSO the highest possible privileges:
- users.autoAssignOrgRole = "Editor";
+ # No phoning home
+ analytics.reporting_enabled = false;
- # Read the admin password from a file in our secrets folder:
- security.adminPasswordFile = cfg.adminPasswordFile;
+ # Same time zone for all users by default
+ date_formats.default_timezone = "UTC";
+
+ # The auth sections since NixOS 22.11 are named a bit funky with a dot in the name
+ #
+ # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/grafana/#anonymous-authentication
+ # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/google/
+ "auth.anonymous" = lib.mkIf (cfg.googleOAuthClientID == "") {
+ enabled = true;
+ org_role = "Admin";
+ org_name = "Main Org.";
+ };
+ "auth.google" = lib.mkIf (cfg.googleOAuthClientID != "") {
+ enabled = true;
+ # Grafana considers it "sign up" to let in a user it has
+ # never seen before.
+ allow_sign_up = true;
+ client_secret = "$__file{${toString cfg.googleOAuthClientSecretFile}}";
+ client_id = cfg.googleOAuthClientID;
+ };
+
+ # Give users that come through GSuite SSO the highest possible privileges:
+ users.auto_assign_org_role = "Editor";
+
+ # Read the admin password from a file in our secrets folder:
+ security.admin_password = "$__file{${toString cfg.adminPasswordFile}}";
+ };
provision = {
enable = true;
# See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources
- datasources = [{
+ datasources.settings.datasources = [{
name = "Prometheus";
type = "prometheus";
uid = "LocalPrometheus";
@@ -160,7 +163,7 @@ in {
url = cfg.lokiUrl;
}];
# See https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
- dashboards = [{
+ dashboards.settings.providers = [{
name = "provisioned";
options.path = ./grafana-dashboards;
}];
@@ -195,7 +198,7 @@ in {
};
# nginx reverse proxy
- security.acme.email = cfg.letsEncryptAdminEmail;
+ security.acme.defaults.email = cfg.letsEncryptAdminEmail;
security.acme.acceptTerms = true;
services.nginx = {
enable = true;
@@ -213,7 +216,7 @@ in {
enableACME = true;
forceSSL = true;
locations."/" = {
- proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+ proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
};
locations."/metrics" = {
@@ -225,7 +228,7 @@ in {
allow ::1;
deny all;
'';
- proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+ proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
};
};
};
diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index 3a716cf05eeb8a5bd5b2aafb6f6c2b3aa54da894..1b55614859801fd7580dd50508a10382bb493ae3 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -132,9 +132,9 @@ in
# Put the storage where we have a lot of space configured.
storage_dir = "/storage";
# Turn on our plugin.
- plugins = "privatestorageio-zkapauthz-v1";
+ plugins = "privatestorageio-zkapauthz-v2";
};
- "storageserver.plugins.privatestorageio-zkapauthz-v1" =
+ "storageserver.plugins.privatestorageio-zkapauthz-v2" =
{ "ristretto-issuer-root-url" = cfg.issuerRootURL;
"ristretto-signing-key-path" = cfg.ristrettoSigningKeyPath;
} // (
diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index 8d5d5766ae3b30c4801b6ce200fa58c1460f6ca7..90fd34b002c607965038a574334fb0fc370d146c 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -25,11 +25,8 @@
services.openssh = {
enable = true;
- # We don't use SFTP for anything. No reason to expose it.
- allowSFTP = false;
-
# We only allow key-based authentication.
- challengeResponseAuthentication = false;
+ kbdInteractiveAuthentication = false;
passwordAuthentication = false;
extraConfig = ''
diff --git a/nixos/pkgs/privatestorage/default.nix b/nixos/pkgs/privatestorage/default.nix
index 3bbbd3dbcf0b974e6e1997e20773cddbd9ea59c0..e152f021cf5d6409d7b0f05582d28a44ccb87641 100644
--- a/nixos/pkgs/privatestorage/default.nix
+++ b/nixos/pkgs/privatestorage/default.nix
@@ -2,7 +2,9 @@
let
repo-data = lib.importJSON ./repo.json;
repo = fetchFromGitHub (builtins.removeAttrs repo-data [ "branch" ]);
- privatestorage = callPackage repo { python = "python39"; };
+ zk = import repo;
+ # XXX package version choice here
+ zkapauthorizer = zk.outputs.packages.x86_64-linux.zkapauthorizer-python39-tahoe_1_17_1;
+ python = zkapauthorizer.passthru.python;
in
- privatestorage.privatestorage
-
+ python.withPackages (ps: [ zkapauthorizer ] )
diff --git a/nixos/pkgs/privatestorage/repo.json b/nixos/pkgs/privatestorage/repo.json
index 4113e150a72c907dce4ee0d7345361eadb248041..f57181a6978b0c72bcf6cc9c99618f5afda3a927 100644
--- a/nixos/pkgs/privatestorage/repo.json
+++ b/nixos/pkgs/privatestorage/repo.json
@@ -1,8 +1,8 @@
{
"owner": "PrivateStorageio",
- "branch": "main",
+ "branch": "458.update-tahoe-lafs",
"repo": "ZKAPAuthorizer",
- "rev": "744a063ab76a677b259aa9022711113ffbab2545",
+ "rev": "6f8d67c81cdc6de2f52e0a699a077b43232a0589",
"outputHashAlgo": "sha512",
- "outputHash": "293j4469iy69d2hz3gwxwyj0flqb1cncl938s5w5jmfgbvkm1w0yfg1y06nx89zis1rvwqpcly3vxp94pz1dx28d74wiianqks11p54"
+ "outputHash": "3bg882wlm0bn23xazal81mzac63svg66gcbrabvzqyin98jrwlimk5n64hrdiywiw954g7srpdr1g9f1y4p79vbpnkfkrv7sa108aa4"
}
\ No newline at end of file
diff --git a/nixos/system-tests.nix b/nixos/system-tests.nix
index 819b5c738eca08b95d3c85b14088a2bf6c000dbf..eafd712cc141bd3ba7c9f6f824d06cb950745ec0 100644
--- a/nixos/system-tests.nix
+++ b/nixos/system-tests.nix
@@ -6,6 +6,13 @@ let
pkgs' = pkgs.extend (self: super: { ourpkgs = self.callPackage ./pkgs {}; });
in {
private-storage = pkgs'.nixosTest ./tests/private-storage.nix;
- spending = pkgs'.nixosTest ./tests/spending.nix;
+
+ # The spending service is not deployed so it doesn't seem *necessary* to run
+ # its test suite here. The packaging still uses mach-nix which is
+ # incompatible with NixOS 22.11 so we can't actually load the ZKAP spending
+ # service derivation anymore. So ... disable the test suite.
+ #
+ # spending = pkgs'.nixosTest ./tests/spending.nix;
+
tahoe = pkgs'.nixosTest ./tests/tahoe.nix;
}
diff --git a/nixos/tests/exercise-storage.py b/nixos/tests/exercise-storage.py
index e3a1d4d2ec7674042487cc0c6dabc670fcd6561d..288a846d87e6fc468f22bc0e634ae4430c17791b 100755
--- a/nixos/tests/exercise-storage.py
+++ b/nixos/tests/exercise-storage.py
@@ -85,10 +85,13 @@ def get_api_root(path):
return hyperlink.URL.from_text(f.read().strip())
def tahoe_put(api_root, data, **kwargs):
+ uri = api_root.child(u"uri").to_uri()
response = requests.put(
- api_root.child(u"uri").to_uri(),
+ uri,
BytesIO(data),
+ headers={"accept": "text/plain"},
)
+ print(f"PUT {uri} responded:\n{response.text}\n")
response.raise_for_status()
return response.text
diff --git a/nixos/tests/get-passes.py b/nixos/tests/get-passes.py
index 206e8900e496f7b08967fb11715043fedeaa3f5d..6f9263345521fa9e3977015231a06060f83bd912 100755
--- a/nixos/tests/get-passes.py
+++ b/nixos/tests/get-passes.py
@@ -29,7 +29,7 @@ def main():
if issuerAPIRoot is not None and not issuerAPIRoot.endswith("/"):
issuerAPIRoot += "/"
- zkapauthz = clientAPIRoot + "storage-plugins/privatestorageio-zkapauthz-v1"
+ zkapauthz = clientAPIRoot + "storage-plugins/privatestorageio-zkapauthz-v2"
with open(clientAPITokenPath) as p:
clientAPIToken = p.read().strip()
diff --git a/nixos/tests/private-storage.nix b/nixos/tests/private-storage.nix
index b593a18ef84947bdfe299e1ec6388987f4296491..d7a5aaafe9908b0f3a36c4cdfb041e371eef6bfe 100644
--- a/nixos/tests/private-storage.nix
+++ b/nixos/tests/private-storage.nix
@@ -1,4 +1,4 @@
-{ pkgs }:
+{ pkgs, ... }:
let
ourpkgs = pkgs.callPackage ../pkgs { };
@@ -66,6 +66,8 @@ let
networking.dhcpcd.enable = false;
};
in {
+ name = "private-storage";
+
# https://nixos.org/nixos/manual/index.html#sec-nixos-tests
# https://nixos.mayflower.consulting/blog/2019/07/11/leveraging-nixos-tests-in-your-project/
nodes = rec {
diff --git a/nixos/tests/run-client.py b/nixos/tests/run-client.py
index 8d3d82720ec94b4b91e6af8791aadc58cd7ce2ad..86909bde894225865c9f295f4ba3c461519141a4 100755
--- a/nixos/tests/run-client.py
+++ b/nixos/tests/run-client.py
@@ -29,12 +29,12 @@ def main():
with open("/tmp/client/tahoe.cfg") as cfg:
config.read_file(cfg)
- config.set(u"client", u"storage.plugins", u"privatestorageio-zkapauthz-v1")
- config.add_section(u"storageclient.plugins.privatestorageio-zkapauthz-v1")
- config.set(u"storageclient.plugins.privatestorageio-zkapauthz-v1", u"redeemer", u"ristretto")
- config.set(u"storageclient.plugins.privatestorageio-zkapauthz-v1", u"ristretto-issuer-root-url", issuerURL)
- config.set(u"storageclient.plugins.privatestorageio-zkapauthz-v1", u"allowed-public-keys", publicKey)
- config.set(u"storageclient.plugins.privatestorageio-zkapauthz-v1", u"default-token-count", tokenCount)
+ config.set(u"client", u"storage.plugins", u"privatestorageio-zkapauthz-v2")
+ config.add_section(u"storageclient.plugins.privatestorageio-zkapauthz-v2")
+ config.set(u"storageclient.plugins.privatestorageio-zkapauthz-v2", u"redeemer", u"ristretto")
+ config.set(u"storageclient.plugins.privatestorageio-zkapauthz-v2", u"ristretto-issuer-root-url", issuerURL)
+ config.set(u"storageclient.plugins.privatestorageio-zkapauthz-v2", u"allowed-public-keys", publicKey)
+ config.set(u"storageclient.plugins.privatestorageio-zkapauthz-v2", u"default-token-count", tokenCount)
with open("/tmp/client/tahoe.cfg", "wt") as cfg:
config.write(cfg)
diff --git a/nixos/tests/tahoe.nix b/nixos/tests/tahoe.nix
index a007e65efd2d6bee8ab4adba9df3cb2901f53526..5b3c5c3827d11798f3656a4912de7d648883e624 100644
--- a/nixos/tests/tahoe.nix
+++ b/nixos/tests/tahoe.nix
@@ -1,8 +1,9 @@
-{ pkgs }:
+{ pkgs, ... }:
let
ourpkgs = pkgs.callPackage ../pkgs { };
in
{
+ name = "tahoe";
nodes = {
storage = { config, pkgs, ourpkgs, ... }: {
imports = [
diff --git a/nixos/tests/test_privatestorage.py b/nixos/tests/test_privatestorage.py
index 0429ac9257f7b587f4efd1d1ecc53375ed9ee4d3..724b99c3667074bc97af13ebe5de71dd58405f24 100644
--- a/nixos/tests/test_privatestorage.py
+++ b/nixos/tests/test_privatestorage.py
@@ -274,7 +274,7 @@ def test(
# It should be possible to restart the storage service without the
# storage node fURL changing.
- furlfile = '/var/db/tahoe-lafs/storage/private/storage-plugin.privatestorageio-zkapauthz-v1.furl'
+ furlfile = '/var/db/tahoe-lafs/storage/private/storage-plugin.privatestorageio-zkapauthz-v2.furl'
before = storage.execute('cat ' + furlfile)
runOnNode(storage, [["systemctl", "restart", "tahoe.storage"]])
after = storage.execute('cat ' + furlfile)
diff --git a/nixpkgs.json b/nixpkgs.json
index 87445ee44c04baa66c0973d665194fa494481973..cb1a73e104de18dddc11467dd4740ea85d009de1 100644
--- a/nixpkgs.json
+++ b/nixpkgs.json
@@ -1,5 +1,5 @@
{
"name": "source",
- "url": "https://releases.nixos.org/nixos/21.11/nixos-21.11.337975.eabc3821918/nixexprs.tar.xz",
- "sha256": "1fq3zz7qfavksdbqvicns7hg61q3hhbxs2ibm818gy629hwkvsvm"
+ "url": "https://releases.nixos.org/nixos/22.11/nixos-22.11.2523.1b82144edfc/nixexprs.tar.xz",
+ "sha256": "12i6lznqz2wxwnjzm1ak5j15dvm2jny1c8998720nnf0qds7180r"
}
\ No newline at end of file
diff --git a/tools/update-nixpkgs b/tools/update-nixpkgs
index 12752892fab880582857d43c5cc4632a41c96d0f..58dedd9c0894b074f41bfa7b2a1b7c3ec1812616 100755
--- a/tools/update-nixpkgs
+++ b/tools/update-nixpkgs
@@ -10,7 +10,7 @@ from ps_tools import get_url_hash
# We pass this to builtins.fetchTarball which only supports sha256
HASH_TYPE = "sha256"
-DEFAULT_CHANNEL = "nixos-21.11"
+DEFAULT_CHANNEL = "nixos-22.11"
CHANNEL_URL_TEMPLATE = "https://channels.nixos.org/{channel}/nixexprs.tar.xz"
@@ -24,9 +24,8 @@ def get_nixos_channel_url(*, channel):
the release.
"""
response = httpx.head(
- CHANNEL_URL_TEMPLATE.format(channel=channel), allow_redirects=False
+ CHANNEL_URL_TEMPLATE.format(channel=channel), follow_redirects=False
)
- response.raise_for_status()
assert response.is_redirect
return str(response.next_request.url)