From fcac456bcbd29fbf6c07aaba4f14abc87f846588 Mon Sep 17 00:00:00 2001
From: Tom Prince <tom.prince@private.storage>
Date: Thu, 2 Sep 2021 12:52:28 -0600
Subject: [PATCH] Move ssh and deployment configuration to per-grid config module.
---
 morph/grid/local/grid.nix | 11 ++++++++---
 morph/grid/production/grid.nix | 11 ++++++++---
 morph/grid/testing/grid.nix | 11 ++++++++---
 morph/lib/customize-issuer.nix | 7 -------
 morph/lib/customize-monitoring.nix | 3 ---
 morph/lib/customize-storage.nix | 3 +--
 morph/lib/issuer.nix | 3 ---
 morph/lib/monitoring.nix | 5 -----
 morph/lib/storage.nix | 2 --
 nixos/modules/issuer.nix | 5 -----
 nixos/modules/private-storage.nix | 2 --
 nixos/modules/tests/private-storage.nix | 2 ++
 12 files changed, 27 insertions(+), 38 deletions(-)
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index a17f4546..19fc3cfd 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -4,8 +4,6 @@ let
 gridlib = import ../../lib;
 rawConfig = pkgs.lib.trivial.importJSON ./config.json;
 config = rawConfig // {
- sshUsers = import ./public-keys/users.nix;
-
 # Convert relative paths to absolute so library code can resolve names
 # correctly.
 publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
@@ -14,6 +12,13 @@ let
 # Module with per-grid configuration
 grid-module = {
+ imports = [
+ # Allow us to remotely trigger updates to this system.
+ ../../../nixos/modules/deployment.nix
+ # Give it a good SSH configuration.
+ ../../../nixos/modules/ssh.nix
+ ];
+ services.private-storage.sshUsers = import ./public-keys/users.nix;
 # Configure deployment management authorization for all systems in the grid.
 services.private-storage.deployment = {
 authorizedKey = builtins.readFile "${config.publicKeyPath}/deploy_key.pub";
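Review bot: The `imports` list and the `services.private-storage.sshUsers` assignment added to `grid-module` here are repeated verbatim in morph/grid/production/grid.nix and morph/grid/testing/grid.nix, and because this same patch drops ssh.nix and deployment.nix from the gridlib and nixos/modules modules, a future grid module that forgets these two entries would build hosts with the stock sshd configuration and no remote-deployment trigger — as far as the patch shows, nothing would fail at evaluation time to flag that. A comment on the list should make the dependency explicit, e.g. `# Every host in this grid gets its hardened sshd and remote-update trigger only from these two imports; the gridlib/* and nixos/modules/* modules no longer pull them in.` Moving the shared two-entry list into gridlib and keeping only the grid-specific `sshUsers` and `authorizedKey` here would remove the triplication, though the hunk does not show how `grid-module` is consumed. `grid-module` continues past the end of the hunk.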
@@ -62,7 +67,7 @@ let
 (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.24"; }))
 (gridlib.customize-monitoring {
 inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
- inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
+ inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
 googleOAuthClientID = config.monitoringGoogleOAuthClientID;
 monitoringvpnIPv4 = "172.23.23.1";
 stateVersion = "19.09";
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index fac74ccf..4578218b 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -5,8 +5,6 @@ let
 gridlib = import ../../lib;
 rawConfig = pkgs.lib.trivial.importJSON ./config.json;
 config = rawConfig // {
- sshUsers = import ./public-keys/users.nix;
-
 # Convert relative paths to absolute so library code can resolve names
 # correctly.
 publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
@@ -15,6 +13,13 @@ let
 # Module with per-grid configuration
 grid-module = {
+ imports = [
+ # Allow us to remotely trigger updates to this system.
+ ../../../nixos/modules/deployment.nix
+ # Give it a good SSH configuration.
+ ../../../nixos/modules/ssh.nix
+ ];
+ services.private-storage.sshUsers = import ./public-keys/users.nix;
 # Configure deployment management authorization for all systems in the grid.
 services.private-storage.deployment = {
 authorizedKey = builtins.readFile "${config.publicKeyPath}/deploy_key.pub";
@@ -39,7 +44,7 @@ let
 gridlib.hardware-aws
 (gridlib.customize-monitoring {
 inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
- inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
+ inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
 googleOAuthClientID = config.monitoringGoogleOAuthClientID;
 monitoringvpnIPv4 = "172.23.23.1";
 stateVersion = "19.09";
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index 9e03a500..9997463f 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -5,8 +5,6 @@ let
 gridlib = import ../../lib;
 rawConfig = pkgs.lib.trivial.importJSON ./config.json;
 config = rawConfig // {
- sshUsers = import ./public-keys/users.nix;
-
 # Convert relative paths to absolute so library code can resolve names
 # correctly.
 publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
@@ -15,6 +13,13 @@ let
 # Module with per-grid configuration
 grid-module = {
+ imports = [
+ # Allow us to remotely trigger updates to this system.
+ ../../../nixos/modules/deployment.nix
+ # Give it a good SSH configuration.
+ ../../../nixos/modules/ssh.nix
+ ];
+ services.private-storage.sshUsers = import ./public-keys/users.nix;
 # Configure deployment management authorization for all systems in the grid.
 services.private-storage.deployment = {
 authorizedKey = builtins.readFile "${config.publicKeyPath}/deploy_key.pub";
@@ -52,7 +57,7 @@ let
 gridlib.hardware-aws
 (gridlib.customize-monitoring {
 inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
- inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
+ inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
 googleOAuthClientID = config.monitoringGoogleOAuthClientID;
 monitoringvpnIPv4 = "172.23.23.1";
 stateVersion = "19.09";
diff --git a/morph/lib/customize-issuer.nix b/morph/lib/customize-issuer.nix
index 1c0d668f..ea5b31fe 100644
--- a/morph/lib/customize-issuer.nix
+++ b/morph/lib/customize-issuer.nix
@@ -26,12 +26,6 @@
 # ``"example-grid.invalid"`` for the system figure out that
 # ``payments.example-grid.invalid`` is the name of this system.
 , domain
-
- # A set mapping usernames as strings to SSH public keys as strings. For
- # each element of the site, the indicated user is configured on the system
- # with the indicated SSH key as an authorized key.
-, sshUsers
-
 # A string giving an email address to use for Let's Encrypt registration and
 # certificate issuance.
 , letsEncryptAdminEmail
@@ -77,7 +71,6 @@
 networking.domain = domain;
- services.private-storage.sshUsers = sshUsers;
 services.private-storage.monitoring.vpn.client = {
 enable = true;
 ip = monitoringvpnIPv4;
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 391aa560..f5b820a2 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -13,7 +13,6 @@
 , privateKeyPath
 , monitoringvpnIPv4
 , domain
-, sshUsers
 , letsEncryptAdminEmail
 # A list of VPN IP addresses as strings indicating which clients will be
@@ -85,8 +84,6 @@
 networking.domain = domain;
 networking.hosts = hostsMap;
- services.private-storage.sshUsers = sshUsers;
-
 services.private-storage.monitoring.vpn.server = {
 enable = true;
 ip = monitoringvpnIPv4;
diff --git a/morph/lib/customize-storage.nix b/morph/lib/customize-storage.nix
index 68655874..6ec84316 100644
--- a/morph/lib/customize-storage.nix
+++ b/morph/lib/customize-storage.nix
@@ -6,7 +6,6 @@
 , publicKeyPath
 , monitoringvpnEndpoint
 , monitoringvpnIPv4
-, sshUsers
 , domain
 # An integer giving the value of a single pass in byte×months.
@@ -33,7 +32,7 @@
 networking.domain = domain;
 services.private-storage = {
- inherit sshUsers passValue publicStoragePort;
+ inherit passValue publicStoragePort;
 };
 services.private-storage.monitoring.vpn.client = {
diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index f617eef1..74db99bb 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -41,9 +41,6 @@
 };
 imports = [
- # Allow us to remotely trigger updates to this system.
- ../../nixos/modules/deployment.nix
-
 ../../nixos/modules/issuer.nix
 ../../nixos/modules/monitoring/vpn/client.nix
 ../../nixos/modules/monitoring/exporters/node.nix
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index 7d59c296..bf92d104 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -21,11 +21,6 @@
 };
 imports = [
- # Give it a good SSH configuration.
- ../../nixos/modules/ssh.nix
- # Allow us to remotely trigger updates to this system.
- ../../nixos/modules/deployment.nix
-
 ../../nixos/modules/monitoring/vpn/server.nix
 ../../nixos/modules/monitoring/server/grafana.nix
 ../../nixos/modules/monitoring/server/prometheus.nix
diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix
index 52be8136..c437fcf6 100644
--- a/morph/lib/storage.nix
+++ b/morph/lib/storage.nix
@@ -33,8 +33,6 @@
 # Any extra NixOS modules to load on this server.
 imports = [
- # Allow us to remotely trigger updates to this system.
- ../../nixos/modules/deployment.nix
 # Bring in our module for configuring the Tahoe-LAFS service and other
 # Private Storage-specific things.
 ../../nixos/modules/private-storage.nix
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index ce1f928b..3a8d05bf 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -5,11 +5,6 @@
 # Our own nixpkgs fork:
 ourpkgs = import ../../nixpkgs-ps.nix {};
 in {
- imports = [
- # Give it a good SSH configuration.
- ../../nixos/modules/ssh.nix
- ];
-
 options = {
 services.private-storage-issuer.enable = lib.mkEnableOption "PrivateStorage ZKAP Issuer Service";
 services.private-storage-issuer.package = lib.mkOption {
diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index fa5fea83..d3bc9e61 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
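Review bot: With deployment.nix removed from this `imports` list (and ssh.nix plus deployment.nix removed from the list in morph/lib/monitoring.nix, deployment.nix from morph/lib/storage.nix), `gridlib.issuer` and its siblings only yield a hardened, remotely updatable host when they are composed with a grid module that imports those two modules, and nothing left in the list records that requirement. A comment where the removed entries stood would stop a reader from assuming the library module is self-sufficient, e.g. `# ssh.nix and deployment.nix are deliberately not imported here; the per-grid module (morph/grid/*/grid.nix) supplies them for every host.` The `imports` list continues past the end of the hunk.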
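Review bot: Dropping the ssh.nix import from nixos/modules/issuer.nix (and from nixos/modules/private-storage.nix in the next hunk) means a configuration that imports only this module no longer receives ssh.nix's sshd settings, and — judging by the test hunk that adds `../ssh.nix` immediately before setting `services.private-storage.sshUsers` — presumably not the `sshUsers` option declaration either, so `sshUsers` would then be an undefined option rather than a no-op. A one-line note at the top of the module would save the next consumer that surprise, e.g. `# Does not import ./ssh.nix; compose with it (the per-grid module does) to get the hardened sshd and the services.private-storage.sshUsers option.` The `options` set opens inside the hunk and continues past it.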
@@ -30,8 +30,6 @@ let
 in {
 imports = [
- # Give it a good SSH configuration.
- ./ssh.nix
 # Load our tahoe-lafs module. It is configurable in the way I want it to
 # be configurable.
 ./tahoe.nix
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index 59c572fa..2687718b 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -111,6 +111,7 @@ in {
 { config, pkgs, ... }: {
 imports = [
 ../private-storage.nix
+ ../ssh.nix
 ];
 services.private-storage = {
 enable = true;
@@ -128,6 +129,7 @@ in {
 { config, pkgs, ... }: {
 imports = [
 ../issuer.nix
+ ../ssh.nix
 ];
 services.private-storage.sshUsers = sshUsers;
-- 
GitLab