... and fix that option the other commit introduced

If I understand the behavior current Prometheus and Grafana
correctly, this should remove the port number from the
paymentserver labels in Prometheus TDSB.

Do some name resolution for those poor computers

Improve factoring by removing those `/etc/hosts` entries

And avoid the infinite loop @tomprince was encountering in !258

morph offers an auto-passed `nodes` parameter from which we can read all of
the nodes in the morph "network".  We can dig around in this to find the
monitoring node and then read its configured IP address.

It may be worth noting that this address appears in at least two places in the
configuration.  It appears in our "input" configuration which grid.nix
defines.  This change reads it from there.  We also have a NixOS module
`nixos/modules/monitoring/vpn/server.nix` which reads this "input" and uses it
to configure `networking.wireguard.interfaces.monitoringvpn`.  This is fed
onwards to <nixos> to generate actual system configuration.

It seems better to use the former than the latter because we have more direct
control over it and if we consider the whole configuration system a function
then it is more like an argument we are supplying rather than an obscure
implementation detail.

This reverts commit 3113a3e6.

Thinking a second time:  While the staging grid is deployed to
by an automaton anyway and it taking a minute longer won't bother
us, 20 % space savings is probably not worth slowing down
development interactivity.

This is the derivation I use when running `nix store diff-closures` for the
weekly nixpkgs update.

The derivation also includes some attributes that are useful for exploring the
various grid configurations in the nix repl.

Should be pure refactoring

This is my latest version of this, updated to work with the
packages in NixOS 21.05.

Note that changing the origin repository in the on-node deployment checkout
is also required.

See https://whetstone.private.storage/privatestorage/privatestorageops/-/merge_requests/197#note_19071

Older versions of nixpkgs allowed you to specify multiple keys by having
newline separated keys in your string. However, this worked essentially by
accident, and is now explictly disallowed.

I noticed this because I had configured multiple keys for the local grid.  This
isn't currently impacting my ability to work, but it seems like a worthwhile
improvement anyway. This will be necessary (for example) if/when multiple people are
given root access to our storage nodes.

So perhaps it is impossible for anyone to approach the payment server from
these other domains now.

Mostly though I want to force CI to run because whetstone is not currently
showing the pipeline status for this MR...

Florian Sesser authored 3 years ago and Jean-Paul Calderone committed 3 years ago

... just because I like to be consistent.

Florian Sesser authored 3 years ago and Jean-Paul Calderone committed 3 years ago

... to make private.storage the default above privatestorage.io.
Before this the privatestorage.io could be seen in the TLS cert.

Source: https://whetstone.privatestorage.io/privatestorage/PrivateStorageio/-/merge_requests/237#note_18712

The current code evaluates our custom packages once for each node, which adds
signifcant amount of time to evaluate a grid. We can reduce this, by adding the
custom package set as an attribute to the nixpkgs set we pass to morph.

This doesn't change how we refer to those packages, as we continue to expose the
custom package set as a module attribute.

These are the times to evaluate all three grids (on a partially loaded system),
when there was nothing new to build:

```
before:
real	2m27.837s
user	3m35.528s
sys	0m3.722s

after:
real	1m12.748s
user	1m34.047s
sys	0m3.346s
```

For some reason this had eluded my earlier grepping.

Grafana 8 on NixOS 21.11 fails harder than 7.x on 21.05 when its
`grafana-admin.password` file is missing.  Provide it regardless
whether Google auth is configured or not.

Also strip that domain component from the labels collected.

The VirtualBox documentation says this is the network to use for host-only
networking.

mkfs silently truncates "zkapissuer-database" to "zkapissuer-datab" and
everything falls apart.

The point is this is where PaymentServer's persistent state goes.  That
includes vouchers but might include more stuff too.

The hardware modules can now configure this fileSystem in a way appropriate
for themselves and the issuer module can enable that configuration when it is
enabled itself.