morph/grid/local/public-keys/borgbackup/storage1.repopath

+abc123de@abc123de.repo.borgbase.com:repo

morph/grid/local/public-keys/borgbackup/storage2.repopath

+vwx789yz@vwx789yz.repo.borgbase.com:repo

morph/grid/local/public-keys/deploy_key.pub

+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANTUgFOHIfRuVYEbxp8gD+H9uZV1RCQUC4AhCABYT57 exarkun@baryon

morph/grid/local/public-keys/users.nix.example

+let
+# Add your public key. Example:
+# key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
+# You can use the following to get key from the local machine.
+# key = builtins.readFile ~/.ssh/id_ed25519.pub;
+  key = undefined;
+  keys = [key]
+in {
+  "root" = keys;
+  "vagrant" = keys;
+}

morph/grid/local/secrets/users.nix

-# Add your public key. Example: 
-# let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
-let key = undefined;
-in { "root" = key; "vagrant" = key; }

morph/grid/production/.gitignore

-secrets
+private-keys

morph/grid/production/config.json

 { "domain": "private.storage"
 , "publicStoragePort": 8898
-, "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
-, "stripeSecretKeyPath": "./secrets/stripe.secret"
-, "monitoringvpnKeyDir": "./secrets/monitoringvpn"
+, "privateKeyPath": "./private-keys"
+, "publicKeyPath": "./public-keys"
 , "monitoringvpnEndpoint": "monitoring.private.storage:51820"
 , "passValue": 1000000
 , "issuerDomains": [
-    "payments.privatestorage.io"
-  , "payments.private.storage"
+    "payments.private.storage"
+  , "payments.privatestorage.io"
+  ]
+, "monitoringDomains": [
+    "monitoring.private.storage"
+  , "monitoring.privatestorage.io"
   ]
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 , "allowedChargeOrigins": [
-    "https://privatestorage.io"
-  , "https://www.privatestorage.io"
-  , "https://private.storage"
-  , "https://www.private.storage"
+    "https://private.storage"
   ]
+, "monitoringGoogleOAuthClientID": "802959152038-klpkk38sfnqmknn1ucg7pvs4hcc2k8ae.apps.googleusercontent.com"
 }

morph/grid/production/grid.nix

 # See morph/grid/local/grid.nix for additional commentary.
 let
-  pkgs = import <nixpkgs> { };
-
   gridlib = import ../../lib;
-  rawConfig = pkgs.lib.trivial.importJSON ./config.json;
-  config = rawConfig // {
-    sshUsers = import ./secrets/users.nix;
+  grid-config = builtins.fromJSON (builtins.readFile ./config.json);
 
-    # Get absolute vpn key directory path, as a string:
-    monitoringvpnKeyDir = toString ./. + "/${rawConfig.monitoringvpnKeyDir}";
+  # Module with per-grid configuration
+  grid-module = {config, ...}: {
+    imports = [
+      gridlib.base
+      # Allow us to remotely trigger updates to this system.
+      ../../../nixos/modules/deployment.nix
+      # Give it a good SSH configuration.
+      ../../../nixos/modules/ssh.nix
+    ];
+    services.private-storage.sshUsers = import ./public-keys/users.nix;
+    networking.domain = grid-config.domain;
+    # Convert relative paths to absolute so library code can resolve names
+    # correctly.
+    grid = {
+      publicKeyPath = toString ./. + "/${grid-config.publicKeyPath}";
+      privateKeyPath = toString ./. + "/${grid-config.privateKeyPath}";
+      inherit (grid-config) monitoringvpnEndpoint letsEncryptAdminEmail;
+    };
+    # Configure deployment management authorization for all systems in the grid.
+    services.private-storage.deployment = {
+      authorizedKey = builtins.readFile "${config.grid.publicKeyPath}/deploy_key.pub";
+      gridName = "production";
+    };
   };
 
   payments = {
     imports = [
       gridlib.issuer
       gridlib.hardware-aws
-      (gridlib.customize-issuer (config // {
-        monitoringvpnIPv4 = "172.23.23.11";
-      }))
+      grid-module
     ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.11";
+      grid.issuer = {
+        inherit (grid-config) issuerDomains allowedChargeOrigins;
+      };
+    };
   };
 
   monitoring = {
     imports = [
       gridlib.monitoring
       gridlib.hardware-aws
-      (gridlib.customize-monitoring {
-        inherit hostsMap vpnClientIPs nodeExporterTargets;
-        inherit (config) domain monitoringvpnKeyDir;
-        monitoringvpnIPv4 = "172.23.23.1";
-        stateVersion = "19.09";
-      })
+      grid-module
     ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.1";
+      grid.monitoring = {
+        inherit paymentExporterTargets blackboxExporterHttpsTargets;
+        inherit (grid-config) monitoringDomains;
+        googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
+        enableZulipAlert = true;
+      };
+      system.stateVersion = "19.09";
+    };
   };
 
   defineStorageNode = name: { vpnIP, stateVersion }:
   let
-    nodecfg = import "${./.}/${name}-config.nix";
-    hardware ="${./.}/${name}-hardware.nix";
+    nodecfg = import (./. + "/${name}-config.nix");
+    hardware = (./. + "/${name}-hardware.nix");
   in {
     imports = [
       # Get some of the very lowest-level system configuration for this
@@ -48,21 +74,33 @@ let
       # Slightly awkwardly, enable some of our hardware / network / bootloader options.
       ../../../nixos/modules/100tb.nix
 
+      # At least some of our storage nodes utilize MegaRAID storage controllers.
+      # Monitor their array status.
+      ../../../nixos/modules/monitoring/exporters/megacli2prom.nix
+
       # Get all of the configuration that is common across all storage nodes.
       gridlib.storage
-
-      # Then customize the storage system a little bit based on this node's particulars.
-      (gridlib.customize-storage (config // nodecfg // {
-        monitoringvpnIPv4 = vpnIP;
-        inherit stateVersion;
-      }))
+      # Also configure deployment management authorization
+      grid-module
     ];
 
+    config = {
+      grid.monitoringvpnIPv4 = vpnIP;
+      grid.storage = {
+        inherit (grid-config) passValue publicStoragePort;
+      };
+      system.stateVersion = stateVersion;
+
       # And supply configuration for those hardware / network / bootloader
       # options.  See the 100tb module for handling of this value.  The module
       # name is quoted because `1` makes `100tb` look an awful lot like a
       # number.
       "100tb".config = nodecfg;
+
+      # Enable statistics gathering for MegaRAID cards.
+      # TODO would be nice to enable only on machines that have such a device.
+      services.private-storage.monitoring.exporters.megacli2prom.enable = true;
+    };
   };
 
   # Define all of the storage nodes for this grid.
@@ -74,37 +112,22 @@ let
     storage005 = { vpnIP = "172.23.23.25"; stateVersion = "19.03"; };
   };
 
-  # TBD: derive these automatically:
-  hostsMap = {
-    "172.23.23.1"  = [ "monitoring" "monitoring.monitoringvpn" ];
-    "172.23.23.11" = [   "payments"   "payments.monitoringvpn" ];
-    "172.23.23.21" = [ "storage001" "storage001.monitoringvpn" ];
-    "172.23.23.22" = [ "storage002" "storage002.monitoringvpn" ];
-    "172.23.23.23" = [ "storage003" "storage003.monitoringvpn" ];
-    "172.23.23.24" = [ "storage004" "storage004.monitoringvpn" ];
-    "172.23.23.25" = [ "storage005" "storage005.monitoringvpn" ];
-  };
-  vpnClientIPs = [
-    "172.23.23.11"
-    "172.23.23.21"
-    "172.23.23.22"
-    "172.23.23.23"
-    "172.23.23.24"
-    "172.23.23.25"
-  ];
-  nodeExporterTargets = [
-    "monitoring"
-    "payments"
-    "storage001"
-    "storage002"
-    "storage003"
-    "storage004"
-    "storage005"
+  paymentExporterTargets = [ "payments.monitoringvpn" ];
+  blackboxExporterHttpsTargets = [
+    "https://private.storage/"
+    "https://www.private.storage/"
+    "https://privatestorage.io/"
+    "https://www.privatestorage.io/"
+    "https://payments.private.storage/"
+    "https://payments.privatestorage.io/"
+    "https://monitoring.private.storage/"
+    "https://monitoring.privatestorage.io/"
   ];
 
 in {
   network = {
     description = "PrivateStorage.io Production Grid";
+    inherit (gridlib) pkgs;
   };
   inherit payments;
   inherit monitoring;

morph/grid/production/public-keys/borgbackup/storage001.repopath

+gye1flhy@gye1flhy.repo.borgbase.com:repo

morph/grid/production/public-keys/borgbackup/storage002.repopath

+l4642x1g@l4642x1g.repo.borgbase.com:repo

morph/grid/production/public-keys/borgbackup/storage003.repopath

+c7400xl6@c7400xl6.repo.borgbase.com:repo

morph/grid/production/public-keys/borgbackup/storage004.repopath

+sbn13vf8@sbn13vf8.repo.borgbase.com:repo

morph/grid/production/public-keys/borgbackup/storage005.repopath

+wg8x4po7@wg8x4po7.repo.borgbase.com:repo

morph/grid/production/public-keys/deploy_key.pub

+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK50RwXncelNB4JAazoXEhCxXbJZ79qWcQMAWeX14H+W exarkun@baryon

morph/grid/production/public-keys/monitoringvpn/172.23.23.1.pub

+f4PF38t1ZRneFCV+12irDbMuG81WK6jiH0Ba+P+XtXM=

morph/grid/production/public-keys/monitoringvpn/172.23.23.11.pub

+yBdp154+SjyjTJM6ag1mbdnXORWrv/mJ01NJdkEe9VY=