Compare revisions

196bfaff · 196bfaff · 196bfaff · 196bfaff · 196bfaff · 196bfaff
--- a/morph/grid/production/public-keys/monitoringvpn/172.23.23.21.pub
+++ b/morph/grid/production/public-keys/monitoringvpn/172.23.23.21.pub
+G0//oetsCGa75x8rLsg98c9GT9a0ncf1yG9w2+5JV0M=
--- a/morph/grid/production/public-keys/monitoringvpn/172.23.23.22.pub
+++ b/morph/grid/production/public-keys/monitoringvpn/172.23.23.22.pub
+Zq4OsMOTJ2NsVi00hB0x20mMqvoCrDUfleoI5rzIeEc=
--- a/morph/grid/production/public-keys/monitoringvpn/172.23.23.23.pub
+++ b/morph/grid/production/public-keys/monitoringvpn/172.23.23.23.pub
+9ThSUgSNrykQEULj70QQyjlvtvGTmMPqsRMz8hc9xHA=
--- a/morph/grid/production/public-keys/monitoringvpn/172.23.23.24.pub
+++ b/morph/grid/production/public-keys/monitoringvpn/172.23.23.24.pub
+fPUnFOzBZRJDBdSR6iS5AaC40KKy/2REiM16hx+woxk=
--- a/morph/grid/production/public-keys/monitoringvpn/172.23.23.25.pub
+++ b/morph/grid/production/public-keys/monitoringvpn/172.23.23.25.pub
+qS4rT+zjWrbXDhtEF4oyGv8/5oCIE1ZU9FF+O6AL8V4=
--- a/morph/grid/production/public-keys/monitoringvpn/server.pub
+++ b/morph/grid/production/public-keys/monitoringvpn/server.pub
+172.23.23.1.pub
\ No newline at end of file
--- a/morph/grid/production/public-keys/users.nix
+++ b/morph/grid/production/public-keys/users.nix
+let
+  flo = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6EUU/KNDr7y3m5OVWBZAuPiMJ4us3YOBEhxpG29yPN flo@la"];
+  last-resort = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1hy9mPkJI+7mY2Uq6CLpuFMMLOTfiY2sRJHwpihgRt cardno:26 269 859 - Last Resort A-Key"
+                  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPYMUVNuWr2y+FL1GxW6S6jb3BWYhbzJ2zhvQVKu2ll cardno:23 845 763 - Last Resort C-key"
+                ];
+in {
+  "root" = flo ++ last-resort;
+  inherit  flo    last-resort;
+}
--- a/morph/grid/production/storage001-hardware.nix
+++ b/morph/grid/production/storage001-hardware.nix
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
+# NixOS configuration specific to this node
 { config, lib, pkgs, ... }:

 {
@@ -12,7 +10,7 @@
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  boot.kernel.sysctl = { "vm.swappiness" = 0; };
+  boot.kernel.sysctl = { "vm.swappiness" = 1; };

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/f72c1f46-6723-45bf-9ef7-92f31cc37589";
@@ -38,6 +36,6 @@
  } ];


-  nix.maxJobs = lib.mkDefault 24;
+  nix.settings.max-jobs = lib.mkDefault 24;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }
--- a/morph/grid/production/storage002-hardware.nix
+++ b/morph/grid/production/storage002-hardware.nix
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
+# NixOS configuration specific to this node
 { config, lib, pkgs, ... }:

 {
@@ -12,7 +10,7 @@
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  boot.kernel.sysctl = { "vm.swappiness" = 0; };
+  boot.kernel.sysctl = { "vm.swappiness" = 1; };

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/0e92ada9-effb-42e2-a26a-9cdb529bcdc7";
@@ -37,6 +35,6 @@
    randomEncryption = true;
  } ];

-  nix.maxJobs = lib.mkDefault 24;
+  nix.settings.max-jobs = lib.mkDefault 24;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }
--- a/morph/grid/production/storage003-hardware.nix
+++ b/morph/grid/production/storage003-hardware.nix
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
+# NixOS configuration specific to this node
 { config, lib, pkgs, modulesPath, ... }:

 {
@@ -13,7 +11,7 @@
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  boot.supportedFilesystems = [ "zfs" ];
-  boot.kernel.sysctl = { "vm.swappiness" = 0; };
+  boot.kernel.sysctl = { "vm.swappiness" = 1; };

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/240fc1f6-cd55-48a3-ac80-5b3550a32ef5";
@@ -38,6 +36,6 @@
    randomEncryption = true;
  } ];

-  nix.maxJobs = lib.mkDefault 24;
+  nix.settings.max-jobs = lib.mkDefault 24;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }
--- a/morph/grid/production/storage004-hardware.nix
+++ b/morph/grid/production/storage004-hardware.nix
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
+# NixOS configuration specific to this node
 { config, lib, pkgs, ... }:

 {
@@ -12,7 +10,7 @@
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  boot.kernel.sysctl = { "vm.swappiness" = 0; };
+  boot.kernel.sysctl = { "vm.swappiness" = 1; };

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d628122e-05d9-4212-b6a5-4b9516d85dbe";
@@ -32,6 +30,6 @@
    randomEncryption = true;
  } ];

-  nix.maxJobs = lib.mkDefault 32;
+  nix.settings.max-jobs = lib.mkDefault 32;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }
--- a/morph/grid/production/storage005-hardware.nix
+++ b/morph/grid/production/storage005-hardware.nix
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
+# NixOS configuration specific to this node
 { config, lib, pkgs, ... }:

 {
@@ -12,7 +10,7 @@
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  boot.kernel.sysctl = { "vm.swappiness" = 0; };
+  boot.kernel.sysctl = { "vm.swappiness" = 1; };

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/2653c6bb-396f-4911-b9ff-b68de8f9715d";
@@ -37,6 +35,6 @@
    randomEncryption = true;
  } ];

-  nix.maxJobs = lib.mkDefault 32;
+  nix.settings.max-jobs = lib.mkDefault 32;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }
--- a/morph/grid/testing/.gitignore
+++ b/morph/grid/testing/.gitignore
-secrets
+private-keys
--- a/morph/grid/testing/config.json
+++ b/morph/grid/testing/config.json
 { "domain": "privatestorage-staging.com"
 , "publicStoragePort": 8898
-, "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
-, "stripeSecretKeyPath": "./secrets/stripe.secret"
-, "monitoringvpnKeyDir": "./secrets/monitoringvpn"
+, "privateKeyPath": "./private-keys"
+, "publicKeyPath": "./public-keys"
 , "monitoringvpnEndpoint": "monitoring.privatestorage-staging.com:51820"
 , "passValue": 1000000
 , "issuerDomains": [
    "payments.privatestorage-staging.com"
  , "payments.extra.privatestorage-staging.com"
  ]
+, "monitoringDomains": [
+    "monitoring.privatestorage-staging.com"
+  , "monitoring.extra.privatestorage-staging.com"
+  ]
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 , "allowedChargeOrigins": [
    "http://localhost:5000"
  , "https://privatestorage-staging.com"
-  , "https://www.privatestorage-staging.com"
  ]
+, "monitoringGoogleOAuthClientID": "802959152038-6esn1c6u2lm3j82lf29jvmn8s63hi8dc.apps.googleusercontent.com"
 }
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
 # See morph/grid/local/grid.nix for additional commentary.
 let
-  pkgs = import <nixpkgs> { };
-
  gridlib = import ../../lib;
-  rawConfig = pkgs.lib.trivial.importJSON ./config.json;
-  config = rawConfig // {
-    sshUsers = import ./secrets/users.nix;
+  grid-config = builtins.fromJSON (builtins.readFile ./config.json);

-    # Get absolute vpn key directory path, as a string:
-    monitoringvpnKeyDir = toString ./. + "/${rawConfig.monitoringvpnKeyDir}";
+  # Module with per-grid configuration
+  grid-module = {config, ...}: {
+    imports = [
+      gridlib.base
+      # Allow us to remotely trigger updates to this system.
+      ../../../nixos/modules/deployment.nix
+      # Give it a good SSH configuration.
+      ../../../nixos/modules/ssh.nix
+    ];
+    services.private-storage.sshUsers = import ./public-keys/users.nix;
+    networking.domain = grid-config.domain;
+    # Convert relative paths to absolute so library code can resolve names
+    # correctly.
+    grid = {
+      publicKeyPath = toString ./. + "/${grid-config.publicKeyPath}";
+      privateKeyPath = toString ./. + "/${grid-config.privateKeyPath}";
+      inherit (grid-config) monitoringvpnEndpoint letsEncryptAdminEmail;
+    };
+    # Configure deployment management authorization for all systems in the grid.
+    services.private-storage.deployment = {
+      authorizedKey = builtins.readFile "${config.grid.publicKeyPath}/deploy_key.pub";
+      gridName = "testing";
+    };
  };

  payments = {
    imports = [
      gridlib.issuer
      gridlib.hardware-aws
-      (gridlib.customize-issuer (config // {
-        monitoringvpnIPv4 = "172.23.23.11";
-      }))
+      grid-module
    ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.11";
+      grid.issuer = {
+        inherit (grid-config) issuerDomains allowedChargeOrigins;
+      };
+    };
  };

  storage001 = {
    imports = [
      gridlib.storage
+      gridlib.hardware-aws
      ./testing001-hardware.nix
-      (gridlib.customize-storage (config // {
-        monitoringvpnIPv4 = "172.23.23.12";
-        stateVersion = "19.03";
-      }))
+      grid-module
    ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.12";
+      grid.storage = {
+        inherit (grid-config) passValue publicStoragePort;
+      };
+      system.stateVersion = "19.03";
+    };
  };

  monitoring = {
    imports = [
      gridlib.monitoring
      gridlib.hardware-aws
-      (gridlib.customize-monitoring {
-        inherit hostsMap vpnClientIPs nodeExporterTargets;
-        inherit (config) domain monitoringvpnKeyDir;
-        monitoringvpnIPv4 = "172.23.23.1";
-        stateVersion = "19.09";
-      })
+      grid-module
    ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.1";
+      grid.monitoring = {
+        inherit paymentExporterTargets blackboxExporterHttpsTargets;
+        inherit (grid-config) monitoringDomains;
+        googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
+        enableZulipAlert = true;
+      };
+      system.stateVersion = "19.09";
+    };
  };

  # TBD: derive these automatically:
-  hostsMap = {
-    "172.23.23.1"  = [ "monitoring" "monitoring.monitoringvpn" ];
-    "172.23.23.11" = [ "payments"   "payments.monitoringvpn"   ];
-    "172.23.23.12" = [ "storage001" "storage001.monitoringvpn" ];
-  };
-  vpnClientIPs = [ "172.23.23.11" "172.23.23.12" ];
-  nodeExporterTargets = [ "monitoring" "payments" "storage001" ];
+  paymentExporterTargets = [ "payments.monitoringvpn" ];
+  blackboxExporterHttpsTargets = [
+    "https://privatestorage-staging.com/"
+    "https://www.privatestorage-staging.com/"
+    "https://extra.privatestorage-staging.com/"
+    "https://www.extra.privatestorage-staging.com/"
+    "https://payments.privatestorage-staging.com/"
+    "https://payments.extra.privatestorage-staging.com/"
+    "https://monitoring.privatestorage-staging.com/"
+    "https://monitoring.extra.privatestorage-staging.com/"
+  ];

 in {
  network = {
    description = "PrivateStorage.io Testing Grid";
+    inherit (gridlib) pkgs;
  };
  inherit payments monitoring storage001;
 }
--- a/morph/grid/testing/public-keys/borgbackup/storage001.repopath
+++ b/morph/grid/testing/public-keys/borgbackup/storage001.repopath
+p2kt6691@p2kt6691.repo.borgbase.com:repo
--- a/morph/grid/testing/public-keys/deploy_key.pub
+++ b/morph/grid/testing/public-keys/deploy_key.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB88qfLdoR5Pq9Us7vOVc6wBWmIDxme9MXYQSxxO+8/X exarkun@baryon
--- a/morph/grid/testing/public-keys/monitoringvpn/172.23.23.1.pub
+++ b/morph/grid/testing/public-keys/monitoringvpn/172.23.23.1.pub
+iVS3L2DkH/pHAhiPpuduBMKlICPYmchHFfCg6n2ReUI=
--- a/morph/grid/testing/public-keys/monitoringvpn/172.23.23.11.pub
+++ b/morph/grid/testing/public-keys/monitoringvpn/172.23.23.11.pub
+sGUEH9+Mli1E1BFBMAHgPsnVlaD1EJKFaYOJ+dpyLy0=
--- a/morph/grid/testing/public-keys/monitoringvpn/172.23.23.12.pub
+++ b/morph/grid/testing/public-keys/monitoringvpn/172.23.23.12.pub
+wvpkXigLG2zvmLhxsV2cmN/IgF+nLednV6uENvI6fh0=
No results found