nixos/modules/monitoring/server/prometheus.nix

@@ -10,9 +10,10 @@ let
   cfg = config.services.private-storage.monitoring.prometheus;
   dropPortNumber = {
     source_labels = [ "__address__" ];
-    regex = "^(.*):\\d+$";
+    regex = "^(.*)(?:\\.monitoringvpn):\\d+$";
     target_label = "instance";
   };
+  logRetention = toString(config.services.private-storage.monitoring.policy.logRetentionSeconds) + "s";
 
 in {
   options.services.private-storage.monitoring.prometheus = {
@@ -44,6 +45,7 @@ in {
     services.prometheus = {
       enable = true;
       # port = 9090; # Option only in recent (20.09?) nixpkgs, 9090 default
+      retentionTime = logRetention;
       scrapeConfigs = [
         {
           job_name = "node-exporters";

nixos/modules/packages.nix

 # A NixOS module which exposes custom packages to other modules.
 { pkgs, ...}:
 let
-  ourpkgs = pkgs.callPackage ../../nixos/pkgs {};
+  # Get our custom packages; either from the nixpkgs attribute added via an
+  # overlay in `morph/lib/default.nix`, or by importing them directly.
+  ourpkgs = pkgs.ourpkgs or (pkgs.callPackage ../pkgs {});
 in {
   config = {
     # Expose `nixos/pkgs` as a new module argument `ourpkgs`.

nixos/modules/restricted-service.nix

+# Provide secure defaults for systemd services
+#
+# Good reads:
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+# https://docs.arbitrary.ch/security/systemd.html
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+
+{
+  DynamicUser = true;
+
+  # This set of restrictions is mostly dervied from
+  # - running `systemd-analyze security zkap-spending-service.service`
+  # - Looking at the restrictions from the nixos nginx config.
+  AmbientCapabilities = "";
+  CapabilityBoundingSet = "";
+  LockPersonality = true;
+  MemoryDenyWriteExecute = true;
+  NoNewPrivileges = true;
+  PrivateDevices = true;
+  PrivateMounts = true;
+  PrivateNetwork = true;
+  PrivateTmp = true;
+  PrivateUsers = true;
+  ProcSubset = "pid";
+  ProtectClock = true;
+  ProtectControlGroups = true;
+  ProtectHome = true;
+  ProtectHostname = true;
+  ProtectKernelLogs = true;
+  ProtectKernelModules = true;
+  ProtectKernelTunables = true;
+  ProtectProc = "invisible";
+  ProtectSystem = "strict";
+  RemoveIPC = true;
+  RestrictAddressFamilies = "AF_UNIX";
+  RestrictNamespaces = true;
+  RestrictRealtime = true;
+  RestrictSUIDSGID = true;
+  SystemCallArchitectures = "native";
+  # Lines starting with "~" are deny-list the others are allow-list
+  # Since the first line is allow, that bounds the set of allowed syscalls
+  # and the further lines restrict it.
+  SystemCallFilter = [
+    # From systemd.exec(5), @system-service is "A reasonable set of
+    # system calls used by common system [...]"
+    "@system-service"
+    # This is from the nginx config, except that `@ipc` is not removed,
+    # since twisted uses a self-pipe.
+    "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"
+  ];
+  Umask = "0077";
+}

nixos/modules/update-deployment

@@ -32,7 +32,7 @@ CHECKOUT="${HOME}/PrivateStorageio"
 
 # This is the address of the git remote where we can get the latest
 # PrivateStorageio.
-REPO="https://whetstone.privatestorage.io/privatestorage/PrivateStorageio.git"
+REPO="https://whetstone.private.storage/privatestorage/PrivateStorageio.git"
 
 if [ -e "${CHECKOUT}" ]; then
     # It exists already so just make sure it contains the latest changes from
@@ -72,14 +72,18 @@ EOF
 ssh -o StrictHostKeyChecking=no "$(hostname).$(domainname)" ":"
 
 # Set nixpkgs to our preferred version for the morph build.  Annoyingly, we
-# can't just use nixpkgs-2105.nix as our nixpkgs because some code (in morph,
+# can't just use nixpkgs.nix as our nixpkgs because some code (in morph,
 # at least) wants <nixpkgs> to be a fully-resolved path to a nixpkgs tree.
 # For example, morph evaluated `import <nixpkgs/lib>` which would turn into
-# something like `import nixpkgs-2105.nix/lib` which is nonsense.
+# something like `import nixpkgs.nix/lib` which is nonsense.
 #
 # So instead, import our nixpkgs which forces it to be instantiated in the
 # store, then ask for its path, then set NIX_PATH to that.
-export NIX_PATH="nixpkgs=$(nix eval "(import ${CHECKOUT}/nixpkgs-2105.nix { }).path")"
+
+# Two lines since 'export' masks 'set -e'
+# See https://mywiki.wooledge.org/BashFAQ/105#line-204
+NIX_PATH="nixpkgs=$(nix --extra-experimental-features nix-command eval --impure --expr "(import ${CHECKOUT}/nixpkgs.nix { }).path")"
+export NIX_PATH
 
 # Attempt to update just this host.  Choose the morph grid definition matching
 # the grid we belong to and limit the morph deployment update to the host