Compare revisions

196bfaff · 196bfaff · 196bfaff · 196bfaff · 196bfaff · 196bfaff
--- a/morph/grid/local/private-keys/ristretto.signing-key
+++ b/morph/grid/local/private-keys/ristretto.signing-key
+NAQBkEEUKPDtq8af5anlHvWMjeSVoH56RnpCTy70QwA=
\ No newline at end of file
--- a/morph/grid/local/private-keys/stripe.secret
+++ b/morph/grid/local/private-keys/stripe.secret
+sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw
--- a/morph/grid/local/private-keys/stripe.webhook-secret
+++ b/morph/grid/local/private-keys/stripe.webhook-secret
+whsec_12121212121212121212121212121212121212
--- a/morph/grid/local/public-keys/borgbackup/storage1.repopath
+++ b/morph/grid/local/public-keys/borgbackup/storage1.repopath
+abc123de@abc123de.repo.borgbase.com:repo
--- a/morph/grid/local/public-keys/borgbackup/storage2.repopath
+++ b/morph/grid/local/public-keys/borgbackup/storage2.repopath
+vwx789yz@vwx789yz.repo.borgbase.com:repo
--- a/morph/grid/local/public-keys/deploy_key.pub
+++ b/morph/grid/local/public-keys/deploy_key.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANTUgFOHIfRuVYEbxp8gD+H9uZV1RCQUC4AhCABYT57 exarkun@baryon
--- a/morph/grid/local/public-keys/monitoringvpn/172.23.23.11.pub
+++ b/morph/grid/local/public-keys/monitoringvpn/172.23.23.11.pub
+GYNjLkoyQ1d3OMymYbgq40WAHIUzrSEGBWXvxqceF00=
--- a/morph/grid/local/public-keys/monitoringvpn/172.23.23.12.pub
+++ b/morph/grid/local/public-keys/monitoringvpn/172.23.23.12.pub
+veio/0E0sJYOjwp3E8EccCyME1pqjkZr4R6whFMdrhs=
--- a/morph/grid/local/public-keys/monitoringvpn/172.23.23.13.pub
+++ b/morph/grid/local/public-keys/monitoringvpn/172.23.23.13.pub
+4VlUMl9FubrLWaN0pRvfdNjjRBQzfCVLMA2lU7OwPzA=
--- a/morph/grid/local/public-keys/monitoringvpn/server.pub
+++ b/morph/grid/local/public-keys/monitoringvpn/server.pub
+ojo+p9ZE03GN66ewoIlrHmyV7ICt+2LV32Prs66JsA4=
--- a/morph/grid/local/public-keys/users.nix.example
+++ b/morph/grid/local/public-keys/users.nix.example
+let
+# Add your public key. Example:
+# key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
+# You can use the following to get key from the local machine.
+# key = builtins.readFile ~/.ssh/id_ed25519.pub;
+  key = undefined;
+  keys = [key]
+in {
+  "root" = keys;
+  "vagrant" = keys;
+}
--- a/morph/grid/production/.gitignore
+++ b/morph/grid/production/.gitignore
+private-keys
--- a/morph/grid/production/config.json
+++ b/morph/grid/production/config.json
-{ "publicStoragePort": 8898
-, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
-, "stripeSecretKeyPath": "../../PrivateStorageSecrets/stripe.secret"
+{ "domain": "private.storage"
+, "publicStoragePort": 8898
+, "privateKeyPath": "./private-keys"
+, "publicKeyPath": "./public-keys"
+, "monitoringvpnEndpoint": "monitoring.private.storage:51820"
 , "passValue": 1000000
-, "issuerDomain": "payments.privatestorage.io"
+, "issuerDomains": [
+    "payments.private.storage"
+  , "payments.privatestorage.io"
+  ]
+, "monitoringDomains": [
+    "monitoring.private.storage"
+  , "monitoring.privatestorage.io"
+  ]
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 , "allowedChargeOrigins": [
-    "https://privatestorage.io"
-  , "https://www.privatestorage.io"
+    "https://private.storage"
  ]
+, "monitoringGoogleOAuthClientID": "802959152038-klpkk38sfnqmknn1ucg7pvs4hcc2k8ae.apps.googleusercontent.com"
 }
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
-# Load the helper function and call it with arguments tailored for the testing
-# grid.  It will make the morph configuration for us.  We share this function
-# with the testing grid and have one fewer possible point of divergence.
-import ../../lib/make-grid.nix {
-  name = "Production";
-  config = ./config.json;
-  nodes = cfg:
+# See morph/grid/local/grid.nix for additional commentary.
 let
-      sshUsers = import ../../../../PrivateStorageSecrets/production-users.nix;
+  gridlib = import ../../lib;
+  grid-config = builtins.fromJSON (builtins.readFile ./config.json);
+
+  # Module with per-grid configuration
+  grid-module = {config, ...}: {
+    imports = [
+      gridlib.base
+      # Allow us to remotely trigger updates to this system.
+      ../../../nixos/modules/deployment.nix
+      # Give it a good SSH configuration.
+      ../../../nixos/modules/ssh.nix
+    ];
+    services.private-storage.sshUsers = import ./public-keys/users.nix;
+    networking.domain = grid-config.domain;
+    # Convert relative paths to absolute so library code can resolve names
+    # correctly.
+    grid = {
+      publicKeyPath = toString ./. + "/${grid-config.publicKeyPath}";
+      privateKeyPath = toString ./. + "/${grid-config.privateKeyPath}";
+      inherit (grid-config) monitoringvpnEndpoint letsEncryptAdminEmail;
+    };
+    # Configure deployment management authorization for all systems in the grid.
+    services.private-storage.deployment = {
+      authorizedKey = builtins.readFile "${config.grid.publicKeyPath}/deploy_key.pub";
+      gridName = "production";
+    };
+  };
+
+  payments = {
+    imports = [
+      gridlib.issuer
+      gridlib.hardware-aws
+      grid-module
+    ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.11";
+      grid.issuer = {
+        inherit (grid-config) issuerDomains allowedChargeOrigins;
+      };
+    };
+  };
+
+  monitoring = {
+    imports = [
+      gridlib.monitoring
+      gridlib.hardware-aws
+      grid-module
+    ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.1";
+      grid.monitoring = {
+        inherit paymentExporterTargets blackboxExporterHttpsTargets;
+        inherit (grid-config) monitoringDomains;
+        googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
+        enableZulipAlert = true;
+      };
+      system.stateVersion = "19.09";
+    };
+  };
+
+  defineStorageNode = name: { vpnIP, stateVersion }:
+  let
+    nodecfg = import (./. + "/${name}-config.nix");
+    hardware = (./. + "/${name}-hardware.nix");
  in {
-    # Here are the hosts that are in this morph network.  This is sort of like
-    # a server manifest.  We try to keep as many of the specific details as
-    # possible out of *this* file so that this file only grows as server count
-    # grows.  If it grows too much, we can load servers by listing contents of
-    # a directory or reading from another JSON file or some such.  For now,
-    # I'm just manually maintaining these entries.
-    #
-    # The name on the left of the `=` is mostly irrelevant but it does provide
-    # a default hostname for the server if the configuration on the right side
-    # doesn't specify one.
-    #
-    # The names must be unique!
-    "payments.privatestorage.io" = import ../../lib/issuer.nix ({
-      inherit sshUsers;
-      hardware = ../../lib/issuer-aws.nix;
-      stateVersion = "19.03";
-    } // cfg);
-
-    "storage001" = import ../../lib/make-storage.nix ({
-        cfg = import ./storage001-config.nix;
-        inherit sshUsers;
-        hardware = ./storage001-hardware.nix;
-        stateVersion = "19.09";
-    } // cfg);
-    "storage002" = import ../../lib/make-storage.nix ({
-        cfg = import ./storage002-config.nix;
-        inherit sshUsers;
-        hardware = ./storage002-hardware.nix;
-        stateVersion = "19.09";
-    } // cfg);
-    "storage003" = import ../../lib/make-storage.nix ({
-        cfg = import ./storage003-config.nix;
-        inherit sshUsers;
-        hardware = ./storage003-hardware.nix;
-        stateVersion = "19.09";
-    } // cfg);
-    "storage004" = import ../../lib/make-storage.nix ({
-        cfg = import ./storage004-config.nix;
-        inherit sshUsers;
-        hardware = ./storage004-hardware.nix;
-        stateVersion = "19.09";
-    } // cfg);
-    "storage005" = import ../../lib/make-storage.nix ({
-        cfg = import ./storage005-config.nix;
-        inherit sshUsers;
-        hardware = ./storage005-hardware.nix;
-        stateVersion = "19.03";
-    } // cfg);
-  };
-}
+    imports = [
+      # Get some of the very lowest-level system configuration for this
+      # node.  This isn't all *completely* hardware related.  Maybe some
+      # more factoring is in order, someday.
+      hardware
+
+      # Slightly awkwardly, enable some of our hardware / network / bootloader options.
+      ../../../nixos/modules/100tb.nix
+
+      # At least some of our storage nodes utilize MegaRAID storage controllers.
+      # Monitor their array status.
+      ../../../nixos/modules/monitoring/exporters/megacli2prom.nix
+
+      # Get all of the configuration that is common across all storage nodes.
+      gridlib.storage
+      # Also configure deployment management authorization
+      grid-module
+    ];
+
+    config = {
+      grid.monitoringvpnIPv4 = vpnIP;
+      grid.storage = {
+        inherit (grid-config) passValue publicStoragePort;
+      };
+      system.stateVersion = stateVersion;
+
+      # And supply configuration for those hardware / network / bootloader
+      # options.  See the 100tb module for handling of this value.  The module
+      # name is quoted because `1` makes `100tb` look an awful lot like a
+      # number.
+      "100tb".config = nodecfg;
+
+      # Enable statistics gathering for MegaRAID cards.
+      # TODO would be nice to enable only on machines that have such a device.
+      services.private-storage.monitoring.exporters.megacli2prom.enable = true;
+    };
+  };
+
+  # Define all of the storage nodes for this grid.
+  storageNodes = builtins.mapAttrs defineStorageNode {
+    storage001 = { vpnIP = "172.23.23.21"; stateVersion = "19.09"; };
+    storage002 = { vpnIP = "172.23.23.22"; stateVersion = "19.09"; };
+    storage003 = { vpnIP = "172.23.23.23"; stateVersion = "19.09"; };
+    storage004 = { vpnIP = "172.23.23.24"; stateVersion = "19.09"; };
+    storage005 = { vpnIP = "172.23.23.25"; stateVersion = "19.03"; };
+  };
+
+  paymentExporterTargets = [ "payments.monitoringvpn" ];
+  blackboxExporterHttpsTargets = [
+    "https://private.storage/"
+    "https://www.private.storage/"
+    "https://privatestorage.io/"
+    "https://www.privatestorage.io/"
+    "https://payments.private.storage/"
+    "https://payments.privatestorage.io/"
+    "https://monitoring.private.storage/"
+    "https://monitoring.privatestorage.io/"
+  ];
+
+in {
+  network = {
+    description = "PrivateStorage.io Production Grid";
+    inherit (gridlib) pkgs;
+  };
+  inherit payments;
+  inherit monitoring;
+} // storageNodes
--- a/morph/grid/production/public-keys/borgbackup/storage001.repopath
+++ b/morph/grid/production/public-keys/borgbackup/storage001.repopath
+gye1flhy@gye1flhy.repo.borgbase.com:repo
--- a/morph/grid/production/public-keys/borgbackup/storage002.repopath
+++ b/morph/grid/production/public-keys/borgbackup/storage002.repopath
+l4642x1g@l4642x1g.repo.borgbase.com:repo
--- a/morph/grid/production/public-keys/borgbackup/storage003.repopath
+++ b/morph/grid/production/public-keys/borgbackup/storage003.repopath
+c7400xl6@c7400xl6.repo.borgbase.com:repo
--- a/morph/grid/production/public-keys/borgbackup/storage004.repopath
+++ b/morph/grid/production/public-keys/borgbackup/storage004.repopath
+sbn13vf8@sbn13vf8.repo.borgbase.com:repo
--- a/morph/grid/production/public-keys/borgbackup/storage005.repopath
+++ b/morph/grid/production/public-keys/borgbackup/storage005.repopath
+wg8x4po7@wg8x4po7.repo.borgbase.com:repo
--- a/morph/grid/production/public-keys/deploy_key.pub
+++ b/morph/grid/production/public-keys/deploy_key.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK50RwXncelNB4JAazoXEhCxXbJZ79qWcQMAWeX14H+W exarkun@baryon
No results found