morph/grid/production/public-keys/monitoringvpn/172.23.23.1.pub

+f4PF38t1ZRneFCV+12irDbMuG81WK6jiH0Ba+P+XtXM=

morph/grid/production/public-keys/monitoringvpn/172.23.23.11.pub

+yBdp154+SjyjTJM6ag1mbdnXORWrv/mJ01NJdkEe9VY=

morph/grid/production/public-keys/monitoringvpn/172.23.23.21.pub

+G0//oetsCGa75x8rLsg98c9GT9a0ncf1yG9w2+5JV0M=

morph/grid/production/public-keys/monitoringvpn/172.23.23.22.pub

+Zq4OsMOTJ2NsVi00hB0x20mMqvoCrDUfleoI5rzIeEc=

morph/grid/production/public-keys/monitoringvpn/172.23.23.23.pub

+9ThSUgSNrykQEULj70QQyjlvtvGTmMPqsRMz8hc9xHA=

morph/grid/production/public-keys/monitoringvpn/172.23.23.24.pub

+fPUnFOzBZRJDBdSR6iS5AaC40KKy/2REiM16hx+woxk=

morph/grid/production/public-keys/monitoringvpn/172.23.23.25.pub

+qS4rT+zjWrbXDhtEF4oyGv8/5oCIE1ZU9FF+O6AL8V4=

morph/grid/production/public-keys/monitoringvpn/server.pub

+172.23.23.1.pub
\ No newline at end of file

morph/grid/production/public-keys/users.nix

+let
+  flo = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6EUU/KNDr7y3m5OVWBZAuPiMJ4us3YOBEhxpG29yPN flo@la"];
+  last-resort = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1hy9mPkJI+7mY2Uq6CLpuFMMLOTfiY2sRJHwpihgRt cardno:26 269 859 - Last Resort A-Key"
+                  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPYMUVNuWr2y+FL1GxW6S6jb3BWYhbzJ2zhvQVKu2ll cardno:23 845 763 - Last Resort C-key"
+                ];
+in {
+  "root" = flo ++ last-resort;
+  inherit  flo    last-resort;
+}

morph/grid/production/storage000-config.nix

-{ "interface" = "eno1";
-  "publicIPv4" = "69.36.183.24";
-  "prefixLength" = 24;
-  "gateway" = "69.36.183.1";
-  "gatewayInterface" = "eno1";
-  "grubDeviceID" = "wwn-0x5000c500936410b9";
-}

morph/grid/production/storage000-hardware.nix

-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
-
-{
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    ];
-
-  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "megaraid_sas" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/ccabaa39-d888-467e-b8d9-75b5790a91aa";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/849c8696-a7e6-42d2-810d-15326d9f9ff6";
-      fsType = "ext4";
-    };
-
-  fileSystems."/storage" =
-    { device = "/dev/disk/by-uuid/2745cbf3-5a63-491d-ab92-6dfd4da1b504";
-      fsType = "ext4";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/c6f09c9a-572a-4b0f-b792-412cb5c749d4"; }
-    ];
-
-  nix.maxJobs = lib.mkDefault 32;
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-}

morph/grid/production/storage001-hardware.nix

-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
+# NixOS configuration specific to this node
 { config, lib, pkgs, ... }:
 
 {
@@ -12,6 +10,7 @@
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
+  boot.kernel.sysctl = { "vm.swappiness" = 1; };
 
   fileSystems."/" =
     { device = "/dev/disk/by-uuid/f72c1f46-6723-45bf-9ef7-92f31cc37589";
@@ -30,10 +29,13 @@
       fsType = "zfs";
     };
 
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/f986a811-4912-4e9a-8bc3-01cb6926c4c6"; }
-    ];
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 8192; # megabytes
+    randomEncryption = true;
+  } ];
+
 
-  nix.maxJobs = lib.mkDefault 24;
+  nix.settings.max-jobs = lib.mkDefault 24;
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }

morph/grid/production/storage002-hardware.nix

-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
+# NixOS configuration specific to this node
 { config, lib, pkgs, ... }:
 
 {
@@ -12,6 +10,7 @@
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
+  boot.kernel.sysctl = { "vm.swappiness" = 1; };
 
   fileSystems."/" =
     { device = "/dev/disk/by-uuid/0e92ada9-effb-42e2-a26a-9cdb529bcdc7";
@@ -30,10 +29,12 @@
       fsType = "ext4";
     };
 
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/f762b5e2-bbdd-4a02-bbd9-0bf6b11e0ab5"; }
-    ];
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 8192; # megabytes
+    randomEncryption = true;
+  } ];
 
-  nix.maxJobs = lib.mkDefault 24;
+  nix.settings.max-jobs = lib.mkDefault 24;
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }

morph/grid/production/storage003-config.nix

@@ -4,5 +4,5 @@
   "prefixLength" = 30;
   "gateway" = "45.83.89.185";
   "gatewayInterface" = "eno1";
-  "grubDeviceID" = "wwn-0x5000cca248c31469";
+  "grubDeviceID" = "wwn-0x5000039a8bc00766";
 }

morph/grid/production/storage003-hardware.nix

-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
+# NixOS configuration specific to this node
+{ config, lib, pkgs, modulesPath, ... }:
 
 {
   imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "megaraid_sas" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "megaraid_sas" "usbhid" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.kernel.sysctl = { "vm.swappiness" = 1; };
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/daf0b345-97da-46bc-b9df-500d771ec375";
+    { device = "/dev/disk/by-uuid/240fc1f6-cd55-48a3-ac80-5b3550a32ef5";
       fsType = "ext4";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/a1843705-f4e9-4805-924c-19f464d23da7";
+    { device = "/dev/disk/by-label/boot";
       fsType = "ext4";
     };
 
   # Manually created using:
-  #   zpool create -f -m legacy -o ashift=12 root raidz /dev/disk/by-id/{wwn-0x5000cca249d43969,wwn-0x5000cca248dd1f83,wwn-0x5000cca249d44a67,wwn-0x5000cca249d46730,wwn-0x5000cca25dcc719c,wwn-0x5000cca25dcc0241,wwn-0x5000cca24ac2b2df}
+  #   zpool create -f -m legacy -o ashift=12 root raidz /dev/disk/by-id/{wwn-0x5000cca249d43969,wwn-0x5000039a8bc0075e,wwn-0x5000cca249d44a67,wwn-0x5000cca249d46730,wwn-0x5000cca25dcc719c,wwn-0x5000cca25dcc0241,wwn-0x5000039a8bc00765}
   fileSystems."/storage" =
     { device = "root";
       fsType = "zfs";
     };
 
-  swapDevices = [ ];
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 8192; # megabytes
+    randomEncryption = true;
+  } ];
 
-  nix.maxJobs = lib.mkDefault 24;
+  nix.settings.max-jobs = lib.mkDefault 24;
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }

morph/grid/production/storage004-hardware.nix

-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
+# NixOS configuration specific to this node
 { config, lib, pkgs, ... }:
 
 {
@@ -12,6 +10,7 @@
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
+  boot.kernel.sysctl = { "vm.swappiness" = 1; };
 
   fileSystems."/" =
     { device = "/dev/disk/by-uuid/d628122e-05d9-4212-b6a5-4b9516d85dbe";
@@ -25,8 +24,12 @@
       fsType = "zfs";
     };
 
-  swapDevices = [ ];
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 8192; # megabytes
+    randomEncryption = true;
+  } ];
 
-  nix.maxJobs = lib.mkDefault 32;
+  nix.settings.max-jobs = lib.mkDefault 32;
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }

morph/grid/production/storage005-hardware.nix

-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
+# NixOS configuration specific to this node
 { config, lib, pkgs, ... }:
 
 {
@@ -12,6 +10,7 @@
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
+  boot.kernel.sysctl = { "vm.swappiness" = 1; };
 
   fileSystems."/" =
     { device = "/dev/disk/by-uuid/2653c6bb-396f-4911-b9ff-b68de8f9715d";
@@ -30,8 +29,12 @@
     fsType = "zfs";
   };
 
-  swapDevices = [ ];
+  swapDevices = [ {
+    device = "/var/swapfile";
+    size = 8192; # megabytes
+    randomEncryption = true;
+  } ];
 
-  nix.maxJobs = lib.mkDefault 32;
+  nix.settings.max-jobs = lib.mkDefault 32;
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }

morph/grid/testing/.gitignore

+private-keys

morph/grid/testing/config.json

-{ "publicStoragePort": 8898
-, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
-, "stripeSecretKeyPath": "../../PrivateStorageSecrets/privatestorageio-testing-stripe.secret"
+{ "domain": "privatestorage-staging.com"
+, "publicStoragePort": 8898
+, "privateKeyPath": "./private-keys"
+, "publicKeyPath": "./public-keys"
+, "monitoringvpnEndpoint": "monitoring.privatestorage-staging.com:51820"
 , "passValue": 1000000
-, "issuerDomain": "payments.privatestorage-staging.com"
+, "issuerDomains": [
+    "payments.privatestorage-staging.com"
+  , "payments.extra.privatestorage-staging.com"
+  ]
+, "monitoringDomains": [
+    "monitoring.privatestorage-staging.com"
+  , "monitoring.extra.privatestorage-staging.com"
+  ]
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 , "allowedChargeOrigins": [
     "http://localhost:5000"
   , "https://privatestorage-staging.com"
-  , "https://www.privatestorage-staging.com"
   ]
+, "monitoringGoogleOAuthClientID": "802959152038-6esn1c6u2lm3j82lf29jvmn8s63hi8dc.apps.googleusercontent.com"
 }

morph/grid/testing/grid.nix

-# Load the helper function and call it with arguments tailored for the testing
-# grid.  It will make the morph configuration for us.  We share this function
-# with the production grid and have one fewer possible point of divergence.
-import ../../lib/make-grid.nix {
-  name = "Testing";
-  config = ./config.json;
-  nodes = cfg:
+# See morph/grid/local/grid.nix for additional commentary.
 let
-    sshUsers = import ../../../../PrivateStorageSecrets/staging-users.nix;
-  in {
-    "payments.privatestorage-staging.com" = import ../../lib/issuer.nix ({
-      inherit sshUsers;
-      hardware = ../../lib/issuer-aws.nix;
-      stateVersion = "19.03";
-    } // cfg);
+  gridlib = import ../../lib;
+  grid-config = builtins.fromJSON (builtins.readFile ./config.json);
+
+  # Module with per-grid configuration
+  grid-module = {config, ...}: {
+    imports = [
+      gridlib.base
+      # Allow us to remotely trigger updates to this system.
+      ../../../nixos/modules/deployment.nix
+      # Give it a good SSH configuration.
+      ../../../nixos/modules/ssh.nix
+    ];
+    services.private-storage.sshUsers = import ./public-keys/users.nix;
+    networking.domain = grid-config.domain;
+    # Convert relative paths to absolute so library code can resolve names
+    # correctly.
+    grid = {
+      publicKeyPath = toString ./. + "/${grid-config.publicKeyPath}";
+      privateKeyPath = toString ./. + "/${grid-config.privateKeyPath}";
+      inherit (grid-config) monitoringvpnEndpoint letsEncryptAdminEmail;
+    };
+    # Configure deployment management authorization for all systems in the grid.
+    services.private-storage.deployment = {
+      authorizedKey = builtins.readFile "${config.grid.publicKeyPath}/deploy_key.pub";
+      gridName = "testing";
+    };
+  };
 
-    "3.120.26.190" = import ../../lib/make-testing.nix (cfg // {
-      publicIPv4 = "3.120.26.190";
-      inherit sshUsers;
-      hardware = ./testing001-hardware.nix;
-      stateVersion = "19.03";
-    });
+  payments = {
+    imports = [
+      gridlib.issuer
+      gridlib.hardware-aws
+      grid-module
+    ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.11";
+      grid.issuer = {
+        inherit (grid-config) issuerDomains allowedChargeOrigins;
+      };
+    };
+  };
+
+  storage001 = {
+    imports = [
+      gridlib.storage
+      gridlib.hardware-aws
+      ./testing001-hardware.nix
+      grid-module
+    ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.12";
+      grid.storage = {
+        inherit (grid-config) passValue publicStoragePort;
+      };
+      system.stateVersion = "19.03";
+    };
+  };
+
+  monitoring = {
+    imports = [
+      gridlib.monitoring
+      gridlib.hardware-aws
+      grid-module
+    ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.1";
+      grid.monitoring = {
+        inherit paymentExporterTargets blackboxExporterHttpsTargets;
+        inherit (grid-config) monitoringDomains;
+        googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
+        enableZulipAlert = true;
+      };
+      system.stateVersion = "19.09";
+    };
+  };
+
+  # TBD: derive these automatically:
+  paymentExporterTargets = [ "payments.monitoringvpn" ];
+  blackboxExporterHttpsTargets = [
+    "https://privatestorage-staging.com/"
+    "https://www.privatestorage-staging.com/"
+    "https://extra.privatestorage-staging.com/"
+    "https://www.extra.privatestorage-staging.com/"
+    "https://payments.privatestorage-staging.com/"
+    "https://payments.extra.privatestorage-staging.com/"
+    "https://monitoring.privatestorage-staging.com/"
+    "https://monitoring.extra.privatestorage-staging.com/"
+  ];
+
+in {
+  network = {
+    description = "PrivateStorage.io Testing Grid";
+    inherit (gridlib) pkgs;
   };
+  inherit payments monitoring storage001;
 }