morph/grid/local/private-keys/payments-localdev-ssl/privkey.pem

+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDgQr5DKa3UYw/B
+AnsHjFUxU6SC7uVQPBwvFyteWOIhPBuPHEmBN5v3usOYOCb314BA/XmPtf2Ws0F1
+SOrKI53xy1Y/V6rFMMNyFbatmZ/tAfGE62zcXAx++5lMdJlM4gJtW4JZqDW3ePqt
+BXvBYSvxDSY+1KaUYw9s4lfTMO1E9SYzG30qO/+2TldnFpPoXszssLBPtwTOpo7t
+Wh222K8gHRM0cH0CnCP/TwvOAXJPXvrRIlkCJgX/A4LkPgobkjphrT9ayPoauR3w
+oph9DQgjUolHzVXLm8/dtBUQXgMfaDNBv7uH3nkvE+WtT04Wa3YYyMnBJlOcLDOx
+d+Ec5LhJAgMBAAECggEARI3in6FkFCLcNAJQHbSWbmfFSIlC7E4Tx4lrpoHBTquT
+OSJKjgez0/zxwdyYfPcRq8xQls/pX2IYxoOt0nEk3T9tdBuWhoUrmfptR5BIxSjs
+7dcSBiLVZxP+ftK98jS8zTVGGaZEFXwUFUQx2qGbzypX4Kkc6wuFMaHXeyXfwk4j
+v3lOTpT7kX/3iVXzQU9Y5m45W1bbt3lSV4yCndOt/4Xg5d4ue6UcUsyg/r8m5wsU
+nCc14L0HsY/VCCRISmDwa4UoqHGfQv6+XXxLT8gJM7H8PkZK8TRV/ZG2Yug63wDS
+xkhMZBodGoYuQpB19Y+NxjwG8Se7RxcCAyS7zcYcCQKBgQD/VWesc2/TplikifQf
+LJl+utiQ9G/o3wAquAKInxQOcUxOm1fsvjgsLfrjpAVj0D3qD0Sf3lSp7z3tpUMf
+MSi9MgNunSU7pKST7jex6BJNU0TTRcFnoqcIlUYiDoLLbkkVlf8Nome88gkwJRKZ
+RjI+6ES9hGaM85QEgjdtRNGXIwKBgQDg2JPfVXYyrOIITus/DHHv8em1RuGCIe6X
+T3M0+GgJ27hOEeneAyzk4aWvVzE3/3lxx55ePGRAz43jPrUxn0kfy/Jx4UMKsEW+
+XzR7CfxTxamUx/mq2bbqk+bbnXZZQedAip4eQ23GbWdrE4/v83JXzWj355yUQCQk
+uuIcda7fowKBgEY20CmmHOxQ5DNrFEy2UQd+jitebJ/XIw6cR2YWiMdn9JnxMf6S
+WJQdmM6cvjayfzQsOqzT0OhiN99wAMNFG3TbmgIDCMgcAH4Flh9AODg3W8fVeNfs
+7I35rq2S2/jhPQvIkbjIHkrhLBGnQDQSD6Mo8C5FiIXePaf3vxI3SIONAoGAZdOv
+pEUf8nM5KmoTP8pzDyePn/kpx7V2SDBDDIozE8PeA/043MKzYjSOxInIUIPyjATL
+RAI1pORabb/Ib2CjzTKf6dMKeZy6+SxEqDQtggLSef7WovlWTYYN1wfIwUOHZ0Nf
+uHTxEhwZ6fRCC3lFH153W04ZK0qhE8FPBXSGbeECgYBcY0QmOd3ao3v0xscKmPlM
+E9MICgwgEJ6pAsaOI30OHqUAtlqrlw5ph3skxlLUpHWW6OUczUUV6nwguk4piuee
+1J9uuA02FlIvvUy5Bsrgqlu0Lj5vJ8Im2Go9dJ8k/m9J5BUgDdPuNwnmjiyNQurd
+Fl50FWx/3WeJB2qK981vmw==
+-----END PRIVATE KEY-----

morph/grid/local/private-keys/ristretto.signing-key

+NAQBkEEUKPDtq8af5anlHvWMjeSVoH56RnpCTy70QwA=
\ No newline at end of file

morph/grid/local/private-keys/stripe.secret

+sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw

morph/grid/local/private-keys/stripe.webhook-secret

+whsec_12121212121212121212121212121212121212

morph/grid/local/public-keys/borgbackup/storage1.repopath

+abc123de@abc123de.repo.borgbase.com:repo

morph/grid/local/public-keys/borgbackup/storage2.repopath

+vwx789yz@vwx789yz.repo.borgbase.com:repo

morph/grid/local/public-keys/deploy_key.pub

+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANTUgFOHIfRuVYEbxp8gD+H9uZV1RCQUC4AhCABYT57 exarkun@baryon

morph/grid/local/public-keys/monitoringvpn/172.23.23.11.pub

+GYNjLkoyQ1d3OMymYbgq40WAHIUzrSEGBWXvxqceF00=

morph/grid/local/public-keys/monitoringvpn/172.23.23.12.pub

+veio/0E0sJYOjwp3E8EccCyME1pqjkZr4R6whFMdrhs=

morph/grid/local/public-keys/monitoringvpn/172.23.23.13.pub

+4VlUMl9FubrLWaN0pRvfdNjjRBQzfCVLMA2lU7OwPzA=

morph/grid/local/public-keys/monitoringvpn/server.pub

+ojo+p9ZE03GN66ewoIlrHmyV7ICt+2LV32Prs66JsA4=

morph/grid/local/public-keys/users.nix.example

+let
+# Add your public key. Example:
+# key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
+# You can use the following to get key from the local machine.
+# key = builtins.readFile ~/.ssh/id_ed25519.pub;
+  key = undefined;
+  keys = [key]
+in {
+  "root" = keys;
+  "vagrant" = keys;
+}

morph/grid/production/.gitignore

+private-keys

morph/grid/production/config.json

+{ "domain": "private.storage"
+, "publicStoragePort": 8898
+, "privateKeyPath": "./private-keys"
+, "publicKeyPath": "./public-keys"
+, "monitoringvpnEndpoint": "monitoring.private.storage:51820"
+, "passValue": 1000000
+, "issuerDomains": [
+    "payments.private.storage"
+  , "payments.privatestorage.io"
+  ]
+, "monitoringDomains": [
+    "monitoring.private.storage"
+  , "monitoring.privatestorage.io"
+  ]
+, "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
+, "allowedChargeOrigins": [
+    "https://private.storage"
+  ]
+, "monitoringGoogleOAuthClientID": "802959152038-klpkk38sfnqmknn1ucg7pvs4hcc2k8ae.apps.googleusercontent.com"
+}

morph/grid/production/grid.nix

+# See morph/grid/local/grid.nix for additional commentary.
+let
+  gridlib = import ../../lib;
+  grid-config = builtins.fromJSON (builtins.readFile ./config.json);
+
+  # Module with per-grid configuration
+  grid-module = {config, ...}: {
+    imports = [
+      gridlib.base
+      # Allow us to remotely trigger updates to this system.
+      ../../../nixos/modules/deployment.nix
+      # Give it a good SSH configuration.
+      ../../../nixos/modules/ssh.nix
+    ];
+    services.private-storage.sshUsers = import ./public-keys/users.nix;
+    networking.domain = grid-config.domain;
+    # Convert relative paths to absolute so library code can resolve names
+    # correctly.
+    grid = {
+      publicKeyPath = toString ./. + "/${grid-config.publicKeyPath}";
+      privateKeyPath = toString ./. + "/${grid-config.privateKeyPath}";
+      inherit (grid-config) monitoringvpnEndpoint letsEncryptAdminEmail;
+    };
+    # Configure deployment management authorization for all systems in the grid.
+    services.private-storage.deployment = {
+      authorizedKey = builtins.readFile "${config.grid.publicKeyPath}/deploy_key.pub";
+      gridName = "production";
+    };
+  };
+
+  payments = {
+    imports = [
+      gridlib.issuer
+      gridlib.hardware-aws
+      grid-module
+    ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.11";
+      grid.issuer = {
+        inherit (grid-config) issuerDomains allowedChargeOrigins;
+      };
+    };
+  };
+
+  monitoring = {
+    imports = [
+      gridlib.monitoring
+      gridlib.hardware-aws
+      grid-module
+    ];
+    config = {
+      grid.monitoringvpnIPv4 = "172.23.23.1";
+      grid.monitoring = {
+        inherit paymentExporterTargets blackboxExporterHttpsTargets;
+        inherit (grid-config) monitoringDomains;
+        googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
+        enableZulipAlert = true;
+      };
+      system.stateVersion = "19.09";
+    };
+  };
+
+  defineStorageNode = name: { vpnIP, stateVersion }:
+  let
+    nodecfg = import (./. + "/${name}-config.nix");
+    hardware = (./. + "/${name}-hardware.nix");
+  in {
+    imports = [
+      # Get some of the very lowest-level system configuration for this
+      # node.  This isn't all *completely* hardware related.  Maybe some
+      # more factoring is in order, someday.
+      hardware
+
+      # Slightly awkwardly, enable some of our hardware / network / bootloader options.
+      ../../../nixos/modules/100tb.nix
+
+      # At least some of our storage nodes utilize MegaRAID storage controllers.
+      # Monitor their array status.
+      ../../../nixos/modules/monitoring/exporters/megacli2prom.nix
+
+      # Get all of the configuration that is common across all storage nodes.
+      gridlib.storage
+      # Also configure deployment management authorization
+      grid-module
+    ];
+
+    config = {
+      grid.monitoringvpnIPv4 = vpnIP;
+      grid.storage = {
+        inherit (grid-config) passValue publicStoragePort;
+      };
+      system.stateVersion = stateVersion;
+
+      # And supply configuration for those hardware / network / bootloader
+      # options.  See the 100tb module for handling of this value.  The module
+      # name is quoted because `1` makes `100tb` look an awful lot like a
+      # number.
+      "100tb".config = nodecfg;
+
+      # Enable statistics gathering for MegaRAID cards.
+      # TODO would be nice to enable only on machines that have such a device.
+      services.private-storage.monitoring.exporters.megacli2prom.enable = true;
+    };
+  };
+
+  # Define all of the storage nodes for this grid.
+  storageNodes = builtins.mapAttrs defineStorageNode {
+    storage001 = { vpnIP = "172.23.23.21"; stateVersion = "19.09"; };
+    storage002 = { vpnIP = "172.23.23.22"; stateVersion = "19.09"; };
+    storage003 = { vpnIP = "172.23.23.23"; stateVersion = "19.09"; };
+    storage004 = { vpnIP = "172.23.23.24"; stateVersion = "19.09"; };
+    storage005 = { vpnIP = "172.23.23.25"; stateVersion = "19.03"; };
+  };
+
+  paymentExporterTargets = [ "payments.monitoringvpn" ];
+  blackboxExporterHttpsTargets = [
+    "https://private.storage/"
+    "https://www.private.storage/"
+    "https://privatestorage.io/"
+    "https://www.privatestorage.io/"
+    "https://payments.private.storage/"
+    "https://payments.privatestorage.io/"
+    "https://monitoring.private.storage/"
+    "https://monitoring.privatestorage.io/"
+  ];
+
+in {
+  network = {
+    description = "PrivateStorage.io Production Grid";
+    inherit (gridlib) pkgs;
+  };
+  inherit payments;
+  inherit monitoring;
+} // storageNodes

morph/grid/production/public-keys/borgbackup/storage001.repopath

+gye1flhy@gye1flhy.repo.borgbase.com:repo

morph/grid/production/public-keys/borgbackup/storage002.repopath

+l4642x1g@l4642x1g.repo.borgbase.com:repo

morph/grid/production/public-keys/borgbackup/storage003.repopath

+c7400xl6@c7400xl6.repo.borgbase.com:repo

morph/grid/production/public-keys/borgbackup/storage004.repopath

+sbn13vf8@sbn13vf8.repo.borgbase.com:repo