# Similar to ``issuer.nix`` but for a "storage"-type system.  Holes are filled
# by ``customize-storage.nix``.
{ config, ...} :
{
  deployment = {
    secrets = {
      "ristretto-signing-key" = {
        destination = "/run/keys/ristretto.signing-key";
        owner.user = "root";
        owner.group = "root";
        permissions = "0400";
        # Service name here matches the name defined by our tahoe-lafs nixos
        # module.  It would be nice to not have to hard-code it here.  Can we
        # extract it from the tahoe-lafs nixos module somehow?
        action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
      };
      "monitoringvpn-secret-key" = {
        destination = "/run/keys/monitoringvpn/client.key";
        owner.user = "root";
        owner.group = "root";
        permissions = "0400";
        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
      };
      "monitoringvpn-preshared-key" = {
        destination = "/run/keys/monitoringvpn/preshared.key";
        owner.user = "root";
        owner.group = "root";
        permissions = "0400";
        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
      };
    };
  };

  # Any extra NixOS modules to load on this server.
  imports = [
    # Allow us to remotely trigger updates to this system.
    ../../nixos/modules/deployment.nix
    # Bring in our module for configuring the Tahoe-LAFS service and other
    # Private Storage-specific things.
    ../../nixos/modules/private-storage.nix
    # Connect to the monitoringvpn.
    ../../nixos/modules/monitoring/vpn/client.nix
    # Expose base system metrics over the monitoringvpn.
    ../../nixos/modules/monitoring/exporters/node.nix
  ];

  # Turn on the Private Storage (Tahoe-LAFS) service.
  services.private-storage = {
    # Yep.  Turn it on.
    enable = true;
    # Give it the Ristretto signing key to support authorization.
    ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
  };
}