rec {
deployment = {
secrets = {
"ristretto-signing-key" = {
# source = ...;
destination = "/run/keys/ristretto.signing-key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
# Service name here matches the name defined by our tahoe-lafs nixos
# module. It would be nice to not have to hard-code it here. Can we
# extract it from the tahoe-lafs nixos module somehow?
action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
};
"monitoringvpn-secret-key" = {
# source = ...;
destination = "/run/keys/monitoringvpn/client.key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
};
"monitoringvpn-preshared-key" = {
# source = ...;
destination = "/run/keys/monitoringvpn/preshared.key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
};
};
};
# Any extra NixOS modules to load on this server.
imports = [
# Bring in our module for configuring the Tahoe-LAFS service and other
# Private Storage-specific things.
../../nixos/modules/private-storage.nix
# Connect to the monitoringvpn.
../../nixos/modules/monitoring/vpn/client.nix
# Expose base system metrics over the monitoringvpn.
../../nixos/modules/monitoring/exporters/node.nix
];
# Turn on the Private Storage (Tahoe-LAFS) service.
services.private-storage = {
# Yep. Turn it on.
enable = true;
# Get the public IPv4 address from the node configuration.
# inherit (cfg) publicIPv4;
# And the port to operate on is specified via parameter.
# inherit publicStoragePort;
# Give it the Ristretto signing key, too, to support authorization.
ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
# Assign the configured pass value.
# inherit passValue;
# It gets the users, too.
# sshUsers = ...;
};
# system.stateVersion = ...'
services.private-storage.monitoring.vpn.client = {
# enable = ...;
# ip = ...;
# endpoint = ...;
# endpointPublicKeyFile = ...;
};
}