# See morph/grid/local/grid.nix for additional commentary.
let
  gridlib = import ../../lib;

  # Grid-wide settings, decoded once from the JSON file beside this expression.
  cfgJson = builtins.fromJSON (builtins.readFile ./config.json);

  # Module every system in this grid imports: base config, remote deployment
  # triggering, SSH hardening, and the per-grid `grid.*` values.
  grid-module = { config, ... }: {
    imports = [
      gridlib.base
      # Allow us to remotely trigger updates to this system.
      ../../../nixos/modules/deployment.nix
      # Give it a good SSH configuration.
      ../../../nixos/modules/ssh.nix
    ];

    services.private-storage.sshUsers = import ./public-keys/users.nix;
    networking.domain = cfgJson.domain;

    # The key paths in config.json are relative; anchor them to this directory
    # so library code can resolve names correctly.
    grid = {
      publicKeyPath = toString ./. + "/${cfgJson.publicKeyPath}";
      privateKeyPath = toString ./. + "/${cfgJson.privateKeyPath}";
      monitoringvpnEndpoint = cfgJson.monitoringvpnEndpoint;
      letsEncryptAdminEmail = cfgJson.letsEncryptAdminEmail;
    };

    # Deployment management authorization for all systems in the grid. Only
    # the public half of the deploy key (deploy_key.pub) is read here.
    services.private-storage.deployment = {
      authorizedKey = builtins.readFile "${config.grid.publicKeyPath}/deploy_key.pub";
      gridName = "production";
    };
  };

  # Targets scraped / probed by the monitoring node.
  paymentTargets = [ "payments.monitoringvpn" ];
  httpsProbeTargets = [
    "https://deerfield.leastauthority.com/"
    "https://www.deerfield.leastauthority.com/"
    "https://payments.deerfield.leastauthority.com/"
    "https://monitoring.deerfield.leastauthority.com/"
  ];

  # The payment / issuer system.
  payments = {
    imports = [
      gridlib.issuer
      gridlib.hardware-payments-ovh
      grid-module
    ];
    config = {
      grid.monitoringvpnIPv4 = "172.23.23.11";
      grid.issuer = {
        issuerDomains = cfgJson.issuerDomains;
        allowedChargeOrigins = cfgJson.allowedChargeOrigins;
        tokensPerVoucher = cfgJson.tokensPerVoucher;
      };
    };
  };

  # The monitoring system.
  monitoring = {
    imports = [
      gridlib.monitoring
      gridlib.hardware-monitoring-ovh
      grid-module
    ];
    config = {
      grid.monitoringvpnIPv4 = "172.23.23.1";
      grid.monitoring = {
        paymentExporterTargets = paymentTargets;
        blackboxExporterHttpsTargets = httpsProbeTargets;
        monitoringDomains = cfgJson.monitoringDomains;
        googleOAuthClientID = cfgJson.monitoringGoogleOAuthClientID;
        enableSlackAlert = false;
      };
      system.stateVersion = "19.09";
    };
  };

  # Build one storage node definition from its name, VPN address and
  # NixOS state version. Per-node config and hardware files are looked up
  # beside this expression as `<name>-config.nix` and `<name>-hardware.nix`.
  mkStorageNode = name: { vpnIP, stateVersion }:
    let
      nodeConfig = import (./. + "/${name}-config.nix");
      hardwareModule = (./. + "/${name}-hardware.nix");
    in {
      imports = [
        # Get some of the very lowest-level system configuration for this
        # node. This isn't all *completely* hardware related. Maybe some
        # more factoring is in order, someday.
        hardwareModule
        # Slightly awkwardly, enable some of our hardware / network / bootloader options.
        ../../../nixos/modules/100tb.nix
        # At least some of our storage nodes utilize MegaRAID storage controllers.
        # Monitor their array status.
        ../../../nixos/modules/monitoring/exporters/megacli2prom.nix
        # Get all of the configuration that is common across all storage nodes.
        gridlib.storage
        # Also configure deployment management authorization
        grid-module
      ];
      config = {
        grid.monitoringvpnIPv4 = vpnIP;
        grid.storage = {
          passValue = cfgJson.passValue;
          publicStoragePort = cfgJson.publicStoragePort;
        };
        system.stateVersion = stateVersion;

        # And supply configuration for those hardware / network / bootloader
        # options. See the 100tb module for handling of this value. The module
        # name is quoted because `1` makes `100tb` look an awful lot like a
        # number.
        "100tb".config = nodeConfig;

        # Enable statistics gathering for MegaRAID cards.
        # TODO would be nice to enable only on machines that have such a device.
        services.private-storage.monitoring.exporters.megacli2prom.enable = true;

        # Disable Borg Backup for this grid!
        services.private-storage.borgbackup.enable = false;
      };
    };

  # Name -> { vpnIP, stateVersion } for every storage node in this grid.
  storageNodeSpecs = {
    storage001 = { vpnIP = "172.23.23.21"; stateVersion = "19.09"; };
    storage002 = { vpnIP = "172.23.23.22"; stateVersion = "19.09"; };
    storage003 = { vpnIP = "172.23.23.23"; stateVersion = "19.09"; };
  };

  # Define all of the storage nodes for this grid.
  storageNodes = builtins.mapAttrs mkStorageNode storageNodeSpecs;

in {
  network = {
    description = "HRO Grid";
    inherit (gridlib) pkgs;
  };
  inherit payments monitoring;
} // storageNodes