# This contains all of the NixOS system configuration necessary to specify an
# "storage"-type system.
{ lib, config, ...} :
let
inherit (config.grid) privateKeyPath;
in {
# Any extra NixOS modules to load on this server.
imports = [
./monitoringvpn-client.nix
./borgbackup.nix
];
options.grid.storage = {
passValue = lib.mkOption {
type = lib.types.int;
description = ''
An integer giving the value of a single pass in byte×months.
'';
};
publicStoragePort = lib.mkOption {
type = lib.types.port;
description = ''
An integer giving the port number to include in Tahoe storage service
advertisements and on which to listen for storage connections.
'';
};
};
config = {
deployment = {
secrets = {
"ristretto-signing-key" = {
destination = "/run/keys/ristretto.signing-key";
source = "${privateKeyPath}/ristretto.signing-key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
# Service name here matches the name defined by our tahoe-lafs nixos
# module. It would be nice to not have to hard-code it here. Can we
# extract it from the tahoe-lafs nixos module somehow?
action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
};
};
};
services.private-storage.monitoring.exporters = {
node.enable = true;
tahoe.enable = true;
promtail.enable = true;
promtail.extraScrapeConfigs = [
{
job_name = "tahoe-corruption-advisories";
static_configs = [
{
targets = [ "localhost" ];
labels = {
job = "tahoe-corruption-advisories";
__path__ = "/storage/corruption-advisories/*";
};
}
];
}
];
};
services.private-storage.borgbackup.enable = true;
# Turn on the Private Storage (Tahoe-LAFS) service.
services.private-storage = {
# Yep. Turn it on.
enable = true;
# Give it the Ristretto signing key to support authorization.
ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
inherit (config.grid.storage) passValue publicStoragePort;
};
};
}