
Comparing changes

base repository: NixOS/nixpkgs
base: 0d391a8e5a11
...
head repository: NixOS/nixpkgs
compare: c913f7155f6e
  • 3 commits
  • 1 file changed
  • 2 contributors

Commits on Sep 17, 2017

  1. glusterfs service: add support for TLS communication

    TLS settings are implemented as submodule.
    bachp committed Sep 17, 2017

    Verified

    This commit was signed with the committer’s verified signature. The key has expired.
    globin Robin Gloster
    c68118c View commit details

Commits on Sep 21, 2017

  1. gluster service: use str instead of path for private key

    This prevents the user from accidentally committing the key to the nix store,
    as would happen when providing a path instead of a string.
    bachp committed Sep 21, 2017
    8ed7586 View commit details
  2. Merge pull request #27340 from bachp/glusterfs-tls

    glusterfs service: add support for TLS communication
    joachifm authored Sep 21, 2017
    c913f71 View commit details
Showing with 61 additions and 0 deletions.
  1. +61 −0 nixos/modules/services/network-filesystems/glusterfs.nix
61 changes: 61 additions & 0 deletions nixos/modules/services/network-filesystems/glusterfs.nix
@@ -5,6 +5,22 @@ with lib;
let
inherit (pkgs) glusterfs rsync;

tlsCmd = if (cfg.tlsSettings != null) then
''
mkdir -p /var/lib/glusterd
touch /var/lib/glusterd/secure-access
''
else
''
rm -f /var/lib/glusterd/secure-access
'';

restartTriggers = if (cfg.tlsSettings != null) then [
config.environment.etc."ssl/glusterfs.pem".source
config.environment.etc."ssl/glusterfs.key".source
config.environment.etc."ssl/glusterfs.ca".source
] else [];

cfg = config.services.glusterfs;

in
@@ -30,6 +46,41 @@ in
description = "Extra flags passed to the GlusterFS daemon";
default = [];
};

tlsSettings = mkOption {
description = ''
Make the server communicate via TLS.
This means it will only connect to other gluster
servers having certificates signed by the same CA.
Enabling this will create a file <filename>/var/lib/glusterd/secure-access</filename>.
Disabling will delete this file again.
See also: https://gluster.readthedocs.io/en/latest/Administrator%20Guide/SSL/
'';
default = null;
type = types.nullOr (types.submodule {
options = {
tlsKeyPath = mkOption {
default = null;
type = types.str;
description = "Path to the private key used for TLS.";
};

tlsPem = mkOption {
default = null;
type = types.path;
description = "Path to the certificate used for TLS.";
};

caCert = mkOption {
default = null;
type = types.path;
description = "Path certificate authority used to sign the cluster certificates.";
};
};
});
};
};
};

@@ -40,7 +91,14 @@ in

services.rpcbind.enable = true;

environment.etc = mkIf (cfg.tlsSettings != null) {
"ssl/glusterfs.pem".source = cfg.tlsSettings.tlsPem;
"ssl/glusterfs.key".source = cfg.tlsSettings.tlsKeyPath;
"ssl/glusterfs.ca".source = cfg.tlsSettings.caCert;
};

systemd.services.glusterd = {
inherit restartTriggers;

description = "GlusterFS, a clustered file-system server";

@@ -57,6 +115,8 @@ in
+ ''
mkdir -p /var/lib/glusterd/hooks/
${rsync}/bin/rsync -a ${glusterfs}/var/lib/glusterd/hooks/ /var/lib/glusterd/hooks/
${tlsCmd}
''
# `glusterfind` needs dirs that upstream installs at `make install` phase
# https://github.com/gluster/glusterfs/blob/v3.10.2/tools/glusterfind/Makefile.am#L16-L17
@@ -75,6 +135,7 @@ in
};

systemd.services.glustereventsd = {
inherit restartTriggers;

description = "Gluster Events Notifier";
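Review bot: The `tlsKeyPath` option in the `tlsSettings` submodule is typed `types.str` to keep the private key out of the world-readable Nix store, but its description (`"Path to the private key used for TLS."`) does not say so, and an interpolated path literal (for example `"${./key.pem}"`, a constructed value) is still a string and would still copy the key into the store. I would extend the description to something like `"Absolute path, given as a string, to the TLS private key; the file must live outside the Nix store and have restrictive permissions."`. Separately, `default = null;` on `tlsKeyPath`, `tlsPem` and `caCert` does not match `types.str`/`types.path`; dropping the defaults would let the module system report an unset option instead of passing `null` into the `environment.etc` sources. As far as the visible hunks show, `restartTriggers` tracks the key's path string rather than its contents, so rotating the key in place presumably does not restart `glusterd` or `glustereventsd`, which deserves a comment next to the `restartTriggers` definition.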