diff options
| author | Joachim F <joachifm@users.noreply.github.com> | 2017-09-21 20:27:25 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-09-21 20:27:25 +0000 |
| commit | c913f7155f6e48682499333c74b1dc4adcbda072 (patch) | |
| tree | c6887802f134f86273502972b589ae03da26fd6b /nixos/modules/services/network-filesystems | |
| parent | 0d391a8e5a11fdeac9dadf3e42d86c9be89b3c64 (diff) | |
| parent | 8ed758696c321a84b3d3d5d08b6bfa004779f211 (diff) | |
| download | nixlib-c913f7155f6e48682499333c74b1dc4adcbda072.tar nixlib-c913f7155f6e48682499333c74b1dc4adcbda072.tar.gz nixlib-c913f7155f6e48682499333c74b1dc4adcbda072.tar.bz2 nixlib-c913f7155f6e48682499333c74b1dc4adcbda072.tar.lz nixlib-c913f7155f6e48682499333c74b1dc4adcbda072.tar.xz nixlib-c913f7155f6e48682499333c74b1dc4adcbda072.tar.zst nixlib-c913f7155f6e48682499333c74b1dc4adcbda072.zip | |
Merge pull request #27340 from bachp/glusterfs-tls
glusterfs service: add support for TLS communication
Diffstat (limited to 'nixos/modules/services/network-filesystems')
| -rw-r--r-- | nixos/modules/services/network-filesystems/glusterfs.nix | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/nixos/modules/services/network-filesystems/glusterfs.nix b/nixos/modules/services/network-filesystems/glusterfs.nix index 7454eeef803f..e7f52bc4a7d1 100644 --- a/nixos/modules/services/network-filesystems/glusterfs.nix +++ b/nixos/modules/services/network-filesystems/glusterfs.nix @@ -5,6 +5,22 @@ with lib; let inherit (pkgs) glusterfs rsync; + tlsCmd = if (cfg.tlsSettings != null) then + '' + mkdir -p /var/lib/glusterd + touch /var/lib/glusterd/secure-access + '' + else + '' + rm -f /var/lib/glusterd/secure-access + ''; + + restartTriggers = if (cfg.tlsSettings != null) then [ + config.environment.etc."ssl/glusterfs.pem".source + config.environment.etc."ssl/glusterfs.key".source + config.environment.etc."ssl/glusterfs.ca".source + ] else []; + cfg = config.services.glusterfs; in @@ -30,6 +46,41 @@ in description = "Extra flags passed to the GlusterFS daemon"; default = []; }; + + tlsSettings = mkOption { + description = '' + Make the server communicate via TLS. + This means it will only connect to other gluster + servers having certificates signed by the same CA. + + Enabling this will create a file <filename>/var/lib/glusterd/secure-access</filename>. + Disabling will delete this file again. + + See also: https://gluster.readthedocs.io/en/latest/Administrator%20Guide/SSL/ + ''; + default = null; + type = types.nullOr (types.submodule { + options = { + tlsKeyPath = mkOption { + default = null; + type = types.str; + description = "Path to the private key used for TLS."; + }; + + tlsPem = mkOption { + default = null; + type = types.path; + description = "Path to the certificate used for TLS."; + }; + + caCert = mkOption { + default = null; + type = types.path; + description = "Path certificate authority used to sign the cluster certificates."; + }; + }; + }); + }; }; }; @@ -40,7 +91,14 @@ in services.rpcbind.enable = true; + environment.etc = mkIf (cfg.tlsSettings != null) { + "ssl/glusterfs.pem".source = cfg.tlsSettings.tlsPem; + "ssl/glusterfs.key".source = cfg.tlsSettings.tlsKeyPath; + "ssl/glusterfs.ca".source = cfg.tlsSettings.caCert; + }; + systemd.services.glusterd = { + inherit restartTriggers; description = "GlusterFS, a clustered file-system server"; @@ -57,6 +115,8 @@ in + '' mkdir -p /var/lib/glusterd/hooks/ ${rsync}/bin/rsync -a ${glusterfs}/var/lib/glusterd/hooks/ /var/lib/glusterd/hooks/ + + ${tlsCmd} '' # `glusterfind` needs dirs that upstream installs at `make install` phase # https://github.com/gluster/glusterfs/blob/v3.10.2/tools/glusterfind/Makefile.am#L16-L17 @@ -75,6 +135,7 @@ in }; systemd.services.glustereventsd = { + inherit restartTriggers; description = "Gluster Events Notifier"; |