glusterfs service: add support for TLS communication
TLS settings are implemented as submodule.
This commit is contained in:
parent
983d01421e
commit
c68118ce65
@ -5,6 +5,22 @@ with lib;
|
||||
let
|
||||
inherit (pkgs) glusterfs rsync;
|
||||
|
||||
tlsCmd = if (cfg.tlsSettings != null) then
|
||||
''
|
||||
mkdir -p /var/lib/glusterd
|
||||
touch /var/lib/glusterd/secure-access
|
||||
''
|
||||
else
|
||||
''
|
||||
rm -f /var/lib/glusterd/secure-access
|
||||
'';
|
||||
|
||||
restartTriggers = if (cfg.tlsSettings != null) then [
|
||||
config.environment.etc."ssl/glusterfs.pem".source
|
||||
config.environment.etc."ssl/glusterfs.key".source
|
||||
config.environment.etc."ssl/glusterfs.ca".source
|
||||
] else [];
|
||||
|
||||
cfg = config.services.glusterfs;
|
||||
|
||||
in
|
||||
@ -30,6 +46,41 @@ in
|
||||
description = "Extra flags passed to the GlusterFS daemon";
|
||||
default = [];
|
||||
};
|
||||
|
||||
tlsSettings = mkOption {
|
||||
description = ''
|
||||
Make the server communicate via TLS.
|
||||
This means it will only connect to other gluster
|
||||
servers having certificates signed by the same CA.
|
||||
|
||||
Enabling this will create a file <filename>/var/lib/glusterd/secure-access</filename>.
|
||||
Disabling will delete this file again.
|
||||
|
||||
See also: https://gluster.readthedocs.io/en/latest/Administrator%20Guide/SSL/
|
||||
'';
|
||||
default = null;
|
||||
type = types.nullOr (types.submodule {
|
||||
options = {
|
||||
tlsKey = mkOption {
|
||||
default = null;
|
||||
type = types.path;
|
||||
description = "Path to the private key used for TLS.";
|
||||
};
|
||||
|
||||
tlsPem = mkOption {
|
||||
default = null;
|
||||
type = types.path;
|
||||
description = "Path to the certificate used for TLS.";
|
||||
};
|
||||
|
||||
caCert = mkOption {
|
||||
default = null;
|
||||
type = types.path;
|
||||
description = "Path certificate authority used to sign the cluster certificates.";
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -40,7 +91,14 @@ in
|
||||
|
||||
services.rpcbind.enable = true;
|
||||
|
||||
environment.etc = mkIf (cfg.tlsSettings != null) {
|
||||
"ssl/glusterfs.pem".source = cfg.tlsSettings.tlsPem;
|
||||
"ssl/glusterfs.key".source = cfg.tlsSettings.tlsKey;
|
||||
"ssl/glusterfs.ca".source = cfg.tlsSettings.caCert;
|
||||
};
|
||||
|
||||
systemd.services.glusterd = {
|
||||
inherit restartTriggers;
|
||||
|
||||
description = "GlusterFS, a clustered file-system server";
|
||||
|
||||
@ -57,6 +115,8 @@ in
|
||||
+ ''
|
||||
mkdir -p /var/lib/glusterd/hooks/
|
||||
${rsync}/bin/rsync -a ${glusterfs}/var/lib/glusterd/hooks/ /var/lib/glusterd/hooks/
|
||||
|
||||
${tlsCmd}
|
||||
''
|
||||
# `glusterfind` needs dirs that upstream installs at `make install` phase
|
||||
# https://github.com/gluster/glusterfs/blob/v3.10.2/tools/glusterfind/Makefile.am#L16-L17
|
||||
@ -75,6 +135,7 @@ in
|
||||
};
|
||||
|
||||
systemd.services.glustereventsd = {
|
||||
inherit restartTriggers;
|
||||
|
||||
description = "Gluster Events Notifier";
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user