public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #27340 from bachp/glusterfs-tls 

glusterfs service: add support for TLS communication
This commit is contained in:
Joachim F 2017-09-21 20:27:25 +00:00 committed by GitHub
parent 0d391a8e5a 8ed758696c
commit c913f7155f
1 changed files with 61 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
nixos/modules/services/network-filesystems/glusterfs.nix
View File

@ -5,6 +5,22 @@ with lib;
let let
inherit (pkgs) glusterfs rsync; inherit (pkgs) glusterfs rsync;
tlsCmd = if (cfg.tlsSettings != null) then
''
mkdir -p /var/lib/glusterd
touch /var/lib/glusterd/secure-access
''
else
''
rm -f /var/lib/glusterd/secure-access
'';
restartTriggers = if (cfg.tlsSettings != null) then [
config.environment.etc."ssl/glusterfs.pem".source
config.environment.etc."ssl/glusterfs.key".source
config.environment.etc."ssl/glusterfs.ca".source
] else [];
cfg = config.services.glusterfs; cfg = config.services.glusterfs;
in in
@ -30,6 +46,41 @@ in
description = "Extra flags passed to the GlusterFS daemon"; description = "Extra flags passed to the GlusterFS daemon";
default = []; default = [];
}; };
tlsSettings = mkOption {
description = ''
Make the server communicate via TLS.
This means it will only connect to other gluster
servers having certificates signed by the same CA.
Enabling this will create a file <filename>/var/lib/glusterd/secure-access</filename>.
Disabling will delete this file again.
See also: https://gluster.readthedocs.io/en/latest/Administrator%20Guide/SSL/
'';
default = null;
type = types.nullOr (types.submodule {
options = {
tlsKeyPath = mkOption {
default = null;
type = types.str;
description = "Path to the private key used for TLS.";
};
tlsPem = mkOption {
default = null;
type = types.path;
description = "Path to the certificate used for TLS.";
};
caCert = mkOption {
default = null;
type = types.path;
description = "Path certificate authority used to sign the cluster certificates.";
};
};
});
};
}; };
}; };
@ -40,7 +91,14 @@ in
services.rpcbind.enable = true; services.rpcbind.enable = true;
environment.etc = mkIf (cfg.tlsSettings != null) {
"ssl/glusterfs.pem".source = cfg.tlsSettings.tlsPem;
"ssl/glusterfs.key".source = cfg.tlsSettings.tlsKeyPath;
"ssl/glusterfs.ca".source = cfg.tlsSettings.caCert;
};
systemd.services.glusterd = { systemd.services.glusterd = {
inherit restartTriggers;
description = "GlusterFS, a clustered file-system server"; description = "GlusterFS, a clustered file-system server";
@ -57,6 +115,8 @@ in
+ '' + ''
mkdir -p /var/lib/glusterd/hooks/ mkdir -p /var/lib/glusterd/hooks/
${rsync}/bin/rsync -a ${glusterfs}/var/lib/glusterd/hooks/ /var/lib/glusterd/hooks/ ${rsync}/bin/rsync -a ${glusterfs}/var/lib/glusterd/hooks/ /var/lib/glusterd/hooks/
${tlsCmd}
'' ''
# `glusterfind` needs dirs that upstream installs at `make install` phase # `glusterfind` needs dirs that upstream installs at `make install` phase
# https://github.com/gluster/glusterfs/blob/v3.10.2/tools/glusterfind/Makefile.am#L16-L17 # https://github.com/gluster/glusterfs/blob/v3.10.2/tools/glusterfind/Makefile.am#L16-L17
@ -75,6 +135,7 @@ in
}; };
systemd.services.glustereventsd = { systemd.services.glustereventsd = {
inherit restartTriggers;
description = "Gluster Events Notifier"; description = "Gluster Events Notifier";