cluster/services/storage: mount external storage on prophet

cluster/services/storage/default.nix

@@ -1,8 +1,12 @@
 {
   services.storage = {
-    nodes.heresy = [ "VEGAS" ];
+    nodes = {
-    nixos.heresy = [
+      external = [ "prophet" ];
-      ./heresy.nix
+      heresy = [ "VEGAS" ];
-    ];
+    };
+    nixos = {
+      external = [ ./external.nix ];
+      heresy = [ ./heresy.nix ];
+    };
   };
 }

cluster/services/storage/external.nix

@@ -0,0 +1,15 @@
+{ config, ... }:
+
+{
+  services.external-storage = {
+    underlays.default = {
+      subUser = "sub1";
+      credentialsFile = ./secrets/storage-box-credentials.age;
+      path = "/fs/by-host/${config.networking.hostName}";
+    };
+    fileSystems.external = {
+      mountpoint = "/srv/storage";
+      encryptionKeyFile = ./secrets/external-storage-encryption-key-${config.networking.hostName}.age;
+    };
+  };
+}

cluster/services/storage/secrets/storage-box-credentials.age

@@ -1,11 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 NO562A tJRraicHm1ZsU4yrvK3R1xAiIX+0w1WL+maBEcfbZk0
+-> ssh-ed25519 NO562A zJvkOwBBlON92XKax+VTvXyqGFajgwzt091jNrRzjjI
-1IvOLKJVvt3lj44lIyDdHbnGzBiQQhfYh92HZYPz36Q
+1a8/gXx4DQu03Rewebxdz5BpEi3zI7DXTOcY2OLIUck
--> ssh-ed25519 5/zT0w a/LO69ZwMzoNUrr8fLR1lKDuYve6KXUZaQKN6ctwSjs
+-> ssh-ed25519 5/zT0w cR4KCvOxvEV5KhEL+4HEcwKv5dKC4dT+yVok8P6Y/1c
-E1OKbXuvynYwf0D9/APjFm3z+l8Y/l8TRkj+CeB04kI
+UCPh+WJ9opCFkDZgGBzyep8xZ58P6jLP1thMOpsx5rQ
--> ssh-ed25519 d3WGuA fUdpFXP5JDQwpk81dMR9agx8XgeJTP0sTESDadr9Zxk
+-> ssh-ed25519 d3WGuA nwgv+GeEw1Yc6gYCN39zfDyFg/NGxazU9tMkykmwhBc
-gPr4DnmX1CqpEnLvObCPuyiTIBJOT0cvoQize7Oe7U4
+b+1EyRRSCvUWdMKcsEZA5BAnqQHO703Bwp5xtLPYok4
--> &-grease r 8mj:pc~r
+-> ssh-ed25519 YIaSKQ FtSyO68mVkMEbMZV9w/H4tj7ms7gKOT+jB9n5MG5NAE
-DdZaL+KpxVOKEAQ0MZnpftL1hbOUffIaCsu4zMcafW+cnNzD1R0
+B8Id7KRU9a19oWfmDcCN4zUb04AMZ4Z+AETyCvxeC7c
---- jV/6H0YdytV3ik3wwoSurOWdugvJus1gbSCtJDJFJMw
+-> zAL;6ee-grease O]^kl 0`0G tf+sVH= `+K,h=HL
-Ž¾|à><^~n"iyD|¤I‰šD:Z”XݧVÃ<56>vOðàÄ£<C384>r‹z•¿j…Sþà‰·©x7c¹ÕÔ»½š «N<C2AB>i©·È`”¿¿ð‚
+ZO4H8I1upQszxI6GBalw1hUhSAhRRhhePbE
+--- lfbOCcNCO7rc1os2qEc9Bj0s6+bxJujVzmdL3lWdm3g
+‡ÎeýÒm1ùuUVÈÏò#ÍjTóq–‘e=2Ìo¢ò9y2«3 õ•á?ù©jT1©‹¤œüGBAôïÇ_ü¹À3øÂg1-rL)Ë–gR	<09>

secrets.nix

@@ -43,7 +43,8 @@ in with hosts;
   "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ thunderskin VEGAS prophet ];
   "cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ thunderskin VEGAS prophet ];
   "cluster/services/storage/secrets/heresy-encryption-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "cluster/services/storage/secrets/storage-box-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "cluster/services/storage/secrets/external-storage-encryption-key-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
+  "cluster/services/storage/secrets/storage-box-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/wireguard/mesh-keys/checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
   "cluster/services/wireguard/mesh-keys/thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
   "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];