authorsefidel <contact@sefidel.net>2023-04-04 22:18:34 +0900
committersefidel <contact@sefidel.net>2023-04-04 22:18:34 +0900
commitba2f957f393596b4a569d2880a93ddb497163aa4 (patch)
tree4b2ecfd6702e2b1d75886ac09657540a65d3c0b8
parentce06f43476863da90dc60dcee606d2b6c5a89a8e (diff)
downloadinfra-ba2f957f393596b4a569d2880a93ddb497163aa4.tar.gz
infra-ba2f957f393596b4a569d2880a93ddb497163aa4.zip
feat(services/grafana): use proper secrets
-rw-r--r--modules/services/metrics.nix3
-rw-r--r--systems/cobalt/default.nix2
-rw-r--r--systems/cobalt/secrets/secrets.yaml5
3 files changed, 7 insertions, 3 deletions
diff --git a/modules/services/metrics.nix b/modules/services/metrics.nix
index 74f7e9a..145d1fe 100644
--- a/modules/services/metrics.nix
+++ b/modules/services/metrics.nix
@@ -9,6 +9,7 @@ in
     enable = mkEnableOption "metrics";
     domain = mkOption { type = types.str; };
     tls.acmeHost = mkOption { type = types.str; default = cfg.domain; };
+    secrets.adminPassword = mkOption { type = types.str; description = "path to the admin password"; };
   };
 
   config = mkIf cfg.enable {
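Review bot: The new `secrets.adminPassword` option is typed `types.str` with the description "path to the admin password", which lets any string through and leaves it unclear whether the value is the password itself or a file holding it; since the consumer interpolates it into Grafana's `$__file{...}` provider, it should be declared as a path and documented as such. Suggested line: `secrets.adminPassword = mkOption { type = types.path; description = "Absolute path to a file containing the Grafana admin password; read at startup via Grafana's $__file provider, so it must be readable by the grafana user and must not live in the Nix store."; };`. `types.path` still accepts the `/run/secrets/...` string sops-nix produces, but rejects a bare password pasted in by mistake, which with `types.str` would silently be treated as a filename. The enclosing `options` attrset starts before this hunk and the `config = mkIf cfg.enable` block continues past it.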
@@ -138,7 +139,7 @@ in
       settings.server.http_addr = "127.0.0.1";
       settings.server.http_port = 2342;
       settings.server.domain = cfg.domain;
-      settings.security.admin_password = "supersecurepass";
+      settings.security.admin_password = "$__file{${cfg.secrets.adminPassword}}";
     };
 
     services.nginx.virtualHosts.${cfg.domain} = {
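Review bot: Replacing the literal with `$__file{${cfg.secrets.adminPassword}}` on the new `settings.security.admin_password` line keeps the password out of the Nix store, but as far as I recall Grafana only applies `admin_password` when it first creates the admin user; on an instance that has already started with the old hard-coded value, the admin account presumably still has that password in Grafana's database until it is reset explicitly (e.g. `grafana-cli admin reset-admin-password`), and the old value also remains in git history. It would be worth noting this next to the setting, e.g. `# Read by Grafana's $__file provider at startup; only used to seed the admin user on first run - rotate an existing admin password out of band.`, and rotating the credential on any host that was deployed before this commit. The enclosing `services.grafana` attrset starts before this hunk.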
diff --git a/systems/cobalt/default.nix b/systems/cobalt/default.nix
index 0a5cfe0..f369fec 100644
--- a/systems/cobalt/default.nix
+++ b/systems/cobalt/default.nix
@@ -134,6 +134,7 @@ in
     bsd-finger
   ];
 
+  sops.secrets.grafana-admin-pass = { owner = "grafana"; };
   sops.secrets.acme-envs = {
     owner = "acme";
   };
@@ -154,6 +155,7 @@ in
       enable = true;
       domain = "status.exotic.sh";
       tls.acmeHost = "exotic.sh";
+      secrets.adminPassword = config.sops.secrets.grafana-admin-pass.path;
     };
 
     services.coredns.enable = false;
diff --git a/systems/cobalt/secrets/secrets.yaml b/systems/cobalt/secrets/secrets.yaml
index 8e0c0e5..55418aa 100644
--- a/systems/cobalt/secrets/secrets.yaml
+++ b/systems/cobalt/secrets/secrets.yaml
@@ -8,6 +8,7 @@ turn-secret: ENC[AES256_GCM,data:JA5/BlGwH6yIjYsFZGa8Nm8XVbOBKpre+NFybniOtlmbSx8
 openldap-admin-key: ENC[AES256_GCM,data:WBBDPFDW6Q4sJ5+/pK8kAe6iFgJ8gGgi3eCVNvZB,iv:1rnmhu29UGsXLxD9Ptbv7P67EAYgKVk1dlkM6p0L4vA=,tag:yNRrHMI2yT8Oo7qkwxSeUg==,type:str]
 sefidel-imap-pass: ENC[AES256_GCM,data:rx9hZb+BARs9gB+XLLRMLWDSx67KqkKB1/4nOOtU9i56uagMprFEeDnh8pEaioZbNlqjJRO8kWTBBvWZ,iv:WxKLp0VmwfxVFZt9cnZUbp4wn5WEHubImp8fQy2bXyg=,tag:Vzh0Ntz8iFaSIEf2wjbOKg==,type:str]
 internal-imap-pass: ENC[AES256_GCM,data:ydjz/NthnJZFLrR1M+p0xEy5xhM8MbPtqE10r0s1DWDFZoyXwRRrIYefFZheW29EjY3VBfr3zWcRIbNm,iv:6hU/dHADbn4pNi0vlJG8BoyQW1ohByINSO6y+nJddfY=,tag:j67D2stmq2A+ulhFIYkZPA==,type:str]
+grafana-admin-pass: ENC[AES256_GCM,data:88z+mLcZ5s1u/8LWYcnOOhWTkff8sv1NIhQ=,iv:YdGaKCaq1bCCLsuYIug6NFO2rhqX/Xyt5yQ/hgWOfko=,tag:D+xWcN2bC2Q1Q2mjtpWqLg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -32,8 +33,8 @@ sops:
             cUpBZ01CMEFjNnNuWjlYejVKajkwcGMKehqYCZP0zZHDTfJrC/5LYiE/3doa0OiM
             OKXhOuUX8HF8RfkyiOSMpntxuNX2jSvd9sQRYnHkUvgm793+IuQjrg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-03-27T15:19:33Z"
-    mac: ENC[AES256_GCM,data:CyVH0paaTqnff98h5CSCas3YYYYAxEtyYdkjyFBfN/Nwfpe3e71O6YwLZgzAZoiaN+1FuF0kls5WmvDNdx95rEC4yvxQACA75iRyP95B5Q9iN9SGGld0Ii8wPY6s0QkJX+OL7mCllH/gC0J2gOpnPxRB9k5v5FXtKHmJtj5kfaI=,iv:ytWBOy2VTWtVlPbrXiHF5BNxbCmQ194x6aeMh1pd7vc=,tag:0J77TO1y8OTXzdODqANkEw==,type:str]
+    lastmodified: "2023-04-04T12:50:47Z"
+    mac: ENC[AES256_GCM,data:E7mzoKJ8K+exnMrC4EKkrBhO/pjWHQrWsctI9AFbVu78vHCcB9RLavdubJpHgEzMqSzPW35UylPM8X6cNTXNKtc7peYpMFvSttJxjfKDB1EY/op2gZ8H2XWpirbnY+NT3ty5HEzMZJOgTYFhtXXSnpsolqWhIERtq2SQ8s0OVog=,iv:WRviTHCjNd5u53LUvtV+mQop5MybNTeQF8wvj4EyvLQ=,tag:R6xd/wMaF50xbd9s4lxz4g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3