From ba2f957f393596b4a569d2880a93ddb497163aa4 Mon Sep 17 00:00:00 2001 From: sefidel Date: Tue, 4 Apr 2023 22:18:34 +0900 Subject: feat(services/grafana): use proper secrets --- modules/services/metrics.nix | 3 ++- systems/cobalt/default.nix | 2 ++ systems/cobalt/secrets/secrets.yaml | 5 +++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/modules/services/metrics.nix b/modules/services/metrics.nix index 74f7e9a..145d1fe 100644 --- a/modules/services/metrics.nix +++ b/modules/services/metrics.nix @@ -9,6 +9,7 @@ in enable = mkEnableOption "metrics"; domain = mkOption { type = types.str; }; tls.acmeHost = mkOption { type = types.str; default = cfg.domain; }; + secrets.adminPassword = mkOption { type = types.str; description = "path to the admin password"; }; }; config = mkIf cfg.enable { @@ -138,7 +139,7 @@ in settings.server.http_addr = "127.0.0.1"; settings.server.http_port = 2342; settings.server.domain = cfg.domain; - settings.security.admin_password = "supersecurepass"; + settings.security.admin_password = "$__file{${cfg.secrets.adminPassword}}"; }; services.nginx.virtualHosts.${cfg.domain} = { diff --git a/systems/cobalt/default.nix b/systems/cobalt/default.nix index 0a5cfe0..f369fec 100644 --- a/systems/cobalt/default.nix +++ b/systems/cobalt/default.nix @@ -134,6 +134,7 @@ in bsd-finger ]; + sops.secrets.grafana-admin-pass = { owner = "grafana"; }; sops.secrets.acme-envs = { owner = "acme"; }; @@ -154,6 +155,7 @@ in enable = true; domain = "status.exotic.sh"; tls.acmeHost = "exotic.sh"; + secrets.adminPassword = config.sops.secrets.grafana-admin-pass.path; }; services.coredns.enable = false; diff --git a/systems/cobalt/secrets/secrets.yaml b/systems/cobalt/secrets/secrets.yaml index 8e0c0e5..55418aa 100644 --- a/systems/cobalt/secrets/secrets.yaml +++ b/systems/cobalt/secrets/secrets.yaml 
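Review bot: The description on the new `secrets.adminPassword` option in modules/services/metrics.nix, "path to the admin password", does not say that the value is spliced into Grafana's `$__file{...}` provider. It must therefore name a file that exists at runtime and is readable by the grafana user. Keeping `types.str` is sensible, since it rejects a Nix path literal that would otherwise copy the secret into the world-readable store, but the description should state the constraint: `description = "Runtime path to a file holding the Grafana admin password; must be readable by the grafana user and must not be a Nix store path.";`. The options block starts before this hunk.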
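Review bot: Grafana applies `security.admin_password` only when it first creates the admin user, so the new `$__file{...}` value at `settings.security.admin_password` will not change the live password on a host whose database was already initialised with the removed literal. Whether cobalt has already run with the old value is not visible in this diff, but that literal stays in the repository history and should be treated as disclosed. I would add a comment above the line, `# applied only on first start; rotate an existing admin with grafana-cli admin reset-admin-password`, and carry out that rotation once on any deployed host. The services.grafana block begins outside the hunk.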
@@ -8,6 +8,7 @@ turn-secret: ENC[AES256_GCM,data:JA5/BlGwH6yIjYsFZGa8Nm8XVbOBKpre+NFybniOtlmbSx8 openldap-admin-key: ENC[AES256_GCM,data:WBBDPFDW6Q4sJ5+/pK8kAe6iFgJ8gGgi3eCVNvZB,iv:1rnmhu29UGsXLxD9Ptbv7P67EAYgKVk1dlkM6p0L4vA=,tag:yNRrHMI2yT8Oo7qkwxSeUg==,type:str] sefidel-imap-pass: ENC[AES256_GCM,data:rx9hZb+BARs9gB+XLLRMLWDSx67KqkKB1/4nOOtU9i56uagMprFEeDnh8pEaioZbNlqjJRO8kWTBBvWZ,iv:WxKLp0VmwfxVFZt9cnZUbp4wn5WEHubImp8fQy2bXyg=,tag:Vzh0Ntz8iFaSIEf2wjbOKg==,type:str] internal-imap-pass: ENC[AES256_GCM,data:ydjz/NthnJZFLrR1M+p0xEy5xhM8MbPtqE10r0s1DWDFZoyXwRRrIYefFZheW29EjY3VBfr3zWcRIbNm,iv:6hU/dHADbn4pNi0vlJG8BoyQW1ohByINSO6y+nJddfY=,tag:j67D2stmq2A+ulhFIYkZPA==,type:str] +grafana-admin-pass: ENC[AES256_GCM,data:88z+mLcZ5s1u/8LWYcnOOhWTkff8sv1NIhQ=,iv:YdGaKCaq1bCCLsuYIug6NFO2rhqX/Xyt5yQ/hgWOfko=,tag:D+xWcN2bC2Q1Q2mjtpWqLg==,type:str] sops: kms: [] gcp_kms: [] @@ -32,8 +33,8 @@ sops: cUpBZ01CMEFjNnNuWjlYejVKajkwcGMKehqYCZP0zZHDTfJrC/5LYiE/3doa0OiM OKXhOuUX8HF8RfkyiOSMpntxuNX2jSvd9sQRYnHkUvgm793+IuQjrg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-03-27T15:19:33Z" - mac: ENC[AES256_GCM,data:CyVH0paaTqnff98h5CSCas3YYYYAxEtyYdkjyFBfN/Nwfpe3e71O6YwLZgzAZoiaN+1FuF0kls5WmvDNdx95rEC4yvxQACA75iRyP95B5Q9iN9SGGld0Ii8wPY6s0QkJX+OL7mCllH/gC0J2gOpnPxRB9k5v5FXtKHmJtj5kfaI=,iv:ytWBOy2VTWtVlPbrXiHF5BNxbCmQ194x6aeMh1pd7vc=,tag:0J77TO1y8OTXzdODqANkEw==,type:str] + lastmodified: "2023-04-04T12:50:47Z" + mac: ENC[AES256_GCM,data:E7mzoKJ8K+exnMrC4EKkrBhO/pjWHQrWsctI9AFbVu78vHCcB9RLavdubJpHgEzMqSzPW35UylPM8X6cNTXNKtc7peYpMFvSttJxjfKDB1EY/op2gZ8H2XWpirbnY+NT3ty5HEzMZJOgTYFhtXXSnpsolqWhIERtq2SQ8s0OVog=,iv:WRviTHCjNd5u53LUvtV+mQop5MybNTeQF8wvj4EyvLQ=,tag:R6xd/wMaF50xbd9s4lxz4g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 -- cgit 1.4.1