author | Jörg Thalheim <joerg@thalheim.io> | 2018-09-20 23:01:40 +0100 |
---|---|---|
committer | Jörg Thalheim <joerg@thalheim.io> | 2018-09-20 23:06:10 +0100 |
commit | 7eb9c348fb600ff7d0098628ea663ae80d8732a3 (patch) | |
tree | 62e6ff04cbc0b015c1ff7b825ba1272fff04fc32 /nixos | |
parent | 74cd060c86982edf574fbac54a51c5305d2aeda1 (diff) | |
nixos/grafana: options to store secrets not in nix store
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/monitoring/grafana.nix | 61 |
1 files changed, 58 insertions, 3 deletions
diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix
index c30647f5460b..1f7d67daba70 100644
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -134,11 +134,23 @@ in {
 };
 password = mkOption {
- description = "Database password.";
+ description = ''
+ Database password.
+ This option is mutual exclusive with the passwordFile option.
+ '';
 default = "";
 type = types.str;
 };
+ passwordFile = mkOption {
+ description = ''
+ File that containts the database password.
+ This option is mutual exclusive with the password option.
+ '';
+ default = null;
+ type = types.nullOr types.path;
+ };
+
 path = mkOption {
 description = "Database path.";
 default = "${cfg.dataDir}/data/grafana.db";
@@ -163,16 +175,34 @@ in {
 };
 adminPassword = mkOption {
- description = "Default admin password.";
+ description = ''
+ Default admin password.
+ This option is mutual exclusive with the adminPasswordFile option.
+ '';
 default = "admin";
 type = types.str;
 };
+ adminPasswordFile = mkOption {
+ description = ''
+ Default admin password.
+ This option is mutual exclusive with the <literal>adminPassword</literal> option.
+ '';
+ default = null;
+ type = types.nullOr types.path;
+ };
+
 secretKey = mkOption {
 description = "Secret key used for signing.";
 default = "SW2YcwTIb9zpOOhoPsMm";
 type = types.str;
 };
+
+ secretKeyFile = mkOption {
+ description = "Secret key used for signing.";
+ default = null;
+ type = types.nullOr types.path;
+ };
 };
 users = {
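Review bot: The `passwordFile` description added in the first hunk contains two typos, `containts` and `mutual exclusive`, and the latter recurs in the `password`, `adminPassword` and `adminPasswordFile` descriptions of the second hunk; suggest `File that contains the database password.` and `This option is mutually exclusive with the passwordFile option.`. Separately, all three new `*File` options are typed `types.nullOr types.path`, and a Nix path literal given to such an option is copied into the Nix store at evaluation time, which silently defeats the purpose stated in the commit title. A sentence in each description along the lines of `Pass the location as a string rather than a path literal, otherwise the file is copied into the world-readable Nix store.` would warn users, or the type could be narrowed to `types.nullOr types.str`. The enclosing option set starts before the hunk.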
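Review bot: `adminPasswordFile` and `secretKeyFile` in the second hunk reuse the descriptions of the options they replace (`Default admin password.` and `Secret key used for signing.`), so the generated option documentation never says that they take a file, and `secretKeyFile` also lacks the mutual-exclusion sentence the other three options carry. Suggest `File that contains the default admin password.` for `adminPasswordFile` and `File that contains the secret key used for signing. This option is mutually exclusive with the secretKey option.` for `secretKeyFile`.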
@@ -247,6 +277,21 @@ in {
 environment.systemPackages = [ cfg.package ];
+ assertions = [
+ {
+ assertion = cfg.database.password != opt.database.password.default -> cfg.database.passwordFile == null;
+ message = "Cannot set both password and passwordFile";
+ }
+ {
+ assertion = cfg.security.adminPassword != opt.security.adminPassword.default -> cfg.security.adminPasswordFile == null;
+ message = "Cannot set both adminPassword and adminPasswordFile";
+ }
+ {
+ assertion = cfg.security.secretKeyFile != opt.security.secretKeyFile.default -> cfg.security.secretKeyFile == null;
+ message = "Cannot set both secretKey and secretKeyFile";
+ }
+ ];
+
 systemd.services.grafana = {
 description = "Grafana Service Daemon";
 wantedBy = ["multi-user.target"];
@@ -254,8 +299,18 @@ in {
 environment = {
 QT_QPA_PLATFORM = "offscreen";
 } // mapAttrs' (n: v: nameValuePair "GF_${n}" (toString v)) envOptions;
+ script = ''
+ ${optionalString (cfg.database.passwordFile != null) ''
+ export GF_DATABASE_PASSWORD="$(cat ${escapeShellArg cfg.database.passwordFile})"
+ ''}
+ ${optionalString (cfg.security.adminPasswordFile != null) ''
+ export GF_SECURITY_ADMIN_PASSWORD="$(cat ${escapeShellArg cfg.security.adminPasswordFile})"
+ ''}
+ ${optionalString (cfg.security.secretKeyFile != null) ''
+ export GF_SECURITY_SECRET_KEY="$(cat ${escapeShellArg cfg.security.secretKeyFile})"
+ ''}
+ exec ${cfg.package.bin}/bin/grafana-server -homepath ${cfg.dataDir}
 serviceConfig = {
- ExecStart = "${cfg.package.bin}/bin/grafana-server -homepath ${cfg.dataDir}";
 WorkingDirectory = cfg.dataDir;
 User = "grafana";
 }; |
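Review bot: The third assertion in the first hunk tests `cfg.security.secretKeyFile` against its own default and then requires it to be null, so it fails as soon as `secretKeyFile` is set at all and never looks at `secretKey`; the new option is unusable as written and the message `Cannot set both secretKey and secretKeyFile` would be misleading. It should mirror the two assertions above it: `assertion = cfg.security.secretKey != opt.security.secretKey.default -> cfg.security.secretKeyFile == null;`. All three assertions rely on an `opt` binding that is not visible in this hunk; presumably the module defines it alongside `cfg`, but that should be confirmed.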
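Review bot: In the second hunk the string opened by `script = ''` is never closed as rendered: `serviceConfig = {` follows the `exec` line directly, and the hunk header's new-side count (+18 against 8 old lines) matches exactly the eleven added lines shown, leaving no room for a closing `'';`. If that is the committed text the module does not evaluate; if the closing line was lost in rendering this can be ignored. Separately, because the secrets are now read with `cat` inside the unit's script, each `*File` must be readable by the account the service runs as (`User = "grafana"` in the context lines); a sentence in the option descriptions stating that requirement would prevent a failed start that is otherwise only diagnosable from the journal.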