My Nix Configuration
[marvin.grafana] add secret-key secret and make new generation method for secrets
+45
-18
+23
-18
hosts/marvin/services/grafana.nix
+23
-18
hosts/marvin/services/grafana.nix
···
7
7
let
8
8
d = self.lib.data.services.grafana;
9
9
p = self.lib.data.services.pocket-id;
10
+
11
+
grafanaSecret = name: {
12
+
owner = "grafana";
13
+
group = "grafana";
14
+
file = ./secrets/grafana/${name}.age;
15
+
};
16
+
17
+
mkGrafanaSecrets =
18
+
secrets:
19
+
builtins.listToAttrs (
20
+
map (sec: {
21
+
name = "grafana-${sec}";
22
+
value = grafanaSecret sec;
23
+
}) secrets
24
+
);
10
25
in
11
26
{
12
27
services.grafana = {
···
30
45
};
31
46
security = {
32
47
admin_user = "pyrox";
33
-
admin_password = "$__file{${config.age.secrets.grafana-admin.path}}";
48
+
admin_password = "$__file{${config.age.secrets.grafana-admin-password.path}}";
49
+
secret_key = "$__file{${config.age.secrets.grafana-secret-key.path}}";
34
50
};
35
51
server = {
36
52
root_url = "https://${d.extUrl}";
···
47
63
};
48
64
};
49
65
};
50
-
age.secrets = {
51
-
grafana-admin = {
52
-
file = ./secrets/grafana/admin-password.age;
53
-
owner = "grafana";
54
-
group = "grafana";
55
-
};
56
-
grafana-smtp-password = {
57
-
file = ./secrets/grafana/smtp-password.age;
58
-
owner = "grafana";
59
-
group = "grafana";
60
-
};
61
-
grafana-oidc-secret = {
62
-
file = ./secrets/grafana/oidc-secret.age;
63
-
owner = "grafana";
64
-
group = "grafana";
65
-
};
66
-
};
66
+
age.secrets = mkGrafanaSecrets [
67
+
"admin-password"
68
+
"smtp-password"
69
+
"oidc-secret"
70
+
"secret-key"
71
+
];
67
72
services.anubis.instances.grafana = {
68
73
settings = {
69
74
BIND = ":${toString d.anubis}";
+21
hosts/marvin/services/secrets/grafana/secret-key.age
+21
hosts/marvin/services/secrets/grafana/secret-key.age
···
1
+
age-encryption.org/v1
2
+
-> ssh-ed25519 iqBxIA vgDEngwzctG2YRa5PF2lmW+1G7FGDzEz5kMJ1tw9Qxw
3
+
H+MLQpbDRv/LcUvMlUb4BnV9kR0Y9G9/9vmPBXtRfAc
4
+
-> ssh-rsa fFaiTA
5
+
qy9ko5llnHE3EA26CfHuGYn4kuTsz7cOOXRkH733gVEIfapBqD01hlLs0TrQ8MMJ
6
+
B/j7DPjvJb3q1qSHudDolR+xqyN09UP+SISwgxxVNvcPPLBlMzpYuXdiNHSLh3NJ
7
+
FSWf7A8klPPTvnxKIUzOFE4Bmz6NpKIOKCoS9Bp4hhtS4JbUt0cBAoDCm4RU/YkE
8
+
YU7s8ldJM5hM8vRuoFOUdEJuRJnjbe03sN3FIfO7qxs3nk6d6ucUKCDE31HhEfpk
9
+
I3gVAtrK2DHwW3+tvyBkKQNftfdXCFdg+a42gqQKoNqpbtupYdC7HscDXaPq3VTP
10
+
9FZBrktGWaytuQo/T9qxhr+Nnms1bKy+AZ59X2GoOX2L3KtsxKG7fG1j63xVaEv/
11
+
GBAfdMU44SRB8f+LRETd1RiPo2UjsxUsTHbrHeQq+n2JfCdR0gpxT72ybD5d0ONo
12
+
ywMPdeRVXwOHJAat/k6jTEfolxSIhMcJ6mcSt6cmFgZH/a/OQwThWZr9N3tkhds4
13
+
vx8C1nKK1MBiJf4VhEFDgpTOVSILsK/pbLTqEYdDsnHYfT4J7vq2P8cPF2Fy6yth
14
+
QCResLpC0XiRd3Tp/Fv4k/zjNPJ5BJKy8kXCIcp0eDInZeLB8iPU5c1AqpZnCEf+
15
+
l/U1CAFY+6deBTraF/iF8NA3N0Zd4ru/8tfoa2+bejA
16
+
-> ssh-ed25519 wpmdHA AnfuD1L6PhKjIELsaJ9xxqJ5f/qOTETUIxOmukcGLls
17
+
kwVjpYNnk40BHIsQNcYR96ny0IFCx7qGFomnAr3Z1kk
18
+
--- Z5811GzYT7IZpeyN7fAN3gaEdhfWyrYbHLYLZyGKBPg
19
+
��L|�M�FEx�yx��˞�9�
20
+
eY
�v9�������
��|������%�m
/:�(�=@\����OK*
�5�G/�7
21
+
��}�4�.�~�_�'�=��~
+1
hosts/marvin/services/secrets/secrets.nix
+1
hosts/marvin/services/secrets/secrets.nix
···
29
29
"grafana/admin-password.age".publicKeys = marvinDefault;
30
30
"grafana/oidc-secret.age".publicKeys = marvinDefault;
31
31
"grafana/smtp-password.age".publicKeys = marvinDefault;
32
+
"grafana/secret-key.age".publicKeys = marvinDefault;
32
33
"immich/oauth-secret.age".publicKeys = marvinDefault;
33
34
"immich/mail-pw.age".publicKeys = marvinDefault;
34
35
"jellyfin-exporter-config.age".publicKeys = marvinDefault;