diff --git a/.sops.yaml b/.sops.yaml index 5283dd80..55ae3a7f 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -139,6 +139,12 @@ creation_rules: age: - *glotzbert - *polygon-snowflake + - path_regex: hosts/grafana/[^/]+\.yaml$ + key_groups: + - pgp: *admins + age: + - *grafana + - *polygon-snowflake - path_regex: hosts/hedgedoc/[^/]+\.yaml$ key_groups: - pgp: *admins diff --git a/flake.nix b/flake.nix index ddefee79..59a3f703 100644 --- a/flake.nix +++ b/flake.nix @@ -731,6 +731,7 @@ self.nixosModules.microvm ./hosts/grafana ]; + nixpkgs = nixos-unstable; }; hydra = nixosSystem' { diff --git a/hosts/grafana/default.nix b/hosts/grafana/default.nix index 5ca619f1..cb84dd9a 100644 --- a/hosts/grafana/default.nix +++ b/hosts/grafana/default.nix @@ -34,23 +34,28 @@ in { }; services.grafana = { enable = true; - domain = "grafana.hq.c3d2.de"; - auth.anonymous = { - enable = true; - org_name = "Chaos"; - }; - users.allowSignUp = false; provision = { enable = true; # curl https://root:SECRET@grafana.hq.c3d2.de/api/datasources | jq > hosts/grafana/datasources.json - datasources = map (datasource: { + datasources.settings.datasources = map (datasource: { inherit (datasource) name type access orgId url password user database isDefault jsonData; }) (with builtins; fromJSON (readFile ./datasources.json)); # for id in `curl https://root:SECRET@grafana.hq.c3d2.de/api/search | jq -j 'map(.uid) | join(" ")'`; do curl https://root:SECRET@grafana.hq.c3d2.de/api/dashboards/uid/$id | jq .dashboard > hosts/grafana/dashboards/$id.json;done - dashboards = [ - { options.path = ./dashboards; } - ]; + dashboards.path = ./dashboards; + }; + + settings = { + "auth.anonymous" = { + enabled = false; + org_name = "Chaos"; + }; + security = { + admin_password = "$__file{${config.sops.secrets."grafana/admin-password".path}}"; + secret_key = "$__file{${config.sops.secrets."grafana/secret-key".path}}"; + }; + server.domain = "grafana.hq.c3d2.de"; + users.allow_sign_up = false; }; }; services.influxdb = let 
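Review bot: The added `nixpkgs = nixos-unstable;` in flake.nix moves only this host onto the unstable input and carries no comment saying why or when to undo it. Presumably it is needed for the `services.grafana.settings` options that hosts/grafana/default.nix starts using in this same commit; if so, record that in place, e.g. `# unstable for services.grafana.settings; go back to the stable input once it has them`. Without the comment, a service host tracking unstable is easy to overlook at the next release upgrade. The enclosing host definition begins above the hunk.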
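Review bot: The datasource provisioning in hosts/grafana/default.nix still carries `password` through `inherit (datasource) … password user …` from `./datasources.json`, so any datasource credential in that JSON stays in the repository and is copied into the world-readable Nix store, even though this commit moves the admin password and secret key behind sops. The JSON file is not shown here; if it holds real passwords, move them into sops secrets too and reference them with the same `$__file{…}` form used for `admin_password`. Separately, `"auth.anonymous"` goes from `enable = true` to `enabled = false`, which switches anonymous viewing off rather than only renaming the option; if that is intended, a one-line comment would say so and the leftover `org_name = "Chaos";` can go. Grafana also uses `secret_key` to encrypt datasource secrets stored in its database, so if this instance has existing data, confirm that those entries still decrypt with the new key.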
@@ -86,11 +91,22 @@ in { influxdb.serviceConfig.LimitNOFILE = "1048576:1048576"; influxdb.serviceConfig.TimeoutStartSec = "infinity"; }; + environment.systemPackages = with pkgs; [ influxdb ]; - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. - system.stateVersion = "18.09"; # Did you read the comment? + sops = { + defaultSopsFile = ./secrets.yaml; + secrets = { + "grafana/admin-password" = { + group = config.systemd.services.grafana.serviceConfig.User; + owner = config.systemd.services.grafana.serviceConfig.User; + }; + "grafana/secret-key" = { + group = config.systemd.services.grafana.serviceConfig.User; + owner = config.systemd.services.grafana.serviceConfig.User; + }; + }; + }; + + system.stateVersion = "22.05"; } diff --git a/hosts/grafana/secrets.yaml b/hosts/grafana/secrets.yaml new file mode 100644 index 00000000..99a48bc5 --- /dev/null +++ b/hosts/grafana/secrets.yaml 
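Review bot: `system.stateVersion` jumps from "18.09" to "22.05" and the comment warning against changing it is deleted. On a host that keeps its state this switches state-dependent module defaults, and this machine runs InfluxDB and Grafana. Unless the VM is being reinstalled from scratch, keep `system.stateVersion = "18.09";` together with its comment. In the new `sops.secrets` entries, `group` is filled from `serviceConfig.User`, which only works while a group with the same name as the user exists; if no group access is needed, drop the `group` lines. Consider adding `restartUnits = [ "grafana.service" ];` to both secrets so a rotated value is picked up, since the `$__file{…}` references are presumably only read at service start. The attribute set opens above the hunk.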
@@ -0,0 +1,184 @@ +grafana: + admin-password: ENC[AES256_GCM,data:eohgvOafD8g=,iv:7gYI4ITOOg+/ahP9OKJHd09dRC5ZbM8t4909IrAfHbY=,tag:6NJRgaWyKSvohfYZY1gHhg==,type:str] + secret-key: ENC[AES256_GCM,data:0FYJ2sEN6/tEf7v6eNvFtT2AX8xxqrU5rbolJTPLxG3WZ3ZV8GjC0zRmuy/zw7MOOB4UKKcHI+kR6WzBYRartw==,iv:ehA4KC3rE6QaiX0fbNTNiydk4Ly2zyASr3utGcWqkHE=,tag:muafXs36mdiT2rLDt9eldw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1yahhqn2620300n20k68az5lr2u42wdgtjwysgqyr99a4cj52ay0qjw02pl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdTlvNldjRGJUWWpMZkVJ + dGMxcXpTM1Z6aENIK1RiQXA2NTE0bFQ0aGt3CmExTDNEZFM5LzFqRm9wTG5JejdC + ZFJVcE5ubWp3dkIvNWxjcXJSMnZQYUkKLS0tIEJuWmNKeFdBY0NHRm4xV0RxOFpt + NEIrMnFDZlpNYUVBbWpZeitTYnNaTDQKS3iTlRI6wuYrjJgYcfMEBRM/SJHxlqd+ + RlNQb34ra9KHzB4rVe+a0RA0mDnDPkFG9bL4T9CaUTwobLEdpJW8aA== + -----END AGE ENCRYPTED FILE----- + - recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvWS9zN0RVWFNMTVlBYjFx + d3JQL2xmM0twdjRMM2owdng2QTQrcHd0cUFvCko1MHBnNkJhWjFWdUQ3cHNLMHNJ + SVQ4VndrTjdIUzlTNklXMVdWYzFYcGcKLS0tIDJYbjI4YTcvRnlFV0h5dituR1B2 + eVN5KzdSQktNNjRyekZUK1U5SnVwbzAKbEYEDJz+gBILvt8KWLzkZ3gQwdQCBAH6 + KSYuY9d0BrznamgUjNt9zCxWBuzIqZbL5PbTrK30EdVG66d5U+bkTg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-10-27T19:29:47Z" + mac: ENC[AES256_GCM,data:IuIBWaRQGtn+QSYRgRE2r3hYPSut9mO8rTb7Fz2pRcOjaitUD9jd1LpvGzRSsOHEfOArxJlv99njqVq9NA26cJUB7aWDxhL4DG4XXHf0vabUk8wSE1gdFwxDZRH5bvK11riuZnkoBSTGiFqlw9TvIZnASsHAmAgyI+WIGnNERfI=,iv:vUj8k1iyVAkYHVcQXOLXrE5QdFNpIxrDA6dNBisPpZE=,tag:DW671BahNqve1cKA6Yn0IQ==,type:str] + pgp: + - created_at: "2022-10-27T18:39:31Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA6j84+xkv3y7ARAAzf8vFbyF2ajzwpoGZU0IxZ+sT/Tw0cEIwD+BpNTGK7df + 1HnNPpGPdL/lEm2LpMjzgHO85DTbqaI9kJgLkUcsmzMs74fx8lnjADlAQiSm+twv + 
+nGsalFyW3+M8aqrPGy2dpjLaZVpa54kjfv6IvDGskk3lyQFulrXRO0fJBxBmKCo + +LiH0uPdK4H77AhG7cn07f8N/MO+89v0l/Ewdg+elbsIepZ/EIMHHrrGDX7PPUqw + hi/gr5g/GpY54F+FfIBjV21bucMySgirqx5JCtG8XNhP/nwN9n6hmTfTzmm/778l + UYVLcewhNt15yiGtFmUs5LH7wyR4uWiJtvRMzvfRYonA9OqGqxl4CwoLMf52pwnY + rJqs6IJfbKjtxFi8TQYea30nXv3UPLVcIlaFsqfGela67GJFdofVS5DrRNkg5t9I + KQYxOkd9tV3e+twOCwnf6Fk+J+Ltzd75ABBCotNMSPgje8JOzV+YrqMNttBDmSSE + 0WbA8aYhFbo9iVOJjXaua//MzxfyTC4+KLKeqh/kL4nGiCI3ebndhulqEJpGtb7F + pXNR24SdeKnMZJitfsZf9qGY/2nxD3J/l3nidwIzzJn4zZidFBwusi7aGg9mU1ld + AvEpeutLoqaGV7XFr38kXPeBzHlzrfvZTcLYVRDhgMXb5mPEnn54bqC7DJ7Fh+7S + XgGYR3qDixV1Akj/Uiuzb3k4bRgRPf27frauSOC3m0PPPx0obIsGNJDOn5Muncwu + h2GzY+rSrFOgyk2pQErTbkPlbS51lW06XDCrm7qznrf2bwLsUmdOsViFwxrfWLw= + =oho2 + -----END PGP MESSAGE----- + fp: A5EE826D645DBE35F9B0993358512AE87A69900F + - created_at: "2022-10-27T18:39:31Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA8zMZ+ak7y/zAQ/7BXPwyr7eVanyGCrsskqKLcuVwmh5RfVDu2zgAzjZ8bwM + dvuWJ57DkgDU8v1fjFG8xRXukmBxSMQrOM7OgacVDF0OSwxCjvfJcsQD8xA+/U1w + G02Y2LzSISiYy+Ci9khfhtpodqOqIvVKB2wIscPSk9KGcjTLUaCQega5OAYkqYWI + MGcwaWUxQ7QgUAPO33P0VV9oUKdn4DQ+1/JN9SKIxY0ICtOSEmAUCIcChMSmaGom + JzpCHujPxzBwCFkDd5u7ffqro3j4X0m0E8FTBj8eZFXr6cL5iT4BGLgoGw56BWOK + LyT9cwdPUPYre8pZ/Siy3cgS7ASHzF9oFJ0Emd9cP1hEph/D/xTa7W+8D5B+jAeG + PMiKD2N8hzKURv+OqJ/yzHdJkW2dcts4gcX5B/n7Qs6mH0TS99xXu9jjgBYZbZZM + p5ztpfH5dBq1W085P3VwpOGJpXhtH9mCy4MWk3Z9pVX/yoBXIN1HrXE0J4JFr1w8 + hmE/8j/NHTc+nnj1EeWjkayaHf2r+S5WI9xuQqtr6oZxovalW4Fr0px/BtNy1T+x + 85dOCQIireXQFfZqAWS+mHHdYAXkep4YMZB5xuvOUdNpxaqOlCUWyup2v8TtNC9N + 8691Etb5EPrOrJ2yrhze05m/MN0iOhI8QohKM+r5j5nfgldvIPy/KrRRvUx47bTS + XgGmfmSslJu/kKh2YXmAq/hMZCTlRt6Grdhvwp7u3Jcp4GFdA6QYcK+onGjw8Cx8 + htZVjL/gyYmkwSABkfx3jmiiJQo61wwaZLV3Yjasi7r4UDjvc95IPeXyOlhfNH8= + =8C23 + -----END PGP MESSAGE----- + fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A + - created_at: "2022-10-27T18:39:31Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA45bZkLXmBFpAQf+MIk2ysBQWPf1V04wc4vOptY2ME6VVN+zT16gqgCcbe09 
+ 7VoI1PJeQJqm7977tntxzyHCAGv7TBlhu7ictoNpBK1PGH0rhu72NPXWGGEY/ROu + 4qyZLReR4TYb6k7v1ZhsdtMLBQ7Sc64oNVBNlMeWW4RQKvs4jP0rZmw/wAHZm1nL + w1Bt/vcba5Eeo+PY9GznZMSzfO+9laP2uKqacVGc8FpxukQpOx/adPj2SFvFIu5V + bZ3E54nYGCo8d+e6qzbgqGmNIyv3q2Z2W6qTRkpe2j2vPk46fYjpmbmhZojBp/x5 + 1N42uJmvI0fVjOBktkXSOS8lYhZAC+o0BsuAL5C9H9JeAXQxOHQiJDR4VkTXUZ8j + 6ehlCU0DtiL22fkG3ot4qADIa7ymI/oY2TKNyWv13b4YeeOcS2Ps1bsoM4aeIehX + w/80QSteJMoH447q5DgB8r5merbVZJQvvhLVKBKXBg== + =6+Ej + -----END PGP MESSAGE----- + fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9 + - created_at: "2022-10-27T18:39:31Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAwMCBBrc/JA6ARAAjJY77VdNwknWccEDoV/5kGmI/HDTqMHR0sXLuL2c27t2 + Wn/MJhEGCs4gsY8CKUeuEUeytZN9Lnd1liSdROOuT0SM5nZM+95Nmi8AlCXlKbKZ + fQpEBLJxQvkOmyUIDv9mZXORLtCrd2mP86s2HMIoOPrQ4aTpqg0MrgGPORqwOIUW + DoIemK1wgGmQRXuUnk1+cwMrhCzMP9MD9e9U95LDRAFev0ZjoqD+/i/LXfK+9MTY + naalOpUN8uhPopxCddFvUZX3JvArPmZJd2U/3wSjST997txeIpInaGtcH/rsKTNU + C8CNQKUNAH69RkTnM+r+08tcN++ZZpao2VZq/lMbzdKhyT4QYbHoyBSMbKwchriG + 5yF/yp+QBY62Y9LvSAlf5tg50KPAfVSQP9l46GLrnB8/KABuJsAt6vDbI9oM6qm2 + FstEKEjfgMMbVCT19S3sRAueJ7byJ/FPnxRklN0/O95aYsI8Pp2IG3Q1PiGGmuFW + JJYRtAtqqGGK7wYPN0gAuSqwgBQ7B6/GuxVItWYtKLcSIhsUtVWV0fi17LJlotxH + IWf3+yNS+WW2FRQNuXDqQWjFz5UcpJ0KWjZOzyvEAMlP9f0ahR8m0CePtYJp9fXD + j40vMij7Uwx1zZE/DcuEuiIjA45d0lxln8Wj8XtIcPq74J2XJsnA+vUD5ZCMbY3S + mAEdpFXc1gkm+aou4niU53/AcaTb7xWm/qBXrSPGCT00WcEamWvpwZheHoKE/YRU + UE9KVPdU1okhp/WTQKfN65z+Yz/mnqipVQdP2nQ5Y+im16Kf5fqVSzqzYmYBN56D + yLeNgZ2rvSt9ZQDUom0OWj0GrTrH+18ErEocxA7moYU2fWvWy3GQ5kQu1Lc1ZMFJ + jCLnlNRvHgbN + =0bt+ + -----END PGP MESSAGE----- + fp: 4F9F44A64CC2E438979329E1F122F05437696FCE + - created_at: "2022-10-27T18:39:31Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA9XEenRNYVGHARAAhPOUw9gFA613UeSZ0WkKED/ckuMNlg48RbcP9B9Cjqvs + IiEo4GsQliPEStH7X/5mXNYaKoyT1B5A6pHZrB6PD6AN3ZhDZ0c+HnsIRhxQ9zmk + 1BXibUxD2WRiWgreNw7yYV1/mfgQTOqh76epw70JiXfj/cabRB3DL0a1NsHUCEX0 + 8iq9ojjWlNDkVBEXO8/f2U1ygPNCZN7cKHl0Q0Dtf58xI8Nk5GTslCcABrhTlesj + 
X/xD3oVwdZn1YuJCyp74PDZkQAiMRsdRRq5xXGvmeq8poxCnM/mngpsJ2bRF2zCb + UloB3u9OuH2PcJSgLLxIQ25hIfRgn4oqGdwgup6w8qIeKcQqtByt9YhWueVEoQ1b + j13obTbe+60MjufumsHmo/T+r7igueFVhj7m2jm7r1hkzmU0b1j1vlS4ASl2Jvn9 + a1PSDTo18cYctG4lVS22MHx/cByA2MNHbQytTlHz2jPU1VKTWldlvP7nGxRPCEwh + H6XKrVQegKgT5jWLsd76WS6qt3gtj2cWlXQrezd3PUu6Qr/Hy5rpXLm5k4MrLlZh + 4/VLvY+EvXSpQjFE/C9p2mAU/vcT1qb8G5zWmLWOIekfdV77kXooLpnKxpFtH2Fw + hQiG4CVOaxhWheVCZkJgtL75WuuA2h+pzpOldCYnK4rLK6NO/E4TIzPdCXDf7evS + XgHKlocDpRIjkgbc6+25+I4fldxTUdt4kcjSOpUR9pM+muEd7CfXpBtURN3hJmm1 + o5Mi/zsYBVjOPEteT+0EFOYO03FFDvJgIVkHhOo511I/1eG5mhf8i/3yWSsND/Q= + =A0aZ + -----END PGP MESSAGE----- + fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA + - created_at: "2022-10-27T18:39:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA/Z87ylQaotQAQf+PAdWi8Vbul/ocENbQpT9AY0FoC4yfEkIpU7t/67f4QWM + UD8wDcY650+GXLk2+lUTx6edmlzFX6TZMVS2mgG0tmJ1hz5BH/7bO3pWS/TxMNDL + Mj1sFaxCM7Wk5Lg/m0+HU4mnNP0mWG+BU17yw8OOi5AhBieRGdBmyr9a6asVxgrz + EmCI3O+F/PMWtC8p1xpOKGCX8/21c14cKZfx3+Lgg5wrGF2YOUNhb/tdn9qkqOUi + jq0bpJiIahPOQYfIH1Bhm5WZVrhaLHKS+F4MlRX5cOE3SfWYvpCvjG4lGoOmMmdz + alY/R758Wlm262sV/nz+bP1VFeG0INwrfW8SO/5CftJRARgCrqS3w00OMTe/4Qi+ + NPvKChl+lL0LOTG5jPsDVFEZbfdIiSo7Sp/G9MKeIw38uN509o9F4G5171v2nxqY + FnFvC0JEOdNzf2Sj5P9HMV3O + =xVpJ + -----END PGP MESSAGE----- + fp: 9EA68B7F21204979645182E4287B083353C3241C + - created_at: "2022-10-27T18:39:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA9qJIVK2WMV7AQ//UjuLRvYApGGN/jaCmkwd/DkFWdnrsfP+J8LgKqX0Ai5x + Cx1tEhV+Najy/c05hRMaLR8xyC9a+ToedSpJPbL2P6GWy4CvHnWmkG5zsmVVNx6P + Wu7pXK2sLBrqv2YOJxP79/M3miFW4p0K13UVP75FtKTDwnbuKVaey9CCBkAF5hXJ + lGBUu1HRkbz7SZzls/8Lyd7XbdeHvtIrt7ktT64zugNKJ2oLKZ9T3haUpBTXrsF1 + mw3b+3KkH/gXmV4z1IVAD9uvKh0W5PuNz/S9sJ+pJGJT3OSLz9EjwGtS2AkAufMJ + f2ArmfVfpL4toaY6IxyYO0z3vAdGJslVYvtf9G5d8e5VwgDh8Rdxvs5uWInv2cw+ + zc4Mf3RkTX3SGI2FNVIboaCpMdQzHuhCebLLlGv1pOT4FFR/K2ImtQn74hkQ/PKe + dDOyfLTh2DgLjX1aXdW2IT2Ejsz/SgiB208jqCAV/+rJ4LWdvaHo6ueqZKvC+sBJ + 
+nEwHBbPAZU0wtJS48iqZJ32w6vN3MwpWw8SLEiTKlDHdToZIhZT71FUkICppSWO + T/yffo5Ow7ydBQIWgMCzWL3NA5t3Mnah7uwoJ3yBhrFW8gRWWp1bvBPW9DnF7KTB + wFG8hfnolbV1UWKA3hNz2BdtqXAf89k/TFCw7EzUKSv3GR7fJCMRdCTIeyYGngPS + UQHlCCvH1QcEWbJbo2Ln1i1JwFZj72xbtM60HiaQFCBTO2N8GN2i04ArxlxBMscn + wrgycm+Kcs1l3dapQ1VpcXC5FDM7vTsyHFeTm18tkniEQA== + =gYCq + -----END PGP MESSAGE----- + fp: 53B26AEDC08246715E15504B236B6291555E8401 + - created_at: "2022-10-27T18:39:31Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/YLzOYaRIJJARAAwjpteNw/faft0j1dwEbKQrr79wB1MNv9ELLFzpQRoKkT + m/E++5W2UeIJW+FyVoK8ro1U3UZw1+0xNC9eBdzBn1gKR1dRvGF02tWbTwrecUXZ + T3yOB7KMlnxyBLnAbQ1OGb3wQ2s52PFoLoWrqf9wUetUPjdLUogdsB4jElY9JqLN + I9dar2souwBPrwM6JAsg544pPhCglRRiRTp2IPfbAmK6iFJ0UpBZaRYo+56zeR4P + kclHOVPs+Uj1CKpwtDE2KHfCwaHuKkM25tMAJhw2XR3gg1dP0WwbLwG4UmcAMdr6 + TkZRk5L8g40nbSWAtsFHZXlH8l4ScdClC/16GrbOwJFcz35ZNsRMZh3luujWkjWj + k77JzoDJZaqMppCIVAbFHvoUWmVlawKrZr6KLqC43VDqYoUCxk3xhz77DTkZhscd + tinz3cW0iVXulxN3rT1/RVIU2lRIrMeBEXqbP+Omc6z+te84GYQ5lp0KMUWVLxuy + cVqGc0Ww/gTy7zft/havQ4Vep0UUz/bK/VkTAugv2iLU+e2adw2jKtrws0akuRE/ + +tVapRLD83ZtBVs0odISeZzkJCUYgE3smH8T8Uk1tGKvh7PhJ3psm0trjT9fRkGS + 8vEea6p3/FhRHOAOmbjEokC5zbIb+Iwfdj1K8nA9Sz5c3vViOve4KR901ukuc/3S + XgEpNXLd+cCwWstLgKj6CscF8Z6nDIe0W38rQjRRPyt1XRX/kyFi+pZjUujoNUay + 7iuz6raFPM8Ki1HtOTDg6RD4+3mL8dkHvLJ/Ns/BJ/ueSsieK4s9rYH9aKlHtHE= + =7Tdr + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + unencrypted_suffix: _unencrypted + version: 3.7.3
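Review bot: The `admin-password` ciphertext `data:eohgvOafD8g=` decodes to 8 bytes, and sops' AES-GCM encryption preserves plaintext length, so this file shows every reader of the repository that the Grafana admin password is only eight characters long. This commit also turns anonymous access off, which makes that account the one protecting the instance. Generate a long random value (32 characters or more) and re-encrypt with `sops` before deploying. The `secret-key` value is 64 bytes by the same measure, which is fine.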