diff --git a/config/hosts/metrics/grafana.nix b/config/hosts/metrics/grafana.nix
index 7cf4dcf..05f80e3 100644
--- a/config/hosts/metrics/grafana.nix
+++ b/config/hosts/metrics/grafana.nix
@@ -11,14 +11,14 @@
 cookie_secure = true;
 cookie_samesite = "strict";
 admin_user = "yuri";
- admin_password = "$__file{/secrets/metrics-grafana-admin-password.secret}";
+ admin_password = "$__file{/run/secrets/metrics-grafana-admin-password}";
 admin_email = "yuri@nekover.se";
 };
 smtp = {
 enabled = true;
 host = "mail.grzb.de:465";
 user = "grafana";
- password = "$__file{/secrets/metrics-grafana-smtp-password.secret}";
+ password = "$__file{/run/secrets/metrics-grafana-smtp-password}";
 from_address = "grafana@robot.grzb.de";
 from_name = "Grafana";
 startTLS_policy = "NoStartTLS";
@@ -33,4 +33,17 @@
 }
 ];
 };
+
+ sops.secrets."metrics-grafana-admin-password" = {
+ mode = "0440";
+ owner = "grafana";
+ group = "grafana";
+ restartUnits = [ "grafana.service" ];
+ };
+ sops.secrets."metrics-grafana-smtp-password" = {
+ mode = "0440";
+ owner = "grafana";
+ group = "grafana";
+ restartUnits = [ "grafana.service" ];
+ };
 }
diff --git a/config/hosts/metrics/secrets.nix b/config/hosts/metrics/secrets.nix
deleted file mode 100644
index fcf9baa..0000000
--- a/config/hosts/metrics/secrets.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ keyCommandEnv, ... }:
-{
- deployment.keys = {
- "metrics-grafana-admin-password.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/admin-password" ];
- destDir = "/secrets";
- user = "grafana";
- group = "grafana";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "metrics-grafana-smtp-password.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/smtp-password" ];
- destDir = "/secrets";
- user = "grafana";
- group = "grafana";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- };
-}
diff --git a/config/hosts/metrics/secrets.yaml b/config/hosts/metrics/secrets.yaml
new file mode 100644
index 0000000..154cc13
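Review bot: The two `$__file{/run/secrets/...}` strings on the `admin_password` and `password` lines hard-code the location that the `sops.secrets` entries added later in this file resolve to only by default, so a future `path =` override on either secret would silently leave Grafana reading a stale or missing file. If `config` is in this module's argument set (the header is outside the hunk), deriving the path from the secret keeps the two in step: `admin_password = "$__file{${config.sops.secrets."metrics-grafana-admin-password".path}}";` and `password = "$__file{${config.sops.secrets."metrics-grafana-smtp-password".path}}";`. Grafana documents `admin_password` as applied once on first run, so rotating the sops value afterwards does not change the existing admin account's password; a comment next to that line would save the next reader a surprise, e.g. `# applied only when Grafana creates the initial admin; rotate an existing admin via the API`.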
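Review bot: Neither `sops.secrets` entry in the second grafana.nix hunk sets `sopsFile`, so both resolve through `sops.defaultSopsFile`, which this commit does not touch; unless it already points at the new `./secrets.yaml` somewhere outside this diff, activation will fail because the keys are not found in whatever file is the default. Adding `sopsFile = ./secrets.yaml;` pins the entries to the file introduced here regardless of the global default. The two attrsets are otherwise identical (mode `0440`, owner/group `grafana`, restart of `grafana.service`), so if `lib` is available in the module arguments (the enclosing function header is outside the hunk) they can be generated once, keeping the permission and restart policy in a single place.
```nix
  # sops-nix decrypts both into /run/secrets/<name>; grafana.service restarts when either value rotates
  sops.secrets = lib.genAttrs [
    "metrics-grafana-admin-password"
    "metrics-grafana-smtp-password"
  ] (_: {
    sopsFile = ./secrets.yaml;
    mode = "0440";
    owner = "grafana";
    group = "grafana";
    restartUnits = [ "grafana.service" ];
  });
```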
--- /dev/null +++ b/config/hosts/metrics/secrets.yaml @@ -0,0 +1,26 @@ +metrics-grafana-admin-password: ENC[AES256_GCM,data:vk5KwDxDvTtI/vycl+2XItCFadUQL7rDHZ+0e3WAXynkHq/gmP0Q4VBBjQQNnFwxumF/dIj+CxEqEDdCL6HpSqEOZm/SJCfBARSCxyNCXoYiI/0+NTlUdfhscrDVleLJcMNrBxmxKt3cnDotPWS8rwF5oA1A79OW6+eZm1RC8hA=,iv:JtV0/vZIIzIF+WtD9KRPmyfLI4sMSe7ff5KHG7PEXjY=,tag:A1RgqOOd6M2m1ueXWPxw2w==,type:str] +metrics-grafana-smtp-password: ENC[AES256_GCM,data:ledR3mYQaQndiXgWJSZCqwrar1d5LvnwfdAb0EYI40M=,iv:T6yV0KKz5MK8pLWQoO0xi/ZAdhpFgNvER17X5ZfCCe0=,tag:16lt0z4Gn4Gcc54ssF0W5w==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVWd2NHNWTElaTk42R1Qx + bmZxYnhoT3NqQ0I5ZWVsS0N4eHdWMDhRU0hFCmhlQ1hrZ3R5REt2ODV0dTA4VWl0 + R0dtNWIydzhCUmVMYk85d0ZETk8wQkEKLS0tIElFbXRhYWprVER4ZGZocTNzcGNv + RHN2MWJVTXFEZnhKeXNQdUlnQ0ZiYmMKXicuiR0ZlDNb4EX49y3NmAOk7onTcDEV + Ohe+Enl0dM+dMfCdcojIkdTln74KZ+h6yxVr5jDU3EnDZVZpczY5wQ== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bkFiY0x1TUFGYnExWnYz + QldDOW1oaWVEUDMvbUN2TmwxZVZEOVpZbW5JCjlnYklSSjV1OExObDl1QUhoZFls + V3cyVVBkYWwyT0lpTlVnb1kxTG9IM0UKLS0tIENGak1HaFZYT2ZCL0hleUVVUDZu + MTI5ZkhUK0RZdGhSYVFZMDNHaS9QaFEKyptwQi4pYw0zZ2F9LvwX4F18UUdjqVrz + aB4hZkakAI94qVz3JvIVlslWzsDtIKoBTobl3dBNFId7M8TQwwZUvg== + -----END AGE ENCRYPTED FILE----- + recipient: age1lrtengtdc0nzpagr8fkp5mwqda66jqr0s2h3wsxcdscmalp8n3js3r0e3n + lastmodified: "2026-05-23T22:14:10Z" + mac: ENC[AES256_GCM,data:w1pNlY6g/PxQcpY/0Jt02TL5oZ0gwB5fYIzd99PgJTU0X76tmvlAF1i58SubnyR6TWiO0Q4TYJcqgeKHHvWYkYtQZzV4MGc0UwY1+Ipw3q38fRTHqVNbiaCorYbWBMXUnewE4eXictnFfq+vIfFeWktoGws/NTrZEIQ4lY+NSiE=,iv:vP7vujgXGRSr/adBJu1SATryPbqF3Obcg885EZahMTg=,tag:HuRqc8wS1+geWmJMdRWNSA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0