Migrate metrics-nekomesh to sops-nix

2026-05-24 00:39:39 +02:00 · 2026-05-24 00:39:39 +02:00 · 7740eb01f2
commit 7740eb01f2
parent e04b5ac8e6
3 changed files with 57 additions and 41 deletions
--- a/config/hosts/metrics-nekomesh/grafana.nix
+++ b/config/hosts/metrics-nekomesh/grafana.nix
@ -11,15 +11,15 @@
        cookie_secure = true;
        cookie_samesite = "strict";
        admin_user = "admin";
-        admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}";
+        admin_password = "$__file{/run/secrets/metrics-nekomesh-grafana-admin-password}";
        admin_email = "fi@nekover.se";
-        secret_key = "$__file{/secrets/metrics-nekomesh-grafana-secret-key.secret}";
+        secret_key = "$__file{/run/secrets/metrics-nekomesh-grafana-secret-key}";
      };
      smtp = {
        enabled = true;
        host = "mail.grzb.de:465";
        user = "nekomesh@grzb.de";
-        password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}";
+        password = "$__file{/run/secrets/mail-nekomesh-nekover-se}";
        from_address = "nyareply@nekover.se";
        from_name = "Nekomesh";
        startTLS_policy = "NoStartTLS";
@ -29,7 +29,7 @@
        name = "Nekoverse ID";
        allow_sign_up = true;
        client_id = "nekomesh";
-        client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}";
+        client_secret = "$__file{/run/secrets/metrics-nekomesh-grafana-keycloak-client-secret}";
        scopes = "openid email profile offline_access roles";
        email_attribute_path = "email";
        login_attribute_path = "preferred_username";
@ -52,4 +52,29 @@
      }
    ];
  };
+
+  sops.secrets."metrics-nekomesh-grafana-admin-password" = {
+    mode = "0440";
+    owner = "grafana";
+    group = "grafana";
+    restartUnits = [ "grafana.service" ];
+  };
+  sops.secrets."metrics-nekomesh-grafana-keycloak-client-secret" = {
+    mode = "0440";
+    owner = "grafana";
+    group = "grafana";
+    restartUnits = [ "grafana.service" ];
+  };
+  sops.secrets."metrics-nekomesh-grafana-secret-key" = {
+    mode = "0440";
+    owner = "grafana";
+    group = "grafana";
+    restartUnits = [ "grafana.service" ];
+  };
+  sops.secrets."mail-nekomesh-nekover-se" = {
+    mode = "0440";
+    owner = "grafana";
+    group = "grafana";
+    restartUnits = [ "grafana.service" ];
+  };
 }