From ae13ab0c86fa3fb496fc522324c6f55b26e72228 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Mon, 17 Jul 2023 10:57:41 +0000
Subject: [PATCH 1/2] nixos: porthos: secrets: add grafana secret-key
The secret will be used in the next commit.
---
 .../porthos/secrets/monitoring/secret-key.age | Bin 0 -> 507 bytes
 hosts/nixos/porthos/secrets/secrets.nix | 4 ++++
 2 files changed, 4 insertions(+)
 create mode 100644 hosts/nixos/porthos/secrets/monitoring/secret-key.age
diff --git a/hosts/nixos/porthos/secrets/monitoring/secret-key.age b/hosts/nixos/porthos/secrets/monitoring/secret-key.age
new file mode 100644
index 0000000000000000000000000000000000000000..4cef94fa385ae398c60f78536f661c35edf04631
GIT binary patch literal 507 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn_Ri1BO;_*_F)T0+ z$oA8A@~-f+$n|vhEi?);3v+Q!sw%EBxA3g+Ob-pyFRRG+$mYsOHmgjv2y^qVu*~qt zs0?%}@prVeOw)F&DE1D@&kIPb$nZ%jcFZbs4@9>uDqicz!uX#YRS45RzT5z^oWPn*|WPq=;kxQtvyGvA6UZQqN zUVem^p=pUpgr!k#Nn%kJm#(g^f={BKMS4n(QEG^jzPm-ZQ&x$7g{y0bmw9n%NqJ#J zctLJyYK3b=eyLA7*M6P()8b<$GbBds_j<$HsU&gXW^9%J1s0R7CxdfuioQE0v%67y i$qNz5ce@K;OrO5?x=*9vHD2TJcPoBRP09Si^8f(Rs;wsg literal 0 HcmV?d00001
diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix
index 821cc25..498aebf 100644
--- a/hosts/nixos/porthos/secrets/secrets.nix
+++ b/hosts/nixos/porthos/secrets/secrets.nix
@@ -42,6 +42,10 @@ in
 owner = "grafana";
 publicKeys = all;
 };
+ "monitoring/secret-key.age" = {
+ owner = "grafana";
+ publicKeys = all;
+ };
 "nextcloud/password.age" = {
 owner = "nextcloud";
From 47533f119e21b444c8ee62a3ab985ad4551886bd Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Mon, 17 Jul 2023 10:58:29 +0000
Subject: [PATCH 2/2] modules: services: monitoring: add 'secretKeyFile'
---
 hosts/nixos/porthos/services.nix | 1 +
 modules/services/monitoring/default.nix | 7 +++++++
 2 files changed, 8 insertions(+)
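Review bot: In the `hosts/nixos/porthos/secrets/secrets.nix` hunk, the new `"monitoring/secret-key.age"` entry is encrypted to `publicKeys = all;`, and `all` is defined outside the hunk, so the recipient set cannot be checked from here. Grafana uses this key to encrypt data source credentials kept in its database, so every recipient able to decrypt the file can also decrypt those credentials from a copy of the database. If `all` holds more than this host's key and the admin keys, I would narrow the list for this entry, and in either case add a comment above it such as `# Grafana secret_key: encrypts data source secrets stored in the database`. The enclosing attribute set starts and ends outside the hunk.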
diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix
index 76ea1ee..e4cae5e 100644
--- a/hosts/nixos/porthos/services.nix
+++ b/hosts/nixos/porthos/services.nix
@@ -80,6 +80,7 @@ in
 enable = true;
 grafana = {
 passwordFile = secrets."monitoring/password".path;
+ secretKeyFile = secrets."monitoring/secret-key".path;
 };
 };
 # FLOSS music streaming server
diff --git a/modules/services/monitoring/default.nix b/modules/services/monitoring/default.nix
index ece6cc1..829bfe0 100644
--- a/modules/services/monitoring/default.nix
+++ b/modules/services/monitoring/default.nix
@@ -27,6 +27,12 @@ in
 example = "/var/lib/grafana/password.txt";
 description = "Admin password stored in a file";
 };
+
+ secretKeyFile = mkOption {
+ type = types.str;
+ example = "/var/lib/grafana/secret_key.txt";
+ description = "Secret key stored in a file";
+ };
 };
 prometheus = {
@@ -61,6 +67,7 @@ in
 security = {
 admin_user = cfg.grafana.username;
 admin_password = "$__file{${cfg.grafana.passwordFile}}";
+ secret_key = "$__file{${cfg.grafana.secretKeyFile}}";
 };
 };
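Review bot: The description on the new `secretKeyFile` option in `modules/services/monitoring/default.nix`, `"Secret key stored in a file"`, does not say what the key protects or that the file must live outside the Nix store. `types.str` looks like the right type, since a string is not copied into the world-readable store the way an interpolated path literal is, and the description should say so to keep anyone from switching it to a path type later. I would write `description = "Path to a file, outside the Nix store and readable by the grafana user, holding Grafana's secret_key";`. The option has no default, so every host enabling this module must now supply the file; that is presumably intended but is not stated in the commit message.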
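Review bot: Setting `secret_key` in the last hunk of `modules/services/monitoring/default.nix` changes the key on an instance that may already hold data, and Grafana cannot decrypt secrets it stored under a previous key. If the instance ran on Grafana's built-in default key until now, data source passwords and other encrypted settings in the existing database would have to be re-entered or re-encrypted after this deploy, a step the commit does not mention. Reading the value through `$__file{…}` keeps it out of the generated configuration, consistent with `admin_password` on the line above. I would add a comment above the new line, `# Changing this key makes secrets already stored in the Grafana database unreadable until they are re-encrypted`. The enclosing settings block starts and ends outside the hunk.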