diff --git a/morph/grid/local/private-keys/README.rst b/morph/grid/local/private-keys/README.rst
new file mode 100644
index 0000000000000000000000000000000000000000..684bf942a8010129f49cfcf79f5df1b60965ae45
--- /dev/null
+++ b/morph/grid/local/private-keys/README.rst
@@ -0,0 +1,44 @@
+Deployment Secrets
+==================
+
+Deploying PrivateStorageio requires certain secrets.
+For the localdev grid these secrets are kept in this (public) directory.
+This is intended to help make it as easy as possible to launch a local deployment.
+It also serves as an example of what secrets are required for any other deployment.
+
+You can find more information about some of these secrets in ``ops/generating-keys.rst``.
+
+deploy_key
+----------
+
+This is an SSH private key which will be authorized to trigger a deployment update on the deployment hosts themselves.
+The corresponding SSH public key is kept in the ``public-keys`` location.
+
+grafana-admin.password
+----------------------
+
+This is the initial admin password for the Grafana web admin on the monitoring host.
+
+stripe.secret
+-------------
+
+This is the Stripe secret key which the payment server uses to finalize payment processing using Stripe.
+The corresponding Stripe public key is kept in the ``public-keys`` location.
+
+ristretto.signing-key
+---------------------
+
+This is the Ristretto-group private key used by the ZKAP issuer.
+
+monitoringvpn
+-------------
+
+This directory holds Wireguard private keys for each of the hosts so they can participate in the deployment VPN.
+The corresponding public keys are kept in the ``public-keys`` location.
+
+payments-localdev-ssl
+---------------------
+
+This secret is *only* present for the localdev grid.
+This contains a TLS certificate and private key for the payment server.
+Other deployments will automatically generate a key and obtain a certificate from Let's Encrypt.
diff --git a/morph/grid/local/private-keys/grafana-admin.password b/morph/grid/local/private-keys/grafana-admin.password
new file mode 100644
index 0000000000000000000000000000000000000000..a31f068f733c21aa08fe347fbd6780397c65541c
--- /dev/null
+++ b/morph/grid/local/private-keys/grafana-admin.password
@@ -0,0 +1 @@
+Naht3Pha
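Review bot: This file commits a working Grafana admin credential to a public repository, so the value must never be used outside the localdev grid. The README added alongside it says these secrets are for localdev, but nothing visible in this commit stops another grid from copying the file together with the directory layout. I would add a line to the README's `grafana-admin.password` section such as `Generate a fresh value for every non-local grid; never reuse the one committed here.`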
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 36bb564a3d26eca419c46dcdef070584e6ff5d7d..f5b820a272fcfd4ea7106af32ad2fd0ac5c8ece3 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -65,6 +65,14 @@
           permissions = "0400";
           action = ["sudo" "systemctl" "restart" "grafana.service"];
         };
+        "grafana-admin-password" = {
+          source = "${privateKeyPath}/grafana-admin.password";
+          destination = "/run/keys/grafana-admin.password";
+          owner.user = config.systemd.services.grafana.serviceConfig.User;
+          owner.group = config.users.users.grafana.group;
+          permissions = "0400";
+          action = ["sudo" "systemctl" "restart" "grafana.service"];
+        };
       };
     monitoringvpn = {
       "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
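Review bot: The `action` on `grafana-admin-password` restarts grafana.service whenever the key file changes, which suggests that replacing the file rotates the password. Grafana applies the configured admin password only when it first creates the admin account. On a host that already has a database, a new file would be deployed and the service restarted while the old password stays valid. I would add a comment above the entry such as `# Only used when Grafana first creates its database; changing this file later does not change the admin password.` and document the reset step (`grafana-cli admin reset-admin-password`) next to it. The enclosing attribute set starts above the hunk.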
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index d320907e8e71562b47829850ff85245c265d5040..2fd9e7f7c83217afc4943e644f6d3161e56c49f9 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -56,6 +56,12 @@ in {
       default = /run/keys/grafana-google-sso.secret;
       description = "The path to the GSuite SSO secret file.";
     };
+    adminPasswordFile = lib.mkOption
+    { type = lib.types.path;
+      example = lib.literalExample "/var/secret/monitoring-admin-password";
+      default = /run/keys/grafana-admin.password;
+      description = "A file containing the password for the Grafana Admin account.";
+    };
   };
 
   config = {
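Review bot: The default for `adminPasswordFile` is an unquoted Nix path literal, which is risky for a secret. If any consumer interpolates a path value into a string, Nix copies the referenced file into the world-readable store; how the upstream Grafana module consumes this option is not visible here. A quoted string keeps it a plain runtime path and still satisfies `lib.types.path`: `default = "/run/keys/grafana-admin.password";`. The SSO secret option just above uses the same unquoted form and would benefit from the same change. The description could also state that the file must be readable by the grafana service user.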
@@ -81,33 +87,39 @@ in {
         # Defend against DNS rebinding attacks.
         SERVER_ENFORCE_DOMAIN = "true";
       };
-    };
 
-    services.grafana.auth = {
-      anonymous.org_role = "Admin";
-      anonymous.org_name = "Main Org.";
-    } // grafanaAuth;
+      auth = {
+        anonymous.org_role = "Admin";
+        anonymous.org_name = "Main Org.";
+      } // grafanaAuth;
 
-    services.grafana.provision = {
-      enable = true;
-      # See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources
-      datasources = [{
-        name = "Prometheus";
-        type = "prometheus";
-        access = "proxy";
-        url = cfg.prometheusUrl;
-        isDefault = true;
-      } {
-        name = "Loki";
-        type = "loki";
-        access = "proxy";
-        url = cfg.lokiUrl;
-      }];
-      # See https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
-      dashboards = [{
-        name = "provisioned";
-        options.path = ./grafana-config;
-      }];
+      # Give users that come through GSuite SSO the highest possible privileges:
+      users.autoAssignOrgRole = "Editor";
+
+      # Read the admin password from a file in our secrets folder:
+      security.adminPasswordFile = cfg.adminPasswordFile;
+
+      provision = {
+        enable = true;
+        # See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources
+        datasources = [{
+          name = "Prometheus";
+          type = "prometheus";
+          access = "proxy";
+          url = cfg.prometheusUrl;
+          isDefault = true;
+        } {
+          name = "Loki";
+          type = "loki";
+          access = "proxy";
+          url = cfg.lokiUrl;
+        }];
+        # See https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
+        dashboards = [{
+          name = "provisioned";
+          options.path = ./grafana-config;
+        }];
+      };
     };
 
     # nginx reverse proxy
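Review bot: The comment above `users.autoAssignOrgRole = "Editor";` says SSO users get "the highest possible privileges", but Editor ranks below Admin in Grafana. The setting also applies to every automatically created account, not only those arriving through GSuite SSO. I would reword it to `# New accounts (e.g. created on first GSuite SSO login) get the Editor role by default.` Separately, `anonymous.org_role = "Admin"` is carried over unchanged. Whether anonymous access is enabled depends on `grafanaAuth`, which is defined outside this hunk; if it is, unauthenticated visitors would outrank SSO users, so a comment explaining why that line is safe would help.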