Merge branch 'monitoring-set-admin-pw' into 'develop'

Monitoring: Set admin PW See merge request !123

Merge branch 'monitoring-set-admin-pw' into 'develop'
1b7252b5 · Jean-Paul Calderone · 0c2ed62e · d47a8798 · 1b7252b5 · 1b7252b5
Commit 1b7252b5 authored 3 years ago by Jean-Paul Calderone
--- a/morph/grid/local/private-keys/README.rst
+++ b/morph/grid/local/private-keys/README.rst
+Deployment Secrets
+==================
+
+Deploying PrivateStorageio requires certain secrets.
+For the localdev grid these secrets are kept in this (public) directory.
+This is intended to help make it as easy as possible to launch a local deployment.
+It also serves as an example of what secrets are required for any other deployment.
+
+You can find more information about some of these secrets in ``ops/generating-keys.rst``.
+
+deploy_key
+----------
+
+This is an SSH private key which will be authorized to trigger a deployment update on the deployment hosts themselves.
+The corresponding SSH public key is kept in the ``public-keys`` location.
+
+grafana-admin.password
+----------------------
+
+This is the initial admin password for the Grafana web admin on the monitoring host.
+
+stripe.secret
+-------------
+
+This is the Stripe secret key which the payment server uses to finalize payment processing using Stripe.
+The corresponding Stripe public key is kept in the ``public-keys`` location.
+
+ristretto.signing-key
+---------------------
+
+This is the Ristretto-group private key used by the ZKAP issuer.
+
+monitoringvpn
+-------------
+
+This directory holds Wireguard private keys for each of the hosts so they can participate in the deployment VPN.
+The corresponding public keys are kept in the ``public-keys`` location.
+
+payments-localdev-ssl
+---------------------
+
+This secret is *only* present for the localdev grid.
+This contains a TLS certificate and private key for the payment server.
+Other deployments will automatically generate a key and obtain a certificate from Let's Encrypt.
--- a/morph/grid/local/private-keys/grafana-admin.password
+++ b/morph/grid/local/private-keys/grafana-admin.password
+Naht3Pha
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -65,6 +65,14 @@
          permissions = "0400";
          action = ["sudo" "systemctl" "restart" "grafana.service"];
        };
+        "grafana-admin-password" = {
+          source = "${privateKeyPath}/grafana-admin.password";
+          destination = "/run/keys/grafana-admin.password";
+          owner.user = config.systemd.services.grafana.serviceConfig.User;
+          owner.group = config.users.users.grafana.group;
+          permissions = "0400";
+          action = ["sudo" "systemctl" "restart" "grafana.service"];
+        };
      };
    monitoringvpn = {
      "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";

--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -56,6 +56,12 @@ in {
      default = /run/keys/grafana-google-sso.secret;
      description = "The path to the GSuite SSO secret file.";
    };
+    adminPasswordFile = lib.mkOption
+    { type = lib.types.path;
+      example = lib.literalExample "/var/secret/monitoring-admin-password";
+      default = /run/keys/grafana-admin.password;
+      description = "A file containing the password for the Grafana Admin account.";
+    };
  };

  config = {
@@ -81,33 +87,39 @@ in {
        # Defend against DNS rebinding attacks.
        SERVER_ENFORCE_DOMAIN = "true";
      };
-    };

-    services.grafana.auth = {
-      anonymous.org_role = "Admin";
-      anonymous.org_name = "Main Org.";
-    } // grafanaAuth;
+      auth = {
+        anonymous.org_role = "Admin";
+        anonymous.org_name = "Main Org.";
+      } // grafanaAuth;

-    services.grafana.provision = {
-      enable = true;
-      # See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources
-      datasources = [{
-        name = "Prometheus";
-        type = "prometheus";
-        access = "proxy";
-        url = cfg.prometheusUrl;
-        isDefault = true;
-      } {
-        name = "Loki";
-        type = "loki";
-        access = "proxy";
-        url = cfg.lokiUrl;
-      }];
-      # See https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
-      dashboards = [{
-        name = "provisioned";
-        options.path = ./grafana-config;
-      }];
+      # Give users that come through GSuite SSO the highest possible privileges:
+      users.autoAssignOrgRole = "Editor";
+
+      # Read the admin password from a file in our secrets folder:
+      security.adminPasswordFile = cfg.adminPasswordFile;
+
+      provision = {
+        enable = true;
+        # See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources
+        datasources = [{
+          name = "Prometheus";
+          type = "prometheus";
+          access = "proxy";
+          url = cfg.prometheusUrl;
+          isDefault = true;
+        } {
+          name = "Loki";
+          type = "loki";
+          access = "proxy";
+          url = cfg.lokiUrl;
+        }];
+        # See https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
+        dashboards = [{
+          name = "provisioned";
+          options.path = ./grafana-config;
+        }];
+      };
    };

    # nginx reverse proxy