diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 36bb564a3d26eca419c46dcdef070584e6ff5d7d..f5b820a272fcfd4ea7106af32ad2fd0ac5c8ece3 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -65,6 +65,14 @@
 permissions = "0400";
 action = ["sudo" "systemctl" "restart" "grafana.service"];
 };
+ "grafana-admin-password" = {
+ source = "${privateKeyPath}/grafana-admin.password";
+ destination = "/run/keys/grafana-admin.password";
+ owner.user = config.systemd.services.grafana.serviceConfig.User;
+ owner.group = config.users.users.grafana.group;
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "grafana.service"];
+ };
 };
 monitoringvpn = {
 "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index eed9a1a6eb045ef1570cb2adb150482abea6c0b4..2fd9e7f7c83217afc4943e644f6d3161e56c49f9 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -56,6 +56,12 @@ in {
 default = /run/keys/grafana-google-sso.secret;
 description = "The path to the GSuite SSO secret file.";
 };
+ adminPasswordFile = lib.mkOption
+ { type = lib.types.path;
+ example = lib.literalExample "/var/secret/monitoring-admin-password";
+ default = /run/keys/grafana-admin.password;
+ description = "A file containing the password for the Grafana Admin account.";
+ };
 };
 config = {
@@ -87,6 +93,12 @@ in {
 anonymous.org_name = "Main Org.";
 } // grafanaAuth;
+ # Give users that come through GSuite SSO the highest possible privileges:
+ users.autoAssignOrgRole = "Editor";
+ # Read the admin password from a file in our secrets folder:
+ security.adminPasswordFile = cfg.adminPasswordFile;
 provision = {
 enable = true;
 # See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources
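Review bot: The `action` that restarts grafana.service after this secret is redeployed suggests that replacing `grafana-admin.password` is expected to rotate the admin password, but as far as I know Grafana only honours `admin_password` (which is what the module's `security.adminPasswordFile` feeds) when it creates the admin user on first start; once the user exists in Grafana's database, the stored hash wins and a redeploy plus restart changes nothing. If that matches the Grafana version deployed here, a comment on the entry should say so, e.g. `# NOTE: Grafana only applies this password when it first creates the admin user; rotating the file later does not change an existing admin's password.` Separately, `destination = "/run/keys/grafana-admin.password"` duplicates the default of the new `adminPasswordFile` option in grafana.nix rather than reading it from the module, so the two can silently drift if someone overrides the option; deriving the destination from that option (its full path is not visible in this hunk) would remove the duplication.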
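Review bot: The `description` of the new `adminPasswordFile` option does not say where and when the file is read, which matters for a secret: `lib.types.path` also accepts a repo-relative path literal such as `./secrets/admin.password`, and depending on how the NixOS grafana module interpolates the value that file can end up copied into the world-readable Nix store. I would spell out the contract in the description, e.g. `description = "Path to a file containing the Grafana admin password. It is read on the target host when the service starts; keep it outside the Nix store (for example a deployed secret under /run/keys).";`. The enclosing `options` attribute set starts before this hunk.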
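Review bot: The comment `# Give users that come through GSuite SSO the highest possible privileges:` does not match the value `users.autoAssignOrgRole = "Editor";` — Grafana's org roles go up to Admin, so Editor is not the highest, and a reader cannot tell whether withholding Admin from SSO users is deliberate or an oversight. Grafana's `auto_assign_org_role` (which I believe this option maps to) also applies to every automatically created user, not only those arriving through GSuite SSO, so the comment overstates its scope as well. If Editor is the intended ceiling, I would replace the comment with `# Every auto-created user (including those arriving via GSuite SSO) becomes an Editor of the main org; Admin is reserved for the provisioned admin account.`; otherwise the value should be `"Admin"`. The enclosing `config` attribute set starts before this hunk.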