From 652b01a58d72020ce649600ed5fee1271c0aea3e Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Sat, 17 Jul 2021 04:02:55 +0000
Subject: [PATCH] Grafana: Set admin PW

---
 morph/lib/customize-monitoring.nix          |  8 ++++++++
 nixos/modules/monitoring/server/grafana.nix | 12 ++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 36bb564a..f5b820a2 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -65,6 +65,14 @@
           permissions = "0400";
           action = ["sudo" "systemctl" "restart" "grafana.service"];
         };
+        "grafana-admin-password" = {
+          source = "${privateKeyPath}/grafana-admin.password";
+          destination = "/run/keys/grafana-admin.password";
+          owner.user = config.systemd.services.grafana.serviceConfig.User;
+          owner.group = config.users.users.grafana.group;
+          permissions = "0400";
+          action = ["sudo" "systemctl" "restart" "grafana.service"];
+        };
       };
     monitoringvpn = {
       "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
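Review bot: The new entry delivers the admin password to `/run/keys/grafana-admin.password` (the `destination` line), and if `/run/keys` is the usual tmpfs that morph uploads secrets into, the file does not survive a reboot, so `grafana.service` would start (or fail to start) without it until the next deploy; the existing `grafana-google-sso.secret` entry shares this property, so it is a pre-existing pattern rather than a regression, but it is worth a comment such as `# Not persistent across reboots: re-run the morph deploy after a host restart.` The block is otherwise a line-for-line copy of the SSO secret above it, differing only in the secret name; a small helper like `grafanaSecret = name: { source = "${privateKeyPath}/${name}"; destination = "/run/keys/${name}"; ... }` would keep the owner, mode and restart action from drifting between the two. The enclosing attribute set starts before this hunk.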
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index eed9a1a6..2fd9e7f7 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -56,6 +56,12 @@ in {
       default = /run/keys/grafana-google-sso.secret;
       description = "The path to the GSuite SSO secret file.";
     };
+    adminPasswordFile = lib.mkOption
+    { type = lib.types.path;
+      example = lib.literalExample "/var/secret/monitoring-admin-password";
+      default = /run/keys/grafana-admin.password;
+      description = "A file containing the password for the Grafana Admin account.";
+    };
   };
 
   config = {
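Review bot: The `adminPasswordFile` option is declared as `lib.types.path` with the bare path literal `/run/keys/grafana-admin.password` as its default, and a path-typed value that is later interpolated with `"${...}"` (rather than `toString`/`escapeShellArg`) makes Nix copy the file into the world-readable store at evaluation time; this mirrors the existing `/run/keys/grafana-google-sso.secret` default above, so it is consistent, but the description should make the contract explicit so a future consumer does not interpolate it. I would also have the description state what the code relies on: `description = "Path to a file containing the Grafana admin password. Read by the grafana user at service start; must exist at runtime and is not copied into the store.";`. Whether Grafana honours a changed password on later starts is not visible from this hunk and is worth noting in the description once confirmed.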
@@ -87,6 +93,12 @@ in {
         anonymous.org_name = "Main Org.";
       } // grafanaAuth;
 
+      # Give users that come through GSuite SSO the highest possible privileges:
+      users.autoAssignOrgRole = "Editor";
+
+      # Read the admin password from a file in our secrets folder:
+      security.adminPasswordFile = cfg.adminPasswordFile;
+
       provision = {
         enable = true;
         # See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources
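Review bot: The comment above `users.autoAssignOrgRole = "Editor";` says SSO users get "the highest possible privileges", but `Editor` is not the highest Grafana organisation role — `Admin` is — so either the comment or the value is wrong; if Editor is the intended ceiling (which is the safer choice next to the anonymous access configured just above), the comment should read `# Give users that come through GSuite SSO edit rights, but not org-admin rights:`. Separately, as far as I know Grafana applies `security.admin_password` only when it initialises its database for the first time, so the `adminPasswordFile` wired in here will not rotate an existing admin's password on the `systemctl restart grafana.service` that the secret's `action` triggers; a note such as `# Only consumed on first database initialisation; use grafana-cli admin reset-admin-password to rotate.` would save the next operator a surprise. The enclosing `services.grafana` attribute set starts before this hunk and continues past it.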
-- 
GitLab