From b233bc97015ce9bb79dec19a47adaef0a6630e78 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Fri, 16 Jul 2021 14:13:43 -0400
Subject: [PATCH] Allow Grafana to read the Google OAuth2 client secret

---
 morph/lib/customize-monitoring.nix          | 4 ++--
 nixos/modules/monitoring/server/grafana.nix | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 3080c364..36bb564a 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -60,8 +60,8 @@
         "grafana-google-sso-secret" = {
           source = "${privateKeyPath}/grafana-google-sso.secret";
           destination = "/run/keys/grafana-google-sso.secret";
-          owner.user = "root";
-          owner.group = "root";
+          owner.user = config.systemd.services.grafana.serviceConfig.User;
+          owner.group = config.users.users.grafana.group;
           permissions = "0400";
           action = ["sudo" "systemctl" "restart" "grafana.service"];
         };
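Review bot: The two new owner lines take their values from different places: `owner.user` comes from the grafana unit's `serviceConfig.User`, while `owner.group = config.users.users.grafana.group;` hard-codes the `grafana` user entry, so the two can silently disagree if the service user is ever changed. If the unit also sets a Group (the NixOS module appears to), reading both from the same source, `owner.group = config.systemd.services.grafana.serviceConfig.Group;`, keeps the ownership consistent. With `permissions = "0400"` the group bits grant nothing, so the group value only matters for consistency, but a wrong group is still confusing on the host. The enclosing attribute set starts before this hunk.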
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index b5719f2d..28c1b690 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -119,5 +119,8 @@ in {
         };
       };
     };
+
+    # Let Grafana read from keys, if necessary.
+    users.users.grafana.extraGroups = [ "keys" ];
   };
 }
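Review bot: The comment `# Let Grafana read from keys, if necessary.` does not say what makes membership necessary; presumably the NixOS keys directory is only traversable by the `keys` group, so the grafana user cannot reach `/run/keys/grafana-google-sso.secret` even though the file is now owned by it. A comment naming that reason, `# /run/keys is only traversable by the keys group; grafana needs membership to reach grafana-google-sso.secret`, would let the next maintainer tell whether the membership is still needed. Note that this membership also covers any other group-readable file that lands in that directory, so other keys deployed there should keep owner-only permissions as this one does. This line also assumes the service user is named `grafana`, as does the group expression in the first hunk. The enclosing module body starts before this hunk.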
-- 
GitLab