From bc8f13e061e177ac3dcb43e78a80e661abb8623e Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Wed, 29 Sep 2021 15:20:21 +0000
Subject: [PATCH] Alerting: Make auth configurable

This will store the supposedly secret URL in the Nix Store and
print a honking big warning about it.
---
 morph/grid/local/grid.nix                   |  1 +
 morph/lib/customize-monitoring.nix          |  5 +++++
 nixos/modules/monitoring/server/grafana.nix | 12 +++++++++---
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 46cb9c8e..75d0d7fd 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -108,6 +108,7 @@ let
         inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
         inherit (grid-config) letsEncryptAdminEmail;
         googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
+        # slackAlertChannelSecretUrl = lib.readFile ;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
       })
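Review bot: The commented-out placeholder `lib.readFile ;` has no path, and a plain `readFile` keeps the file's trailing newline, which would end up inside the webhook URL once someone fills it in. I would leave a usable template instead, for example `# slackAlertChannelSecretUrl = lib.fileContents <path-to-secret-file>;`, with a short comment saying where the file is expected to live and that it must stay out of the repository. The enclosing `let` binding starts and ends outside this hunk.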
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 19a800f1..b3b21740 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -32,6 +32,10 @@
   # logins to Grafana.
 , googleOAuthClientID
 
+  # A (secret) Slack URL to post alerts to.  Make one for your Slack channel
+  # at https://www.slack.com/apps/A0F7XDUAZ.
+, slackAlertChannelSecretUrl ? ""
+
   # A string giving the NixOS state version for the system.
 , stateVersion
 , ...
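Review bot: The comment on `slackAlertChannelSecretUrl` does not say what the `""` default means, and a reader of this file cannot see that the Grafana module treats the empty string as "no Slack notifier". I would extend the comment with a line such as `# Leave empty (the default) to disable Slack alerting.` so the contract is visible at the argument list. The function's argument set begins before this hunk.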
@@ -96,6 +100,7 @@ in {
   services.private-storage.monitoring.grafana = {
     inherit letsEncryptAdminEmail;
     inherit googleOAuthClientID;
+    inherit slackAlertChannelSecretUrl;
     domain = "${config.networking.hostName}.${config.networking.domain}";
   };
 
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index b42cebd8..3765983f 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -62,6 +62,12 @@ in {
       default = /run/keys/grafana-admin.password;
       description = "A file containing the password for the Grafana Admin account.";
     };
+    slackAlertChannelSecretUrl = lib.mkOption
+    { type = lib.types.str;
+      default = "";
+      example = lib.literalExample "https://hooks.slack.com/services/x/y/z";
+      description = "If set, enables the slack alerter. Don't commit a secret URL to the repo, use readFile instead.";
+    };
   };
 
   config = {
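Review bot: The option description recommends `readFile`, but that only keeps the webhook URL out of git; the value is still evaluated into the configuration and written to the world-readable Nix store through `secure_settings.url` in the last hunk of this file. The commit message promises a warning about this, yet none of the hunks shown here emits one; inside `config` something like `warnings = lib.optional (cfg.slackAlertChannelSecretUrl != "") "grafana: the Slack webhook URL is stored world-readable in the Nix store";` would do it. The description should state the store exposure as well, and a longer-term fix would be a path-typed option read at runtime, like the admin password option just above with its `/run/keys/grafana-admin.password` default. The `config` block continues outside this hunk.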
@@ -122,7 +128,7 @@ in {
           options.path = ./grafana-dashboards;
         }];
         # See https://grafana.com/docs/grafana/latest/administration/provisioning/#example-alert-notification-channels-config-file
-        notifiers = [{
+        notifiers = [ ] ++ (lib.optionals ("" != cfg.slackAlertChannelSecretUrl) [{
           uid = "slack-notifier-1";
           name = "Slack";
           type = "slack";
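Review bot: The `[ ] ++ (...)` prefix on the new `notifiers` line is redundant, since `lib.optionals` already returns an empty list when the condition is false. `notifiers = lib.optionals (cfg.slackAlertChannelSecretUrl != "") [{` reads more directly, with the closing in the next hunk becoming `}];` again. The list body runs on past the end of this hunk.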
@@ -132,9 +138,9 @@ in {
             uploadImage = true;
           };
           secure_settings = {
-            url = "https://hooks.slack.com/services/...";
+            url = cfg.slackAlertChannelSecretUrl;
           };
-        }];
+        }]);
       };
     };
 
-- 
GitLab