From be3d389fe6010fa4659266a8a1104e9ca113b598 Mon Sep 17 00:00:00 2001
From: Tom Prince <tom.prince@private.storage>
Date: Fri, 1 Oct 2021 18:47:21 -0600
Subject: [PATCH] Use `$__file{}` for grafana's slack URL secret.

---
 DEPLOYMENT-NOTES.rst                            |  2 ++
 morph/grid/local/private-keys/README.rst        |  2 +-
 morph/grid/local/private-keys/grafana-slack-url |  2 +-
 nixos/modules/monitoring/server/grafana.nix     | 17 +++++------------
 4 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/DEPLOYMENT-NOTES.rst b/DEPLOYMENT-NOTES.rst
index 0a7ea52e..e48a8b52 100644
--- a/DEPLOYMENT-NOTES.rst
+++ b/DEPLOYMENT-NOTES.rst
@@ -1,6 +1,8 @@
 Deployment notes
 ================
 
+- 2021-10-XX The secret in ``private-keys/grafana-slack-url`` needs to be changed to remove the ``SLACKURL=`` prefix.
+
 - 2021-09-30 `Enable alerting <https://whetstone.privatestorage.io/privatestorage/PrivateStorageio/-/merge_requests/185>`_ needs a secret in ``private-keys/grafana-slack-url`` looking like the template in ``morph/grid/local/private-keys/grafana-slack-url`` and pointing to the secret API endpoint URL saved in `this 1Password entry <https://privatestorage.1password.com/vaults/7flqasy5hhhmlbtp5qozd3j4ga/allitems/cgznskz2oix2tyx5xyntwaos5i>`_ (or create a new secret URL at https://www.slack.com/apps/A0F7XDUAZ).
 
 - 2021-09-07 `Manage access to payment metrics <https://whetstone.privatestorage.io/privatestorage/PrivateStorageio/-/merge_requests/146>`_ requires moving and chown'ing the PaymentServer database on the ``payments`` host::
diff --git a/morph/grid/local/private-keys/README.rst b/morph/grid/local/private-keys/README.rst
index 91670ac1..8ecd2dd2 100644
--- a/morph/grid/local/private-keys/README.rst
+++ b/morph/grid/local/private-keys/README.rst
@@ -23,7 +23,7 @@ grafana-slack-url
 -----------------
 
 This file is read by Grafana's systemd service to set an environment variable with a secret Slack WebHook URL to post alerts to.
-The only line in the file should be ``SLACKURL=`` with the secret URL.
+The only line in the file should be the secret URL.
 Use the url from `this 1Password entry <https://privatestorage.1password.com/vaults/7flqasy5hhhmlbtp5qozd3j4ga/allitems/cgznskz2oix2tyx5xyntwaos5i>`_ or get a new secret URL for your Slack channel at https://www.slack.com/apps/A0F7XDUAZ.
 
 stripe.secret
diff --git a/morph/grid/local/private-keys/grafana-slack-url b/morph/grid/local/private-keys/grafana-slack-url
index cb7dd1ae..0885b7bf 100644
--- a/morph/grid/local/private-keys/grafana-slack-url
+++ b/morph/grid/local/private-keys/grafana-slack-url
@@ -1,2 +1,2 @@
-SLACKURL=https://hooks.slack.com/services/x/y/z
+https://hooks.slack.com/services/x/y/z
 
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index 1783782c..1b51abd4 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -67,17 +67,14 @@ in {
       default = false;
       description = ''
         Enables the slack alerter. Expects a file that contains
-        the definition of an environment variable named SLACKURL
-        pointing to the secret Slack Web Hook URL in
-        grafanaSlackUrlFile (see below).
+        the secret Slack Web Hook URL in grafanaSlackUrlFile (see below).
       '';
     };
     grafanaSlackUrlFile = lib.mkOption
     { type = lib.types.path;
       default = /run/keys/grafana-slack-url;
       description = ''
-        Where to find the Grafana Systemd EnvironmentFile that
-        sets the secret SLACKURL environment variable.
+        Where to find the file that containts the slack URL.
       '';
     };
   };
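Review bot: The new description of `grafanaSlackUrlFile` has a typo ("containts") and no longer says who reads the file, which matters now that the `EnvironmentFile` wiring is removed and Grafana itself opens the path through `$__file{}` (hunk at new line 148). Since systemd no longer reads the file before the service starts, the file presumably has to be readable by the user Grafana runs as, and a deployment that leaves `/run/keys/grafana-slack-url` readable only by root would likely fail to load the alerter rather than fail at unit start; that is worth stating where operators will see it. Suggested wording: `Where to find the file that contains the secret Slack webhook URL. The file is read by the Grafana process itself, so it must be readable by Grafana's service user.` The enclosing options set starts and ends outside this hunk.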
@@ -86,12 +83,6 @@ in {
     # Port 80 for ACME ssl retrieval only. 443 for nginx -> grafana.
     networking.firewall.allowedTCPPorts = [ 80 443 ];
 
-    # We pass the secret Slack URL using an environment variable.
-    systemd.services.grafana.serviceConfig.EnvironmentFile =
-      if cfg.enableSlackAlert
-      then [ cfg.grafanaSlackUrlFile ]
-      else [ ];
-
     services.grafana = {
       enable = true;
       domain = cfg.domain;
@@ -157,7 +148,9 @@ in {
             uploadImage = true;
           };
           secure_settings = {
-            url = "$SLACKURL";
+            # `$__file{}` reads the value from the named file.
+            # See https://grafana.com/docs/grafana/latest/administration/configuration/#file-provider
+            url = "$__file{${toString cfg.grafanaSlackUrlFile}}";
           };
         }]);
       };
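Review bot: The `toString` in `url = "$__file{${toString cfg.grafanaSlackUrlFile}}";` is doing security-relevant work that the added comment does not mention: `grafanaSlackUrlFile` is declared as `lib.types.path`, and interpolating a path value directly with `"${...}"` would copy the file into the world-readable Nix store, whereas `toString` only renders the path as a string. A later reader may "simplify" the call away, so the comment should record why it is there, e.g. `# toString keeps the path as a plain string; "${path}" would copy the secret file into /nix/store.` The surrounding attribute set starts outside this hunk.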
-- 
GitLab