From f230e643dca7fa1cb05efbc357b84aff8e7c3e77 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Fri, 16 Jul 2021 10:42:03 -0400
Subject: [PATCH] Shuffle the Grafana GSuite OAuth2 configuration around

This should let it work for both enabled and disabled configurations
---
 morph/lib/customize-monitoring.nix | 34 +++++++++++++++++++++++++-----
 morph/lib/monitoring.nix           |  7 ------
 2 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 6e19ff99..3080c364 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -43,11 +43,35 @@
   # See customize-issuer.nix for an explanatoin of targetHost value.
   deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
 
-  deployment.secrets = {
-    "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
-    "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
-    "grafana-google-sso-secret".source = "${privateKeyPath}/grafana-google-sso.secret";
-  };
+  deployment.secrets = let
+    # When Grafana SSO is disabled there is not necessarily any client secret
+    # available.  Avoid telling morph that there is one in this case (so it
+    # avoids trying to read it and then failing).  Even if the secret did
+    # exist, if SSO is disabled there's no point sending the secret to the
+    # server.
+    #
+    # Also, we have to define this whole secret here so that we can configure
+    # it completely or not at all.  morph gets angry if we half configure it
+    # (say, by just omitting the "source" value).
+    grafanaSSO =
+      if googleOAuthClientID == ""
+      then { }
+      else {
+        "grafana-google-sso-secret" = {
+          source = "${privateKeyPath}/grafana-google-sso.secret";
+          destination = "/run/keys/grafana-google-sso.secret";
+          owner.user = "root";
+          owner.group = "root";
+          permissions = "0400";
+          action = ["sudo" "systemctl" "restart" "grafana.service"];
+        };
+      };
+    monitoringvpn = {
+      "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
+      "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
+    };
+    in
+      grafanaSSO // monitoringvpn;
 
   networking.domain = domain;
   networking.hosts = hostsMap;
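Review bot: The decision to deploy `grafana-google-sso-secret` hinges on `googleOAuthClientID == ""`, but nothing in this hunk ties that sentinel to whatever in monitoring.nix decides to enable Grafana's Google auth and point it at `/run/keys/grafana-google-sso.secret`; if the two checks are ever evaluated from different values, Grafana is configured to read a key morph never deployed and the failure only surfaces at service start. Deriving both from one shared value would remove that risk, or at minimum the condition deserves `# keep in sync with the SSO enable condition in monitoring.nix`. The `monitoringvpn` entries only set `source` because their destination/owner/permissions/action presumably still come from monitoring.nix (its context is visible in the second hunk), while the Grafana secret is now fully defined here; a one-line comment on `monitoringvpn` saying so would keep the asymmetry from reading as an omission. The enclosing attribute set begins before and ends after this hunk.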
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index 7623c478..d8af93b2 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -17,13 +17,6 @@ rec {
         permissions = "0400";
         action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
       };
-      "grafana-google-sso-secret" = {
-        destination = "/run/keys/grafana-google-sso.secret";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "grafana.service"];
-      };
     };
   };
 
-- 
GitLab