Shuffle the Grafana GSuite OAuth2 configuration around

This should let it work for both enabled and disabled configurations

Shuffle the Grafana GSuite OAuth2 configuration around
f230e643 · Jean-Paul Calderone · 7b74652b · f230e643 · f230e643
Commit f230e643 authored 3 years ago by Jean-Paul Calderone
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -43,11 +43,35 @@
  # See customize-issuer.nix for an explanatoin of targetHost value.
  deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
-  deployment.secrets = {
+  deployment.secrets = let
-    "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
+    # When Grafana SSO is disabled there is not necessarily any client secret
-    "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
+    # available.  Avoid telling morph that there is one in this case (so it
-    "grafana-google-sso-secret".source = "${privateKeyPath}/grafana-google-sso.secret";
+    # avoids trying to read it and then failing).  Even if the secret did
-  };
+    # exist, if SSO is disabled there's no point sending the secret to the
+    # server.
+    #
+    # Also, we have to define this whole secret here so that we can configure
+    # it completely or not at all.  morph gets angry if we half configure it
+    # (say, by just omitting the "source" value).
+    grafanaSSO =
+      if googleOAuthClientID == ""
+      then { }
+      else {
+        "grafana-google-sso-secret" = {
+          source = "${privateKeyPath}/grafana-google-sso.secret";
+          destination = "/run/keys/grafana-google-sso.secret";
+          owner.user = "root";
+          owner.group = "root";
+          permissions = "0400";
+          action = ["sudo" "systemctl" "restart" "grafana.service"];
+        };
+      };
+    monitoringvpn = {
+      "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
+      "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
+    };
+    in
+      grafanaSSO // monitoringvpn;
  networking.domain = domain;
  networking.hosts = hostsMap;

--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -17,13 +17,6 @@ rec {
        permissions = "0400";
        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
      };
-      "grafana-google-sso-secret" = {
-        destination = "/run/keys/grafana-google-sso.secret";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "grafana.service"];
-      };
    };
  };