From e7eb4f7ca47ec7dd69f497591ad94f3b23282618 Mon Sep 17 00:00:00 2001
From: Tom Prince <tom.prince@private.storage>
Date: Fri, 1 Oct 2021 18:47:21 -0600
Subject: [PATCH] Use `$__file{}` for grafana's slack URL secret.

---
 DEPLOYMENT-NOTES.rst                            | 2 ++
 morph/grid/local/private-keys/grafana-slack-url | 2 +-
 nixos/modules/monitoring/server/grafana.nix     | 8 +-------
 3 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/DEPLOYMENT-NOTES.rst b/DEPLOYMENT-NOTES.rst
index 0a7ea52e..e48a8b52 100644
--- a/DEPLOYMENT-NOTES.rst
+++ b/DEPLOYMENT-NOTES.rst
@@ -1,6 +1,8 @@
 Deployment notes
 ================
 
+- 2021-10-XX The secret in ``private-keys/grafana-slack-url`` needs to be changed to remove the ``SLACKURL=`` prefix.
+
 - 2021-09-30 `Enable alerting <https://whetstone.privatestorage.io/privatestorage/PrivateStorageio/-/merge_requests/185>`_ needs a secret in ``private-keys/grafana-slack-url`` looking like the template in ``morph/grid/local/private-keys/grafana-slack-url`` and pointing to the secret API endpoint URL saved in `this 1Password entry <https://privatestorage.1password.com/vaults/7flqasy5hhhmlbtp5qozd3j4ga/allitems/cgznskz2oix2tyx5xyntwaos5i>`_ (or create a new secret URL at https://www.slack.com/apps/A0F7XDUAZ).
 
 - 2021-09-07 `Manage access to payment metrics <https://whetstone.privatestorage.io/privatestorage/PrivateStorageio/-/merge_requests/146>`_ requires moving and chown'ing the PaymentServer database on the ``payments`` host::
diff --git a/morph/grid/local/private-keys/grafana-slack-url b/morph/grid/local/private-keys/grafana-slack-url
index cb7dd1ae..0885b7bf 100644
--- a/morph/grid/local/private-keys/grafana-slack-url
+++ b/morph/grid/local/private-keys/grafana-slack-url
@@ -1,2 +1,2 @@
-SLACKURL=https://hooks.slack.com/services/x/y/z
+https://hooks.slack.com/services/x/y/z
 
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index 1783782c..a53718a2 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -86,12 +86,6 @@ in {
     # Port 80 for ACME ssl retrieval only. 443 for nginx -> grafana.
     networking.firewall.allowedTCPPorts = [ 80 443 ];
 
-    # We pass the secret Slack URL using an environment variable.
-    systemd.services.grafana.serviceConfig.EnvironmentFile =
-      if cfg.enableSlackAlert
-      then [ cfg.grafanaSlackUrlFile ]
-      else [ ];
-
     services.grafana = {
       enable = true;
       domain = cfg.domain;
@@ -157,7 +151,7 @@ in {
             uploadImage = true;
           };
           secure_settings = {
-            url = "$SLACKURL";
+            url = "$__file{${toString cfg.grafanaSlackUrlFile}}";
           };
         }]);
       };
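Review bot: With `$__file{}` the secret is opened by the Grafana process itself, whereas the `EnvironmentFile` removed in the first grafana.nix hunk was read by systemd before the service started. The file at `cfg.grafanaSlackUrlFile` must therefore be readable by the account Grafana runs as, and by nothing broader. The key's deployed owner and mode are not visible in this patch, so confirm them and consider adding that requirement to the DEPLOYMENT-NOTES entry. On the `url = "$__file{...}"` line the `toString` matters: if the option is path-typed, plain interpolation would copy the secret into the world-readable Nix store, so add a comment such as `# toString: reference the key file in place; never interpolate the path directly (that copies the secret into /nix/store)`. The removed code only referenced the secret when `cfg.enableSlackAlert` was set; the enclosing notifier block starts outside this hunk, so check that it is still gated the same way, otherwise a host without the key file would presumably hit an error when Grafana expands the provisioning config.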
-- 
GitLab