stats-nixos-config/grafana.nix
2022-01-23 21:20:42 +01:00

54 lines
1.7 KiB
Nix

{ config, lib, pkgs, ... }:
{
services.grafana = {
enable = true;
analytics.reporting.enable = false;
protocol = "socket";
rootUrl = "https://stats.besaid.de/";
auth.anonymous.enable = false;
security = {
adminUser = "dfrank";
adminPasswordFile = "/var/lib/grafana/admin.pw";
secretKeyFile = "/var/lib/grafana/security.key";
};
};
systemd.services.grafana.serviceConfig = {
# upstream module already defines most hardening options
IPAddressDeny = "any";
IPAddressAllow = "localhost";
MemoryDenyWriteExecute = true;
PrivateUsers = true;
ExecStartPost = [
(pkgs.writeScript "grafana-socket-perms" ''
#!${pkgs.stdenv.shell}
until chmod -c 666 /run/grafana/grafana.sock ; do sleep 1; done
'')
];
};
systemd.services.grafana-init = {
description = "Grafana Service Daemon - initialize files";
wantedBy = [ "grafana.service" ];
before = [ "grafana.service" ];
serviceConfig.Type = "oneshot";
script = ''
#!${pkgs.stdenv.shell}
set -euo pipefail
# Make sure everything but the password ends up on stderr
exec 3>&1 >&2
mkdir -p /var/lib/grafana
if [ ! -s /var/lib/grafana/admin.pw ]; then
( tr -dc _A-Z-a-z-0-9 </dev/urandom || : ) | head -c32 > /var/lib/grafana/admin.pw
chmod 400 /var/lib/grafana/admin.pw
chown grafana:grafana /var/lib/grafana/admin.pw
fi
if [ ! -s /var/lib/grafana/security.key ]; then
( tr -dc _A-Z-a-z-0-9 </dev/urandom || : ) | head -c32 > /var/lib/grafana/security.key
chmod 400 /var/lib/grafana/security.key
chown grafana:grafana /var/lib/grafana/security.key
fi
'';
};
}