54 lines
1.7 KiB
Nix
54 lines
1.7 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
{
|
|
services.grafana = {
|
|
enable = true;
|
|
analytics.reporting.enable = false;
|
|
protocol = "socket";
|
|
rootUrl = "https://stats.besaid.de/";
|
|
auth.anonymous.enable = false;
|
|
security = {
|
|
adminUser = "dfrank";
|
|
adminPasswordFile = "/var/lib/grafana/admin.pw";
|
|
secretKeyFile = "/var/lib/grafana/security.key";
|
|
};
|
|
};
|
|
systemd.services.grafana.serviceConfig = {
|
|
# upstream module already defines most hardening options
|
|
IPAddressDeny = "any";
|
|
IPAddressAllow = "localhost";
|
|
MemoryDenyWriteExecute = true;
|
|
PrivateUsers = true;
|
|
ExecStartPost = [
|
|
(pkgs.writeScript "grafana-socket-perms" ''
|
|
#!${pkgs.stdenv.shell}
|
|
until chmod -c 666 /run/grafana/grafana.sock ; do sleep 1; done
|
|
'')
|
|
];
|
|
};
|
|
systemd.services.grafana-init = {
|
|
description = "Grafana Service Daemon - initialize files";
|
|
wantedBy = [ "grafana.service" ];
|
|
before = [ "grafana.service" ];
|
|
serviceConfig.Type = "oneshot";
|
|
script = ''
|
|
#!${pkgs.stdenv.shell}
|
|
set -euo pipefail
|
|
# Make sure everything but the password ends up on stderr
|
|
exec 3>&1 >&2
|
|
mkdir -p /var/lib/grafana
|
|
if [ ! -s /var/lib/grafana/admin.pw ]; then
|
|
( tr -dc _A-Z-a-z-0-9 </dev/urandom || : ) | head -c32 > /var/lib/grafana/admin.pw
|
|
chmod 400 /var/lib/grafana/admin.pw
|
|
chown grafana:grafana /var/lib/grafana/admin.pw
|
|
fi
|
|
if [ ! -s /var/lib/grafana/security.key ]; then
|
|
( tr -dc _A-Z-a-z-0-9 </dev/urandom || : ) | head -c32 > /var/lib/grafana/security.key
|
|
chmod 400 /var/lib/grafana/security.key
|
|
chown grafana:grafana /var/lib/grafana/security.key
|
|
fi
|
|
'';
|
|
|
|
};
|
|
}
|