fix monitoring profile for age

input-output-hk · Sep 28, 2021 · 1bef416 · 1bef416
1 parent 4d4adf8
commit 1bef416
Showing 1 changed file with 4 additions and 21 deletions.
diff --git a/profiles/monitoring.nix b/profiles/monitoring.nix
@@ -11,6 +11,9 @@ in {
     ./telegraf.nix
   ];
 
+  age.secrets.grafana-password.file = config.age.encryptedRoot
+    + "/grafana/password.age";
+
   services = {
     vault.enable = lib.mkForce false;
     consul.ui = true;
@@ -67,7 +70,7 @@ in {
         }];
       };
 
-      security = { adminPasswordFile = /var/lib/grafana/password; };
+      security.adminPasswordFile = config.age.secrets.grafana-password.path;
     };
 
     prometheus = {
@@ -87,24 +90,4 @@ in {
       };
     };
   };
-
-  secrets.generate.grafana-password = ''
-    export PATH="${lib.makeBinPath (with pkgs; [ coreutils sops xkcdpass ])}"
-
-    if [ ! -s encrypted/grafana-password.json ]; then
-      xkcdpass \
-      | sops --encrypt --kms '${kms}' /dev/stdin \
-      > encrypted/grafana-password.json
-    fi
-  '';
-
-  secrets.install.grafana-password.script = ''
-    export PATH="${lib.makeBinPath (with pkgs; [ sops coreutils ])}"
-
-    mkdir -p /var/lib/grafana
-
-    cat ${config.secrets.encryptedRoot + "/grafana-password.json"} \
-      | sops -d /dev/stdin \
-      > /var/lib/grafana/password
-  '';
 }