Merge pull request #197940 from KFearsoff/fix-grafana-secrets-warnings

This commit is contained in:
Bernardo Meurer 2022-10-26 19:53:42 +02:00 committed by GitHub
commit 173b5614a5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -852,7 +852,7 @@ in {
}; };
contactPoints = mkOption { contactPoints = mkOption {
description = lib.mdDoc "List of contact points to import or update."; description = lib.mdDoc "List of contact points to import or update. Please note that sensitive data will end up in world-readable Nix store.";
default = []; default = [];
type = types.listOf (types.submodule { type = types.listOf (types.submodule {
freeformType = provisioningSettingsFormat.type; freeformType = provisioningSettingsFormat.type;
@ -1158,17 +1158,23 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
warnings = flatten [ warnings = let
usesFileProvider = opt: defaultValue: builtins.match "^${defaultValue}$|^\\$__file\\{.*}$" opt != null;
in flatten [
(optional ( (optional (
cfg.settings.database.password != "" || ! usesFileProvider cfg.settings.database.password "" ||
cfg.settings.security.admin_password != "admin" ! usesFileProvider cfg.settings.security.admin_password "admin"
) "Grafana passwords will be stored as plaintext in the Nix store! Use file provider instead.") ) "Grafana passwords will be stored as plaintext in the Nix store! Use file provider instead.")
(optional ( (optional (
let let
checkOpts = opt: any (x: x.password != null || x.basicAuthPassword != null || x.secureJsonData != null) opt; checkOpts = opt: any (x: x.password != null || x.basicAuthPassword != null || x.secureJsonData != null) opt;
datasourcesUsed = if (cfg.provision.datasources.settings == null) then [] else cfg.provision.datasources.settings.datasources; datasourcesUsed = if (cfg.provision.datasources.settings == null) then [] else cfg.provision.datasources.settings.datasources;
in if (builtins.isList cfg.provision.datasources) then checkOpts cfg.provision.datasources else checkOpts datasourcesUsed in if (builtins.isList cfg.provision.datasources) then checkOpts cfg.provision.datasources else checkOpts datasourcesUsed
) "Datasource passwords will be stored as plaintext in the Nix store! Use file provider instead.") ) ''
Datasource passwords will be stored as plaintext in the Nix store!
It is not possible to use file provider in provisioning; please provision
datasources via `services.grafana.provision.datasources.path` instead.
'')
(optional ( (optional (
any (x: x.secure_settings != null) cfg.provision.notifiers any (x: x.secure_settings != null) cfg.provision.notifiers
) "Notifier secure settings will be stored as plaintext in the Nix store! Use file provider instead.") ) "Notifier secure settings will be stored as plaintext in the Nix store! Use file provider instead.")
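Review bot: The new `usesFileProvider` helper (second hunk, `usesFileProvider = opt: defaultValue: builtins.match "^${defaultValue}$|^\\$__file\\{.*}$" opt != null;`) splices `defaultValue` into the regex unescaped; it is harmless for the two callers here (`""` and `"admin"`), but any future default containing regex metacharacters would silently change what the check matches, so `"^${lib.escapeRegex defaultValue}$|^\\$__file\\{.*}$"` is safer for the same behavior. The helper also only recognizes Grafana's `$__file{...}` expansion, so a value using the other documented providers (`$__env{...}`, `$__vault{...}`), which equally keep the secret out of the store, would still raise the plaintext warning; if that is intentional, a short comment on the `let` line saying the check deliberately accepts only the file provider would spare the next reader the question. The name is also slightly misleading, since the function returns true for the untouched default as well; `isDefaultOrFileProvider` would read more honestly. If either option can legitimately be `null` rather than a string, `builtins.match` will throw instead of warning; I cannot see the option types in this hunk, so this is worth confirming.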