ildkule: switch grafana db from sqlite to postgres

hosts/ildkule/services/metrics/grafana.nix

@@ -1,15 +1,41 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }: let
-
-let
   cfg = config.services.grafana;
 in {
+  sops.secrets = let
+    owner = "grafana";
+    group = "grafana";
+  in {
+    "keys/grafana/secret_key" = { inherit owner group; };
+    "keys/grafana/admin_password" = { inherit owner group; };
+    "keys/postgres/grafana" = { inherit owner group; };
+  };
+
   services.grafana = {
     enable = true;
-    settings.server = {
+
+    settings = let
+      # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
+      secretFile = path: "$__file{${path}}";
+    in {
+      server = {
         domain = "ildkule.pvv.ntnu.no";
         http_port = 2342;
         http_addr = "127.0.0.1";
       };
+
+      security = {
+        secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
+        admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
+      };
+
+      database = {
+        type = "postgres";
+        user = "grafana";
+        host = "${values.hosts.bicep.ipv4}:5432";
+        password = secretFile config.sops.secrets."keys/postgres/grafana".path;
+      };
+    };
+
     provision = {
       enable = true;
       datasources.settings.datasources = [

secrets/ildkule/ildkule.yaml

@@ -9,7 +9,11 @@
 #ENC[AES256_GCM,data:pHSDnojWTLYXIKk=,iv:ph2xCpxbP3OiWm+B/MDboykPa2gtCWpP0b3j96YCDh4=,tag:u5hmvxHaa/m8GaSeYvONmg==,type:comment]
 #ENC[AES256_GCM,data:Q0fCyyP0DJqUyJPo,iv:qwBE3c2VqF52Yq8POXhy2Qv2xJd82wL1aX4eVY6wL1w=,tag:IwmbD7XqIkemOTODBKpS0g==,type:comment]
 keys:
+    grafana:
+        secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
+        admin_password: ENC[AES256_GCM,data:ttKwfC4WuXeL/6x4,iv:x1X+e3z08CR992GzC62YnFIN7SGrE81/nDNrgcgVzx0=,tag:YajUoy61kYbpeGeC7yNrXQ==,type:str]
     postgres:
+        grafana: ENC[AES256_GCM,data:D6qkg98WZYzKYegSNBb31v8o+KHisGmJ+ab5Ut7EMtsJz36kUup5RS4EbtM=,iv:rfE1uH1QycKMTpSq2p1ntQ2BIvptAh2J3l/QcQhiuLo=,tag:QxmGFcekjFRPf6orN86IxQ==,type:str]
         postgres_exporter_env: ENC[AES256_GCM,data:8MEoikoA6tFNm9qZbk0DFWANd7nRs5QSqrsGLoLKPIc1xykJaXTlyP5v8ywVGR8j7bfPs4p6QfpUIWK8CCnfQ1QhsFPXUMksl8p+K+xuMakYZr9OoWigGqvOHpFb9blfBN1FBdRrk38REXWAMUn74KSRI9v+0i5lpC4=,iv:anpjWVUadKfSAm9XbkeAKu+jAk+LxcpVYQ+gUe5szYw=,tag:4tzb/8B/e1uVoqTsQGlcKA==,type:str]
 sops:
     kms: []
@@ -44,8 +48,8 @@ sops:
             a2hQVVprakt5NURpNXdQUjREczJKWTgKn60yrLqco9brlqigAolO8rEkww9z3y3u
             KmefLVZCGfoko+fnKLVE9UKFS/tAowqgPS1qE76u1Mmkk6yqZoG9rg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-21T23:46:53Z"
+    lastmodified: "2023-01-22T01:11:03Z"
-    mac: ENC[AES256_GCM,data:CNmF0R8LLQbemjk7YnavmQsDFD1XYNQzXmPMtOdwj9dAB4uRJS0/eEBF59u007ObSK8hfk+Qw3wpnJmNLj0MBo7lmwmnsVb7RC9DlB53UFFcKisb8s+kASBmJQqmVoHk97IZNWlMYmxxfwrCOe3dvzfWupYuuLpgZM7nGlJhz6E=,iv:IP7l48mtgcVdQRJcYDVi1Vd6MhSgeWYQyu/rm+TJWFo=,tag:r5yR2rB0ZuC8yUCPw1+OCg==,type:str]
+    mac: ENC[AES256_GCM,data:qR9M3jAIEsT/65yl6p12BQTHVvAu+oD2ufp7BSLk421mZYfQsKYFh//OZIe5wUE7XDDzhme/oIZGIQX8txaUuDDvFGQO8pQ/Oe19j7MoRG6o/UOTD9nlxcOf/oGekex2vkg5MUgfB1rotSp9Yq6fspVciKQKEawxPCHejqKQRNk=,iv:BkCoXNVAD6joueXkyWApeeZmYj2yopGGG+qK494Ah24=,tag:ax0AUfZdCA3saCYWLsYNrA==,type:str]
     pgp:
         - created_at: "2023-01-21T19:52:08Z"
           enc: |

values.nix

@@ -25,5 +25,9 @@ in rec {
       ipv4 = pvv-ipv4 187;
       ipv6 = pvv-ipv6 "1:187";
     };
+    bicep = {
+      ipv4 = pvv-ipv4 209;
+      ipv6 = pvv-ipv6 209;
+    };
   };
 }