diff --git a/modules/grafana/default.nix b/modules/grafana/default.nix
index 624caf3..1080a1d 100644
--- a/modules/grafana/default.nix
+++ b/modules/grafana/default.nix
@@ -15,7 +15,6 @@
 file = "${flake.self}/secrets/grafana-smtp-password.age";
 mode = "440";
 owner = "grafana";
- group = "prometheus";
 };
 age.secrets.grafana-keycloak-client-secret = {
 file = "${flake.self}/secrets/grafana-keycloak-client-secret.age";
diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix
index b1f8fdd..f77081a 100644
--- a/modules/prometheus/default.nix
+++ b/modules/prometheus/default.nix
@@ -11,6 +11,11 @@
 mode = "600";
 owner = "prometheus";
 };
+ age.secrets.alertmanager-envfile = {
+ file = "${flake.self}/secrets/alertmanager-envfile.age";
+ mode = "600";
+ owner = "alertmanager";
+ };
 services.caddy.virtualHosts."alerts.${config.pub-solar-os.networking.domain}" = {
 logFormat = lib.mkForce ''
@@ -104,7 +109,7 @@
 enable = true;
 # port = 9093; # Default
 webExternalUrl = "https://alerts.pub.solar";
- # environmentFile = "${config.age.secrets.nachtigall-alertmanager-envfile.path}";
+ environmentFile = "${config.age.secrets.alertmanager-envfile.path}";
 configuration = {
 route = {
@@ -126,8 +131,8 @@
 from = "alerts@pub.solar";
 smarthost = "mail.greenbaum.zone:465";
 auth_username = "admins@pub.solar";
- auth_password_file = "${config.age.secrets.grafana-smtp-password.path}";
- require_tls = true;
+ auth_password = "$SMTP_AUTH_PASSWORD";
+ require_tls = false;
 }
 ];
 # TODO:
diff --git a/secrets/alertmanager-envfile.age b/secrets/alertmanager-envfile.age
new file mode 100644
index 0000000..17191dc
--- /dev/null
+++ b/secrets/alertmanager-envfile.age
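Review bot: `owner = "alertmanager";` on the new `age.secrets.alertmanager-envfile` assumes a static `alertmanager` account exists when the secret is installed, and nothing visible in this diff creates one. As far as I know the nixpkgs Alertmanager unit runs with a dynamic user, in which case the ownership change may fail at activation or leave the file owned by an unrelated uid; this needs checking against the deployed unit. The secret is only consumed through `environmentFile` in the later hunk, which systemd reads itself before dropping privileges, so the service account should not need read access at all. I would drop the `owner` line and use `mode = "400";`, keeping the file root-only.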
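Review bot: `require_tls = false;` in the email receiver reads as a transport-security downgrade and carries no comment saying why it is safe. The smarthost is `mail.greenbaum.zone:465`, and to my knowledge Alertmanager uses implicit TLS on port 465 while `require_tls` only governs STARTTLS, so the setting is probably required here; but if the smarthost is later moved to 587 this line would let the SMTP credentials go out without enforced encryption. I would add `# port 465 is implicit TLS; require_tls only controls STARTTLS - set back to true if the smarthost moves to 587` above it. Separately, `auth_password = "$SMTP_AUTH_PASSWORD";` depends on the service substituting the environment file into the rendered configuration, which presumably leaves the plaintext password in that generated file, so its location and permissions are worth confirming. The receiver block starts and ends outside the hunk.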
@@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 Y0ZZaw TsTaRLA+9WtN9+FJWpXeP12Af5EXMbo+ANTaLC9YlC8 +Yols084RY1C9gfOrDMwJcFRuGZ/5dgGuJey7RXqm7g0 +-> ssh-ed25519 uYcDNw ZLAINtv10PGMtK5TL5Tf0NyK/r1iww+vTC09ElMGoX0 +EgBB3aiHHdaDue9+Zdxg6mTV2VHeLoDN9wT+hlAzVMk +-> ssh-rsa f5THog +aiJqMs3/u06tzs8lx2ISlQm87TDatqEn47v3LB3HehPanRpZx9O1HUIRTeiWkMU9 +XroGe27HQCCPd63QunBHUH7WStA10IS4rHVpMcULB5IM4jwcbOhSYSiGyY2sbv8+ +Nn/04ZOwrfzTabC7moV1DqAw6hnlDqKWp/q5N6xMb780w5vn6Poni3OJfuLaBWaT +r6WhE5evVt3F4jyYI64fB2hFw4AR2N/zIMOMvBncLFwJf9lbIFdbsENZf94cYceF +Tj150xdMPuErBsSJQOlfDYSmyioNN3UJUWiYsDeM3nbPEVPHhfTk6b2/lMhSQkcY +KcuMj/mN/7w7i4HSxW6mUcK2sUMV1BcSSGYRH9ZFf7kq++KpyiP7vB8vaZkcKbfJ +qqrIcXTuXhR+/bWZWqf/GQOVwRwe1TnqN5MoZHipg3a/UCe0gMM617VwZcfhBzjA +eW6VUdjSewwA8YHEuDrAeoQ4CMs7y56EaIlr2IlQy6uzJPX9eeO0auO9RZ5AR40a +7un0FrlTJX9uorpCD/zi3tvd22W5qVoMGZ8vXJShZmT9he9K3Bv6XbzG4DJQ9/nv +xZ676HUYhWeyYZFBvt6DnEBneiDJFeaV2AeuQY+juHBOfBrbYmlE0S4Pd8uRSJ7w +u5UJTT+RV5TkZhpCqqYm7DphYocnrv7Ic+QKmvKE4ls +-> ssh-rsa kFDS0A +HhilpvIiUps80SXYUXg5vqNmcy8SACvxpC5dTVBU2n+4OVXQY/35Il5ZOrUX3U7a +arfVp/KaQF7Oncu3x8F6Tp1ibUwmoyAV6OYqqs128nEPwkNbJvwrLY3aEBm+NIzm +gMlLRjj6EP84TVWgOsenQCS4l957f0QoNVxQ3f+GWdOiZZJFsv//ndsflng8zPlF +bGZy8c1TxDZfOD0/kW3Nx05c9X0EHKOEoDUc0p4qntrWlflxcvLONCgv1gZuPMF+ +jMsPFP81eu3rkEUxefJ1qbvvGuW0cbzfwiStv7iGQ+Skh/vcoM0qw6p+csNKyHVO +8nYFcs9kD8067zMnyuqiUHASfZ4rPqTji0iiPC5kZn6N0YSgz2bybkXcoqmy3m6y +qs0S+RD99o2vCLhW46hZyKAgUyTU1DW42EmnZkPrLoqV7uin8fAwPO/98Q/b3Rkr +zBRtyTEbooHvOCL8limiRtDl+5LMcjRFNWk8AN+9vHMsYurXPNOCnd8n2Z4MbT2U +AhpoAD/+8HXp0InBJ/sclITVAc6tPb2CbJW6mrFezH8Ri+/6u+zSF84JDd9ZrCOz +oIshiGZmhP5mIuspVrxgKlm78a56vQrygpqzvuSSYk3zIJxmhEkZhw09/ga+rhyB +pkKn7GRyZTfKjwt5nnvW5/bmQndTa13j+7RhkRgBSvU +-> piv-p256 vRzPNw Awpc8paUfKnP6r0bYsaoeDE9GVSnads4/a3jCVScgS4V +YydKOS09kyZDYN843SHIsYUimtSQKvGhIuycPWOFojc +-> piv-p256 zqq/iw A54xbcufPkLpTD+N47AiIe/xZ/0vA5kDJ4p3rIZw0a4A +1WFP2K3tfUxtdKDBEmT3cx/u1i5nCzFR7cK4kN3WjC4 +-> ssh-ed25519 YFSOsg L0lPSkoPVRKGlJ9MzkJx+cQvnZw/5m/j/JO4aRzd52Q 
+o/N7zQkvbGGoadiJSvL6lfuP63uqzxEIxDtIg4tgKIo +-> ssh-ed25519 iHV63A qfLWZhbDisCSJ4vFFTR+XpRUR0WViuAqarf56M0ekT4 +ZSWW34pFRr0M2jFhnphIPJ5ch37ASM6OgTzyHSo0KAs +-> ssh-ed25519 BVsyTA JcFezSIfTF+AP8LYfFqz+wIpUrE0aoc1usiLtWxAPQE +F9uhFyCPK46kIy+ud4V5/ESacQgc9R0JV+JTEZO6nBI +-> ssh-ed25519 +3V2lQ G4yT1e7B5O2Gy6tusRMxuWOFScynWfFY5AjrJvxMK1o +n1OVFRqzijWlc+B93cBNdFPz+8CBYOsI5hpF1wz7xr0 +--- 61u55uUc7z59iHF1IeyBLmcR6u7STUhpOPb/ODf75Vc +<$kxp H:}*/T$bJ \F*Wz6 <̹>e?񼐟6ڵ~! \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 94a3b11..36202b5 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -60,6 +60,7 @@ in "grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ adminKeys; "grafana-smtp-password.age".publicKeys = flora6Keys ++ adminKeys; + "alertmanager-envfile.age".publicKeys = flora6Keys ++ adminKeys; "nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys; "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ adminKeys;