···
grafanaTypes.datasourceConfig = types.submodule {
freeformType = provisioningSettingsFormat.type;
76
+
(mkRemovedOptionModule [ "password" ] ''
77
+
`services.grafana.provision.datasources.settings.datasources.<name>.password` has been removed
78
+
in Grafana 9. Use `secureJsonData` instead.
80
+
(mkRemovedOptionModule [ "basicAuthPassword" ] ''
81
+
`services.grafana.provision.datasources.settings.datasources.<name>.basicAuthPassword` has been removed
82
+
in Grafana 9. Use `secureJsonData` instead.
···
description = lib.mdDoc "Allow users to edit datasources from the UI.";
104
-
password = mkOption {
105
-
type = types.nullOr types.str;
107
-
description = lib.mdDoc ''
108
-
Database password, if used. Please note that the contents of this option
109
-
will end up in a world-readable Nix store. Use the file provider
110
-
pointing at a reasonably secured file in the local filesystem
111
-
to work around that. Look at the documentation for details:
112
-
<https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider>
115
-
basicAuthPassword = mkOption {
116
-
type = types.nullOr types.str;
118
-
description = lib.mdDoc ''
119
-
Basic auth password. Please note that the contents of this option
120
-
will end up in a world-readable Nix store. Use the file provider
121
-
pointing at a reasonably secured file in the local filesystem
122
-
to work around that. Look at the documentation for details:
123
-
<https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider>
secureJsonData = mkOption {
type = types.nullOr types.attrs;
···
description = lib.mdDoc "List of datasources to insert/update.";
type = types.listOf grafanaTypes.datasourceConfig;
592
+
apply = map (flip builtins.removeAttrs [ "password" "basicAuthPassword" ]);
deleteDatasources = mkOption {
···
contactPoints = mkOption {
861
-
description = lib.mdDoc "List of contact points to import or update. Please note that sensitive data will end up in world-readable Nix store.";
851
+
description = lib.mdDoc "List of contact points to import or update.";
type = types.listOf (types.submodule {
freeformType = provisioningSettingsFormat.type;
···
config = mkIf cfg.enable {
1168
-
usesFileProvider = opt: defaultValue: builtins.match "^${defaultValue}$|^\\$__file\\{.*}$" opt != null;
1158
+
doesntUseFileProvider = opt: defaultValue:
1160
+
regex = "${optionalString (defaultValue != null) "^${defaultValue}$|"}^\\$__(file|env)\\{.*}$|^\\$[^_\\$][^ ]+$";
1161
+
in builtins.match regex opt == null;
1163
+
# Ensure that no custom credentials are leaked into the Nix store. Unless the default value
1164
+
# is specified, this can be achieved by using the file/env provider:
1165
+
# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
1171
-
! usesFileProvider cfg.settings.database.password "" ||
1172
-
! usesFileProvider cfg.settings.security.admin_password "admin"
1173
-
) "Grafana passwords will be stored as plaintext in the Nix store! Use file provider instead.")
1167
+
doesntUseFileProvider cfg.settings.database.password "" ||
1168
+
doesntUseFileProvider cfg.settings.security.admin_password "admin"
1170
+
Grafana passwords will be stored as plaintext in the Nix store!
1171
+
Use file/env provider or an env-var instead.
1173
+
# Warn about deprecated notifiers.
1174
+
++ (optional (cfg.provision.notifiers != []) ''
1175
+
Notifiers are deprecated upstream and will be removed in Grafana 10.
1176
+
Use `services.grafana.provision.alerting.contactPoints` instead.
1178
+
# Ensure that `secureJsonData` of datasources provisioned via `datasources.settings`
1179
+
# only uses file/env providers.
1176
-
checkOpts = opt: any (x: x.password != null || x.basicAuthPassword != null || x.secureJsonData != null) opt;
1177
-
datasourcesUsed = optionals (cfg.provision.datasources.settings != null) cfg.provision.datasources.settings.datasources;
1178
-
in checkOpts datasourcesUsed
1180
-
Datasource passwords will be stored as plaintext in the Nix store!
1181
-
It is not possible to use file provider in provisioning; please provision
1182
-
datasources via `services.grafana.provision.datasources.path` instead.
1182
+
datasourcesToCheck = optionals
1183
+
(cfg.provision.datasources.settings != null)
1184
+
cfg.provision.datasources.settings.datasources;
1185
+
declarationUnsafe = { secureJsonData, ... }:
1186
+
secureJsonData != null
1187
+
&& any (flip doesntUseFileProvider null) (attrValues secureJsonData);
1188
+
in any declarationUnsafe datasourcesToCheck
1190
+
Declarations in the `secureJsonData`-block of a datasource will be leaked to the
1191
+
Nix store unless a file/env-provider or an env-var is used!
any (x: x.secure_settings != null) cfg.provision.notifiers
1186
-
) "Notifier secure settings will be stored as plaintext in the Nix store! Use file provider instead.")
1188
-
cfg.provision.notifiers != []
1190
-
Notifiers are deprecated upstream and will be removed in Grafana 10.
1191
-
Use `services.grafana.provision.alerting.contactPoints` instead.
1195
+
) "Notifier secure settings will be stored as plaintext in the Nix store! Use file provider instead.");
environment.systemPackages = [ cfg.package ];
pyrox.dev