hmm

modules/nixos/services/grafana/default.nix

@@ -890,7 +890,24 @@ let
         restartUnits = [ "grafana.service" ];
       };
 
-      systemd.services.grafana.serviceConfig.EnvironmentFile = config.sops.templates."grafana.env".path;
+      systemd.services.grafana.serviceConfig = {
+        EnvironmentFile = config.sops.templates."grafana.env".path;
+        # Grafana downloads plugins at runtime and occasionally creates subdirectories
+        # with overly restrictive permissions (e.g. 0700 for locales/*), which causes
+        # the next startup to fail with "permission denied" during plugin discovery.
+        # Fix any such directories before Grafana starts.
+        ExecStartPre = [
+          (
+            "+"
+            + pkgs.writeShellScript "grafana-fix-plugin-perms" ''
+              pluginDir="${cfg.configDir}/grafana/plugins"
+              if [ -d "$pluginDir" ]; then
+                ${pkgs.coreutils}/bin/chmod -R a+rX "$pluginDir"
+              fi
+            ''
+          )
+        ];
+      };
 
       # The redis exporter needs AF_INET to reach TCP Redis instances.
       # The default systemd hardening only allows AF_UNIX.