init xrt and fflm

2026-03-25 20:46:42 -05:00
parent 2013804b17
commit ab81e78b60
4 changed files with 404 additions and 28 deletions
--- a/modules/nixos/services/grafana/default.nix
+++ b/modules/nixos/services/grafana/default.nix
@@ -400,34 +400,30 @@ let
              # ntfy via the Grafana webhook contact point.  Grafana POSTs a JSON
              # body; ntfy accepts any body as the message text.  We use the
              # message template below to format it nicely.
-              # Basic auth credentials are read from the SOPS secret at runtime
-              # via Grafana's $__file{} provider.
-              contactPoints.settings = {
-                apiVersion = 1;
-                contactPoints = [
-                  {
-                    name = "ntfy";
-                    receivers = [
-                      {
-                        uid = "ntfy-webhook";
-                        type = "webhook";
-                        settings = {
-                          url = "https://ntfy.mjallen.dev/grafana-alerts";
-                          httpMethod = "POST";
-                          username = "$__file{${config.sops.secrets."jallen-nas/ntfy/user".path}}";
-                          password = "$__file{${config.sops.secrets."jallen-nas/ntfy/password".path}}";
-                          # Pass alert title and state as ntfy headers via the
-                          # custom message template (defined below).
-                          httpHeaders = {
-                            "Tags" = "chart,bell";
-                          };
-                        };
-                        disableResolveMessage = false;
-                      }
-                    ];
-                  }
-                ];
-              };
+              #
+              # Credentials are injected via Grafana's $__env{} provider, which
+              # reads from the process environment.  The GRAFANA_NTFY_USER and
+              # GRAFANA_NTFY_PASSWORD variables are set via the SOPS-managed
+              # grafana.env EnvironmentFile on the grafana.service unit.
+              #
+              # Note: $__file{} only works in grafana.ini settings, not in
+              # provisioning YAML files — using it here causes a parse error.
+              contactPoints.path = pkgs.writeTextDir "contactPoints.yaml" ''
+                apiVersion: 1
+                contactPoints:
+                  - name: ntfy
+                    receivers:
+                      - uid: ntfy-webhook
+                        type: webhook
+                        disableResolveMessage: false
+                        settings:
+                          url: https://ntfy.mjallen.dev/grafana-alerts
+                          httpMethod: POST
+                          username: $__env{GRAFANA_NTFY_USER}
+                          password: $__env{GRAFANA_NTFY_PASSWORD}
+                          httpHeaders:
+                            Tags: "chart,bell"
+              '';

              # ── Notification message template ───────────────────────────────────
              # Grafana sends the rendered template body as the POST body.
@@ -878,6 +874,11 @@ let
        };
      };

+      # Inject ntfy credentials into Grafana's environment so the $__env{}
+      # provider in contactPoints.yaml can resolve them at runtime.
+      # The grafana.env template is managed by SOPS and owned by grafana:grafana.
+      systemd.services.grafana.serviceConfig.EnvironmentFile = config.sops.templates."grafana.env".path;
+
      # The redis exporter needs AF_INET to reach TCP Redis instances.
      # The default systemd hardening only allows AF_UNIX.
      systemd.services.prometheus-redis-exporter.serviceConfig.RestrictAddressFamilies = [