Unverified Commit b8893e2c authored by Maximilian Bosch's avatar Maximilian Bosch Committed by GitHub

nixos/grafana: update instructions on secret rotation (#497976)

parents a1a5d881 ec7dc46b
+7 −1
@@ -121,11 +121,17 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
- `services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with `services.oauth2-proxy.clientSecretFile` and `services.oauth2-proxy.cookie.secretFile` respectively. This was done to ensure secrets don't get made world-readable.

- [`services.grafana.settings.security.secret_key`](#opt-services.grafana.settings.security.secret_key) doesn't have a
  default value anymore. Please generate your own key or hard-code the old one explicitly.
  default value anymore. Please generate your own key or hard-code the old one ("SW2YcwTIb9zpOOhoPsMm") explicitly.
  See the [upstream docs](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#secret_key) and
  the [instructions on how to rotate](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-database-encryption/#re-encrypt-secrets)
  for further information.

  Please do note that there's no official way to rotate. On a single-node instance with the database and the secret-key being
  on the same filesystem with the same permissions for Grafana only to read it's most likely OK to keep using the old key.

  If you need to rotate, a [3rd-party tool, `grafana-secretkey-rotation-tool`](https://github.com/erooke/grafana-secretkey-rotation-tool/tree/d9dc788902fa5185e15cb15ce6129f7237ab6138) is a tested option.
  When using a secret for this value, make sure to use [Grafana's variable expansion to inject secrets](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion).

- Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.

- `services.cgit` before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `services.cgit.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).
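Review bot: the "Please do note that there's no official way to rotate ... most likely OK to keep using the old key" paragraph should say plainly that the old key is a formerly shipped default, now printed verbatim in these notes, and not a per-deployment secret, so the same-filesystem argument only holds while no copy of the database leaves the host; a backup, replica or dump taken with that key still in use can be decrypted by anyone who reads this changelog. Suggest adding one sentence after "for Grafana only to read it's most likely OK to keep using the old key", along the lines of: "Keep in mind that the old key is public, so any copy of the database (backups included) exposes the secrets encrypted with it." Pinning the third-party tool link to a commit rather than a branch is good; keep that.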
+5 −0
@@ -2070,6 +2070,11 @@ in
          for more information.

          See https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-database-encryption/#re-encrypt-secrets on how to re-encrypt.

          As stated in the NixOS changelog for 26.05, there's no official way to rotate.
          Either hard-code the old key ("SW2YcwTIb9zpOOhoPsMm") if your setup doesn't have any secrets in the DB that need
          special protection or perform a rotation with a 3rd-party tool
          (https://github.com/erooke/grafana-secretkey-rotation-tool/tree/d9dc788902fa5185e15cb15ce6129f7237ab6138).
        '';
      }
    ];
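Review bot: "See ... #re-encrypt-secrets on how to re-encrypt." followed directly by "there's no official way to rotate" reads as a contradiction to someone reading the option description; state in one clause what the linked page does cover versus the key change it does not, so the reader knows why a third-party tool is needed. Also, "As stated in the NixOS changelog for 26.05" ties a long-lived option description to one release's notes and will go stale; state the guidance directly ("There is no official way to rotate the key. Either ...") and drop the cross-reference.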