Enable jungle robot emails for Grafana in tent

Reviewed-by: Aleix Boné <abonerib@bsc.es> Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
2025-06-12 13:25:43 +02:00 · 2025-06-12 13:25:43 +02:00 · e4c22e91b2
commit e4c22e91b2
parent 27d4f4f272
3 changed files with 17 additions and 1 deletions
--- a/m/tent/monitoring.nix
+++ b/m/tent/monitoring.nix
@ -6,6 +6,12 @@
    ../module/upc-qaire-exporter.nix
  ];

+  age.secrets.grafanaJungleRobotPassword = {
+    file = ../../secrets/jungle-robot-password.age;
+    owner = "grafana";
+    mode = "400";
+  };
+
  services.grafana = {
    enable = true;
    settings = {
@ -16,6 +22,16 @@
        http_port = 2342;
        http_addr = "127.0.0.1";
      };
+      smtp = {
+        enabled = true;
+        from_address = "jungle-robot@bsc.es";
+        user = "jungle-robot";
+        # Read the password from a file, which is only readable by grafana user
+        # https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
+        password = "$__file{${config.age.secrets.grafanaJungleRobotPassword.path}}";
+        host = "mail.bsc.es:465";
+        startTLS_policy = "NoStartTLS";
+      };
      feature_toggles.publicDashboards = true;
      "auth.anonymous".enabled = true;
      log.level = "warn";
--- a/secrets/jungle-robot-password.age
+++ b/secrets/jungle-robot-password.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -12,7 +12,7 @@ in
  "gitlab-runner-shell-token.age".publicKeys = hut;
  "gitlab-bsc-docker-token.age".publicKeys = hut;
  "nix-serve.age".publicKeys = mon;
-  "jungle-robot-password.age".publicKeys = hut;
+  "jungle-robot-password.age".publicKeys = mon;
  "ipmi.yml.age".publicKeys = mon;

  "ceph-user.age".publicKeys = safe;