From e0c6ba2bd3b0d04120f6388d229a44fc76d51802 Mon Sep 17 00:00:00 2001 From: Brooklyn Zelenka Date: Thu, 4 Jun 2026 18:46:15 -0700 Subject: [PATCH 1/2] Bup deps --- flake.lock | 16 ++++++++-------- flake.nix | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/flake.lock b/flake.lock index 6f23c9e..a2b9c6b 100644 --- a/flake.lock +++ b/flake.lock @@ -135,16 +135,16 @@ ] }, "locked": { - "lastModified": 1779506708, - "narHash": "sha256-QOD/CNm196nCJRheux/URi4/HE66fthdOMqCJoPP1Y0=", + "lastModified": 1780361225, + "narHash": "sha256-wnV9ttf4fPWNonBIQmvlrSlNpQYgx5HgWWd007mwIFA=", "owner": "nix-community", "repo": "home-manager", - "rev": "3ee51fbdac8c8bdfe1e7e1fcaba6520a563f394f", + "rev": "e28654b71096e08c019d4861ca26acb646f583d8", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-25.11", + "ref": "release-26.05", "repo": "home-manager", "type": "github" } @@ -181,16 +181,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1779796641, - "narHash": "sha256-ZsIrKmhp4vbBXoXXmR/tBXA/UCsAQiJL9vsgZEduhVY=", + "lastModified": 1780453794, + "narHash": "sha256-bXMRa9VTsHSPXL4Cw8R6JJLQeY3Y/IP4+YJCYVmQ7FY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "25f538306313eae3927264466c70d7001dcea1df", + "rev": "6b316287bae2ee04c9b93c8c858d930fd07d7338", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-25.11", + "ref": "nixos-26.05", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index 5375497..e88ea44 100644 --- a/flake.nix +++ b/flake.nix @@ -9,10 +9,10 @@ flake-utils.url = "github:numtide/flake-utils"; - home-manager.url = "github:nix-community/home-manager/release-25.11"; + home-manager.url = "github:nix-community/home-manager/release-26.05"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; - nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-26.05"; subduction.url = "github:inkandswitch/subduction"; subduction.inputs.nixpkgs.follows = "nixpkgs"; From 821636778c4740496b17541b840fa9d84b9cbf22 Mon Sep 17 00:00:00 2001 From: Brooklyn Zelenka Date: Thu, 4 Jun 2026 18:46:27 -0700 Subject: [PATCH 2/2] Update grafana confoh --- configuration.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/configuration.nix b/configuration.nix index 50eb7b5..934c838 100644 --- a/configuration.nix +++ b/configuration.nix @@ -321,6 +321,8 @@ http_port = 3939; }; + settings.security.secret_key = "$__file{/var/lib/grafana/secret_key}"; + provision.datasources.settings.datasources = [ { name = "Prometheus"; @@ -381,6 +383,20 @@ } ''; + systemd.services.grafana.serviceConfig.ExecStartPre = let + secretKey = "/var/lib/grafana/secret_key"; + script = pkgs.writeShellScript "ensure-grafana-secret-key" '' + if [ ! -f "${secretKey}" ]; then + ${pkgs.coreutils}/bin/install -d -m 0700 -o grafana -g grafana /var/lib/grafana + ${pkgs.coreutils}/bin/head -c 32 /dev/urandom \ + | ${pkgs.coreutils}/bin/base64 \ + > "${secretKey}" + ${pkgs.coreutils}/bin/chmod 0400 "${secretKey}" + ${pkgs.coreutils}/bin/chown grafana:grafana "${secretKey}" + fi + ''; + in "+${script}"; + systemd.services.subduction.serviceConfig = { # Generate the signing-key seed on first boot so the server can start # without manual intervention. The "+" prefix runs the script as