nixos/grafana: Drop hardcoded default secret

This reflects the upstream change https://github.com/grafana/grafana/pull/115676 .
It is too easy to accidentally ship this key in a production setup, so just
require the user to provide it instead.
This commit is contained in:
Tony Wasserka 2026-01-27 13:20:04 +01:00
commit 8129a2d1fa
3 changed files with 10 additions and 2 deletions

View file

@ -876,13 +876,19 @@ in
secret_key = mkOption {
description = ''
Secret key used for signing. Please note that the contents of this option
Secret key used for signing data source settings like secrets and passwords.
Set this to a unique, random string in production, generated for example by running `openssl rand -hex 32`.
If you change this later you will need to update data source settings to re-encode them.
<https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#secret_key>
Please note that the contents of this option
will end up in a world-readable Nix store. Use the file provider
pointing at a reasonably secured file in the local filesystem
to work around that. Look at the documentation for details:
<https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider>
'';
default = "SW2YcwTIb9zpOOhoPsMm";
type = types.str;
};

View file

@ -18,6 +18,7 @@ import ../make-test-python.nix (
security = {
admin_user = "testadmin";
admin_password = "snakeoilpwd";
secret_key = "11111111111111111111";
};
};
};

View file

@ -19,6 +19,7 @@ import ../../make-test-python.nix (
security = {
admin_user = "testadmin";
admin_password = "$__file{${pkgs.writeText "pwd" "snakeoilpwd"}}";
secret_key = "11111111111111111111";
};
};
};