From 382d6435730dff58d7cb11bf80103f448fb9d5e7 Mon Sep 17 00:00:00 2001
From: Henry-Hiles
Date: Wed, 29 Oct 2025 13:51:50 -0400
Subject: [PATCH] use credentials to fix perms
---
 clients/quadraticserver/stats/grafana.nix | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/clients/quadraticserver/stats/grafana.nix b/clients/quadraticserver/stats/grafana.nix
index 652c0f1..900ebd4 100644
--- a/clients/quadraticserver/stats/grafana.nix
+++ b/clients/quadraticserver/stats/grafana.nix
@@ -1,5 +1,16 @@
 { config, pkgs, ... }:
+
+let
+ secretName = "grafanaSecret";
+ passwordName = "grafanaPassword";
+ credentialDirectory = "/run/credentials/grafana.service/";
+in
 {
+ systemd.services.grafana.serviceConfig.LoadCredential = [
+ "${secretName}:${config.age.secrets."grafanaSecret.age".path}"
+ "${passwordName}:${config.age.secrets."grafanaPassword.age".path}"
+ ];
+
 services = let domain = "status.federated.nexus";
@@ -20,10 +31,10 @@ security = { cookie_secure = true;
- secret_key = "$__file{${config.age.secrets."grafanaSecret.age".path}}";
+ secret_key = "$__file{${credentialDirectory}${secretName}}";
 admin_user = "quadradical";
- admin_password = "$__file{${config.age.secrets."grafanaPassword.age".path}}";
+ admin_password = "$__file{${credentialDirectory}${passwordName}}";
 };
 };
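Review bot: In the first hunk the `let` block hard-codes `credentialDirectory = "/run/credentials/grafana.service/"`, which silently depends on the unit name used in `systemd.services.grafana`; the `$__file{...}` values in the second hunk stop resolving if that name ever changes, so a comment such as `# must match the unit name in systemd.services.grafana; LoadCredential= files are exposed here` would make the coupling explicit. The `secretName` and `passwordName` bindings are also not reused for the agenix keys, which are still spelled `"grafanaSecret.age"` and `"grafanaPassword.age"`; writing `config.age.secrets."${secretName}.age".path` would keep each name in one place. Because the service manager reads the `LoadCredential=` source itself and hands the service a private copy, the agenix secrets presumably no longer need to be owned by or readable to the grafana user; their owner and mode declarations are outside this patch and are worth checking so the decrypted files stay root-only.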