cluster/services/monitoring: switch grafana to postgres

cluster/services/monitoring/server.nix

@@ -11,8 +11,12 @@ let
   login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
 in
 {
-  age.secrets.grafana-secrets = {
-    file = ./secrets/grafana-secrets.age;
+  age.secrets = {
+    grafana-db-credentials = {
+      file = ./secrets/grafana-db-credentials.age;
+      owner = "grafana";
+    };
+    grafana-secrets.file = ./secrets/grafana-secrets.age;
   };
 
   links = {
@@ -28,6 +32,12 @@ in
         root_url = "https://monitoring.${domain}/";
         http_port = links.grafana.port;
       };
+      database = {
+        type = "postgres";
+        host = cluster.config.links.patroni-pg-access.tuple;
+        user = "grafana";
+        password = "$__file{${config.age.secrets.grafana-db-credentials.path}}";
+      };
       analytics.reporting_enabled = false;
       "auth.generic_oauth" = {
         enabled = true;

secrets.nix

@@ -23,6 +23,7 @@ in with hosts;
   "cluster/services/ipfs/cluster-secret.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/ipfs/cluster-pinsvc-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+  "cluster/services/monitoring/secrets/grafana-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/monitoring/secrets/grafana-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ thunderskin VEGAS prophet ];
   "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ thunderskin VEGAS prophet ];