grafana+prometheus: initial setup

2025-03-14 16:43:56 +01:00 · 2025-03-14 16:43:56 +01:00 · efb17ea7fa
commit efb17ea7fa
parent a10111a791
9 changed files with 147 additions and 1 deletions
--- a/machines/gerd/services/monitoring/grafana.nix
+++ b/machines/gerd/services/monitoring/grafana.nix
@ -0,0 +1,91 @@
+{ config, ... }:
+
+let
+  svc_domain = "grafana.${config.mine.shared.settings.domain}";
+
+  auth_domain = config.mine.shared.settings.authelia.domain;
+
+  grafana_user = config.systemd.services.grafana.serviceConfig.User;
+in {
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        http_addr = "127.0.0.1";
+        http_port = 3010;
+        root_url = "https://${svc_domain}";
+      };
+
+      # only allow signun with oauth
+      auth.disable_login_form = true;
+
+      "auth.generic_oauth" = {
+        enabled = true;
+        name = "Authelia";
+        icon = "signin";
+        client_id = "grafana";
+        client_secret = "$__file{${config.age.secrets.grafana-authelia-secret.path}}";
+        scopes = "openid profile email groups";
+        empty_scopes = false;
+        auth_url = "https://${auth_domain}/api/oidc/authorization";
+        token_url = "https://${auth_domain}/api/oidc/token";
+        api_url = "https://${auth_domain}/api/oidc/userinfo";
+        login_attribute_path = "preferred_username";
+        groups_attribute_path = "groups";
+        name_attribute_path = "name";
+        use_pkce = true;
+
+        role_attribute_path = config.mine.shared.lib.ldap.mkScope (lconfig: llib:
+          "contains(groups, '${lconfig.groups.grafana_admin}') && 'Admin' || contains(groups, 'editor') && 'Editor' || 'Viewer'"
+        );
+      };
+    };
+
+    provision = {
+      enable = true;
+      
+      # dashboards.settings.providers = [{
+      # name = "my dashboards";
+      # options.path = "/etc/grafana-dashboards";
+      # }];
+      
+      datasources.settings.datasources = [
+        {
+          name = "Prometheus";
+          type = "prometheus";
+          url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
+        }
+      ];
+    };
+  };
+
+  # authelia
+  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
+    client_id = "grafana";
+    client_name = "Grafana";
+    client_secret = "$pbkdf2-sha512$310000$81MV1.67njuS/5H2UvVsnA$vaNO3/tzVA76Jho4ngS.xFjDuYn1sDn/9qo7cD0ueMnVvzaoJj00ND5wCGzVSUnvLuxNE/enC1K5r7xKAe/Hrg";
+    redirect_uris = [ "https://${svc_domain}/login/generic_oauth" ];
+    scopes = [
+      "openid"
+      "email"
+      "profile"
+      "groups"
+    ];
+  }];
+
+  environment.persistence.root.directories = [
+    config.services.grafana.dataDir
+  ];
+
+  systemd.tmpfiles.rules = [
+    "Z ${config.services.grafana.dataDir} 0770 ${grafana_user} ${grafana_user} -"
+  ];
+
+  age.secrets.grafana-authelia-secret.owner = grafana_user;
+
+  services.nginx.virtualHosts."${svc_domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "http://localhost:${builtins.toString config.services.grafana.settings.server.http_port}";
+  };
+}