fricloud/server-configs
2
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions
server-configs/machines/gerd/services/monitoring/grafana.nix
eyjhb 39bc977cf6
authelia: set consent mode to implicit, we only use fricloud.dk anyways 
And rasmus is lazy
2025-03-14 17:13:47 +01:00

92 lines
2.7 KiB
Nix
Raw Blame History

{ config, ... }:
let
svc_domain = "grafana.${config.mine.shared.settings.domain}";
auth_domain = config.mine.shared.settings.authelia.domain;
grafana_user = config.systemd.services.grafana.serviceConfig.User;
in {
services.grafana = {
enable = true;
settings = {
server = {
http_addr = "127.0.0.1";
http_port = 3010;
root_url = "https://${svc_domain}";
};
# only allow signun with oauth
auth.disable_login_form = true;
"auth.generic_oauth" = {
enabled = true;
name = "Authelia";
icon = "signin";
client_id = "grafana";
client_secret = "$__file{${config.age.secrets.grafana-authelia-secret.path}}";
scopes = "openid profile email groups";
empty_scopes = false;
auth_url = "https://${auth_domain}/api/oidc/authorization";
token_url = "https://${auth_domain}/api/oidc/token";
api_url = "https://${auth_domain}/api/oidc/userinfo";
login_attribute_path = "preferred_username";
groups_attribute_path = "groups";
name_attribute_path = "name";
use_pkce = true;
role_attribute_path = config.mine.shared.lib.ldap.mkScope (lconfig: llib:
"contains(groups, '${lconfig.groups.grafana_admin}') && 'Admin' || contains(groups, 'editor') && 'Editor' || 'Viewer'"
);
};
};
provision = {
enable = true;
# dashboards.settings.providers = [{
# name = "my dashboards";
# options.path = "/etc/grafana-dashboards";
# }];
datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
}
];
};
};
# authelia
services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
client_id = "grafana";
client_name = "Grafana";
client_secret = "$pbkdf2-sha512$310000$81MV1.67njuS/5H2UvVsnA$vaNO3/tzVA76Jho4ngS.xFjDuYn1sDn/9qo7cD0ueMnVvzaoJj00ND5wCGzVSUnvLuxNE/enC1K5r7xKAe/Hrg";
consent_mode = "implicit";
redirect_uris = [ "https://${svc_domain}/login/generic_oauth" ];
scopes = [
"openid"
"email"
"profile"
"groups"
];
}];
environment.persistence.root.directories = [
config.services.grafana.dataDir
];
systemd.tmpfiles.rules = [
"Z ${config.services.grafana.dataDir} 0770 ${grafana_user} ${grafana_user} -"
];
age.secrets.grafana-authelia-secret.owner = grafana_user;
services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:${builtins.toString config.services.grafana.settings.server.http_port}";
};
}
Reference in a new issue View git blame Copy permalink