path: root/nix/hosts/corrino/www/grafana.emile.space.nix
Diffstat (limited to 'nix/hosts/corrino/www/grafana.emile.space.nix')
-rw-r--r--nix/hosts/corrino/www/grafana.emile.space.nix281
1 files changed, 78 insertions, 203 deletions
diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix
index 8e7d529..b521c05 100644
--- a/nix/hosts/corrino/www/grafana.emile.space.nix
+++ b/nix/hosts/corrino/www/grafana.emile.space.nix
@@ -1,6 +1,8 @@
 { config, ... }:
 
 {
+  systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana_env_vars.path;
+
   services = {
     nginx.virtualHosts = {
       "grafana.emile.space" = {
@@ -11,16 +13,48 @@
           proxyWebsockets = true;
         };
       };
-      "prometheus.emile.space" = {
-        addSSL = true;
-        enableACME = true;
-        locations."/" = {
-          proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}/";
-          proxyWebsockets = true;
-        };
-      };
     };
 
+    authelia.instances.main.settings.identity_providers.oidc.clients = [
+      {
+        id = "Grafana";
+
+        # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+        secret = "$pbkdf2-sha512$310000$S.RE0jcmr7Sn/tjJDNxV/A$1tsYhQ/YEcVfE4JyzszHemrcUqy.84Fb6xVSmz87if5C9N46Mz2lRWB5l8s4EIrLsiumPnt4HQMkYZ4MoovJzA";
+        public = false;
+        authorization_policy = "two_factor";
+        redirect_uris = [ "https://grafana.emile.space/login/generic_oauth" ];
+        scopes = [
+          "openid"
+          "email"
+          "profile"
+        ];
+        grant_types = [
+          "refresh_token"
+          "authorization_code"
+        ];
+        response_types = [ "code" ];
+        response_modes = [
+          "form_post"
+          "query"
+          "fragment"
+        ];
+      }
+    ];
+
+    # example from md.emile.space
+    # CMD_OAUTH2_PROVIDERNAME=Authelia
+    # CMD_OAUTH2_CLIENT_ID=HedgeDoc
+    # CMD_OAUTH2_CLIENT_SECRET=
+    # CMD_OAUTH2_SCOPE=openid email profile
+    # CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=sub
+    # CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
+    # CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
+    # CMD_OAUTH2_USER_PROFILE_URL=https://sso.emile.space/api/oidc/userinfo
+    # CMD_OAUTH2_TOKEN_URL=https://sso.emile.space/api/oidc/token
+    # CMD_OAUTH2_AUTHORIZATION_URL=https://sso.emile.space/api/oidc/authorize
+    # CMD_DOCUMENT_MAX_LENGTH=1000000
+
     grafana = {
       enable = true;
       settings = {
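Review bot: The new Authelia client (`scopes` at the `"openid" "email" "profile"` list) never requests a `groups` scope, and the matching Grafana `scopes` list in the next hunk does not either, yet the Grafana `role_attribute_path` added there keys on `contains(groups[*], 'admin')`. If Authelia only releases the `groups` claim when the `groups` scope is granted (as its scope definitions describe), that expression will never match and every SSO user will silently land on the `Viewer` fallback — worth confirming against the userinfo response before relying on it for admin mapping, and adding `"groups"` to both lists if so. Separately, the `# example from md.emile.space` comment block with the `CMD_OAUTH2_*` variables is HedgeDoc configuration that has nothing to do with this file; it should be dropped or moved into the md.emile.space module rather than left in the grafana host file.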
@@ -30,6 +64,37 @@
           domain = "grafana.emile.space";
           root_url = "https://grafana.emile.space/";
         };
+
+        "auth.generic_oauth" = let
+          sso = "https://sso.emile.space/api/oidc";
+        in {
+          enabled = true;
+          client_id = "Grafana";
+
+          # [auth.generic_oauth]
+          # client_secret = ... 
+          #   set in env var as 
+          #   GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET 
+          client_secret = "set in env var this is just a placeholder";
+
+          token_url = "${sso}/token";
+          auth_url = "${sso}/authorization";
+          api_url = "${sso}/userinfo";
+          scopes = [
+            "openid"
+            "email"
+            "profile"
+          ];
+          use_refresh_token = true;
+
+          # scopes = "openid email profile offline_access roles";
+          # email_attribute_path = "email";
+          # login_attribute_path = "username";
+          # name_attribute_path = "full_name";
+          # role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
+
+          role_attribute_path = "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'";
+        };
       };
 
       provision = {
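Review bot: `auth_url = "${sso}/authorization"` in the new `auth.generic_oauth` block does not agree with the commented HedgeDoc example in the previous hunk, which uses `.../api/oidc/authorize`; Authelia has used both paths in different releases, so one of the two is stale and the value should be checked against the instance's `/.well-known/openid-configuration` document rather than copied from the other file. The `client_secret = "set in env var this is just a placeholder"` line works only because `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` from the `EnvironmentFile` added in the first hunk overrides it; the four-line comment above it is the right place to say that explicitly, e.g. `# overridden by GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET from the agenix EnvironmentFile; the literal here is never a valid secret`. The five commented `scopes`/`*_attribute_path` lines look like leftovers from a previous attempt and could be removed now that the live `role_attribute_path` below them is the one in use.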
@@ -43,205 +108,15 @@
                 editable = false;
                 access = "proxy"; # server = "proxy", browser = "direct"
               }
-              # {
-              #   name = "loki";
-              #   url = "http://localhost:${toString config.services.loki.configuration.server.http_listen_port}";
-              #   type = "loki";
-              # }
+              {
+                name = "loki";
+                url = "http://localhost:${toString config.services.loki.configuration.server.http_listen_port}";
+                type = "loki";
+              }
             ];
           };
         };
       };
     };
-
-    prometheus = {
-      enable = true;
-      retentionTime = "356d";
-
-      listenAddress = "[::1]";
-      port = config.emile.ports.prometheus;
-
-      exporters = {
-        node = {
-          enable = true;
-          enabledCollectors = [ "systemd" ];
-          port = config.emile.ports.prometheus_node_exporter;
-        };
-        systemd = {
-          enable = true;
-          port = config.emile.ports.prometheus_systemd_exporter;
-        };
-        smartctl = {
-          enable = true;
-          port = config.emile.ports.prometheus_smartctl_exporter;
-        };
-      };
-      scrapeConfigs = [
-        {
-          job_name = "corrino";
-          static_configs = [
-            { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
-            { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.systemd.port}" ]; }
-            { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}" ]; }
-          ];
-        }
-        {
-          job_name = "lampadas";
-          static_configs = [
-            { targets = [ "lampadas:9100" ]; }
-            { targets = [ "lampadas:9558" ]; }
-            { targets = [ "lampadas:9633" ]; }
-          ];
-        }
-      ];
-    };
-
-    # loki = {
-    #   enable = true;
-    #   configuration = {
-    #     auth_enabled = false;
-    #     server = {
-    #       http_listen_port = ports.loki;
-    #     };
-
-    #     limits_config = {
-    #       reject_old_samples = true;
-    #       reject_old_samples_max_age = "7d";
-    #       max_global_streams_per_user = 100000;
-    #     };
-
-    #     common = {
-    #       instance_addr = "127.0.0.1";
-    #       ring = {
-    #         instance_addr = "127.0.0.1";
-    #         kvstore.store = "inmemory";
-    #       };
-    #       replication_factor = 1;
-    #       path_prefix = "/tmp/loki";
-    #     };
-
-    #     schema_config.configs = [{
-    #       from = "2023-05-09";
-    #       store = "boltdb-shipper";
-    #       object_store = "filesystem";
-    #       schema = "v11";
-    #       index = {
-    #         prefix = "index_";
-    #         period = "24h";
-    #       };
-    #     }];
-    #   };
-    # };
   };
-
-  # # allow the promtail user to read the nginx access files
-  # users.users.promtail.extraGroups = [ "nginx" ];
-
-  # services = {
-  #   promtail = {
-  #     enable = true;
-  #     configuration = {
-  #       server = {
-  #         http_listen_port = ports.promtail;
-  #         grpc_listen_port = 0;
-  #       };
-  #       positions.filename = "/tmp/positions.yml";
-  #       clients = [{
-  #         url = "http://localhost:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
-  #       }];
-  #       scrape_configs = [
-
-  #         # systemd
-  #         {
-  #           job_name = "journal";
-  #           journal = {
-  #             max_age = "12h";
-  #             labels = {
-  #               job = "systemd-journal";
-  #               host = config.networking.hostName;
-  #             };
-  #           };
-  #           relabel_configs = [
-  #             {
-  #               source_labels = [ "__journal__systemd_unit" ];
-  #               target_label = "unit";
-  #             }
-  #           ];
-  #         }
-
-  #         # nginx error log
-  #         {
-  #           job_name = "nginx-error-logs";
-  #           static_configs = [{
-  #             targets = [ "localhost" ];
-  #             labels = {
-  #               job = "nginx-error-logs";
-  #               host = "corrino";
-  #               __path__ = "/var/log/nginx/*error.log";
-  #             };
-  #           }];
-  #         }
-
-  #         # nginx
-  #         {
-  #           job_name = "nginx";
-  #           static_configs = [
-  #             {
-  #               targets = [ "localhost" ];
-  #               labels = {
-  #                 job = "nginx";
-  #                 host = "corrino";
-  #                 __path__ = "/var/log/nginx/*access.log";
-  #               };   
-  #             }
-  #           ];
-  #           pipeline_stages = [
-  #             # {
-  #             #   regex = {
-  #             #     expression = "(?:[0-9]{1,3}\.){3}([0-9]{1,3})";
-  #             #     replace = "***";
-  #             #   };
-  #             # }
-  #             {
-  #               regex = {
-  #                 expression = ''(?P<remote_addr>.+) - - \[(?P<time_local>.+)\] "(?P<method>.+) (?P<url>.+) (HTTP\/(?P<version>\d.\d))" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) (["](?P<http_referer>(\-)|(.+))["]) (["](?P<http_user_agent>.+)["])'';
-  #               };
-  #             }
-  #             {
-  #               labels = {
-  #                 remote_addr = null;
-  #                 time_local = null;
-  #                 method = null;
-  #                 url = null;
-  #                 status = null;
-  #                 body_bytes_sent = null;
-  #                 http_referer = null;
-  #                 http_user_agent = null;
-  #               };
-  #             }
-  #             # {
-  #             #   timestamp = {
-  #             #     source = "time_local";
-  #             #     format = "02/Jan/2006:15:04:05 -0700";
-  #             #   };
-  #             # }
-  #             {
-  #               drop = {
-  #                 source = "url";
-  #                 expression = ''/(_matrix|.well-known|notifications|api|identity).*'';
-  #               };
-  #             }
-  #             {
-  #               drop = {
-  #                 source = "url";
-  #                 expression = ''grafana.*'';
-  #               };
-  #             }
-  #           ];
-  #         }
-
-  #       ];
-  #     };
-  #   };
-  # };
 }
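Review bot: The newly uncommented `loki` datasource entry omits `editable = false;`, which the sibling datasource entry just above it (the one ending with `access = "proxy";`) sets; provisioned datasources are usually kept non-editable so the Nix file stays the single source of truth and UI edits are not lost on redeploy, so add `editable = false;` to the new entry for consistency. The `url` also references `config.services.loki.configuration.server.http_listen_port`, while the `loki` service definition that used to live (commented out) in this file is deleted by this commit; presumably it is now defined in another module, but if not, evaluation will fail on the missing option. The `datasources` list this entry belongs to begins before the hunk.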