Diffstat (limited to 'nix/hosts/corrino/www/grafana.emile.space.nix')
-rw-r--r-- | nix/hosts/corrino/www/grafana.emile.space.nix | 256 |
1 files changed, 127 insertions, 129 deletions
diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix index f8674a2..2caa4d4 100644 --- a/nix/hosts/corrino/www/grafana.emile.space.nix +++ b/nix/hosts/corrino/www/grafana.emile.space.nix 
@@ -3,145 +3,143 @@ { systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana_env_vars.path; - services = { - nginx.virtualHosts = { - "grafana.emile.space" = { - addSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/"; - proxyWebsockets = true; - }; + + services.nginx.virtualHosts = { + "grafana.emile.space" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/"; + proxyWebsockets = true; }; }; + }; - authelia.instances.main.settings.identity_providers.oidc.clients = [ - { - id = "Grafana"; - - # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$S.RE0jcmr7Sn/tjJDNxV/A$1tsYhQ/YEcVfE4JyzszHemrcUqy.84Fb6xVSmz87if5C9N46Mz2lRWB5l8s4EIrLsiumPnt4HQMkYZ4MoovJzA"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ "https://grafana.emile.space/login/generic_oauth" ]; - scopes = [ - "openid" - "email" - "profile" - "groups" - ]; - grant_types = [ - "refresh_token" - "authorization_code" - ]; - response_types = [ "code" ]; - response_modes = [ - "form_post" - "query" - "fragment" - ]; - } - ]; - - grafana = { - enable = true; - settings = { - server = { - http_addr = "127.0.0.1"; - http_port = config.emile.ports.grafana; - domain = "grafana.emile.space"; - root_url = "https://grafana.emile.space/"; - }; + age.secrets.grafana_oidc_client_secret.owner = "authelia-main"; + age.secrets.grafana_oidc_client_secret.group = "authelia-main"; - "auth.generic_oauth" = - let - sso = "https://sso.emile.space/api/oidc"; - in - { - enabled = true; - client_id = "Grafana"; - - # [auth.generic_oauth] - # client_secret = ... 
- # set in env var as - # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET - client_secret = "set in env var this is just a placeholder"; - - use_refresh_token = true; - token_url = "${sso}/token"; - auth_url = "${sso}/authorization"; - api_url = "${sso}/userinfo"; - - scopes = [ - "openid" - "email" - "profile" - "groups" - ]; - - email_attribute_path = "email"; - login_attribute_path = "preferred_username"; - name_attribute_path = "name"; - - role_attribute_path = "contains(groups[*], 'grafana_server_admin') && 'GrafanaAdmin' || contains(groups[*], 'grafana_admin') && 'Admin' || contains(groups[*], 'grafana_editor') && 'Editor' || 'Viewer'"; - - }; + services.authelia.instances.main.settings.identity_providers.oidc.clients = [ + { + client_id = "Grafana"; + + # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 + client_secret = "{{ secret \"${config.age.secrets.grafana_oidc_client_secret.path}\" }}"; + + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ "https://grafana.emile.space/login/generic_oauth" ]; + scopes = [ + "openid" + "email" + "profile" + "groups" + ]; + grant_types = [ + "refresh_token" + "authorization_code" + ]; + response_types = [ "code" ]; + response_modes = [ + "form_post" + "query" + "fragment" + ]; + } + ]; + + services.grafana = { + enable = true; + settings = { + server = { + http_addr = "127.0.0.1"; + http_port = config.emile.ports.grafana; + domain = "grafana.emile.space"; + root_url = "https://grafana.emile.space/"; }; - provision = { - dashboards.settings = { }; - datasources.settings = { - deleteDatasources = [ - { name = "Prometheus"; orgId = 1; } - { name = "Lampadas"; orgId = 1; } - ]; - datasources = [ - { - url = "http://localhost:${toString config.services.prometheus.port}"; - type = "prometheus"; - name = "Prometheus Corrino"; - editable = false; - access = "proxy"; # server = "proxy", browser = "direct" - } - { - url = 
"http://lampadas:9009"; - type = "prometheus"; - name = "Prometheus Lampadas"; - editable = false; - access = "proxy"; # server = "proxy", browser = "direct" - } - # { - # name = "loki"; - # url = "http://${config.services.loki.configuration.common.instance_addr}:${toString config.services.loki.configuration.server.http_listen_port}"; - # type = "loki"; - # } + "auth.generic_oauth" = + let + sso = "https://sso.emile.space/api/oidc"; + in + { + enabled = true; + client_id = "Grafana"; + + # [auth.generic_oauth] + # client_secret = ... + # set in env var as + # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET + client_secret = "set in env var this is just a placeholder"; + + use_refresh_token = true; + token_url = "${sso}/token"; + auth_url = "${sso}/authorization"; + api_url = "${sso}/userinfo"; + + scopes = [ + "openid" + "email" + "profile" + "groups" ]; + + email_attribute_path = "email"; + login_attribute_path = "preferred_username"; + name_attribute_path = "name"; + + role_attribute_path = "contains(groups[*], 'grafana_server_admin') && 'GrafanaAdmin' || contains(groups[*], 'grafana_admin') && 'Admin' || contains(groups[*], 'grafana_editor') && 'Editor' || 'Viewer'"; + }; + }; - # TODO(emile): finish setting up the grafana notifier filling out the settings section - # notifiers = [ - # { - # uid = "2ad1c1d1-bcd9-4cb8-8897-c89c5820ffb1"; - # type = "email"; - # settings = {}; - # org_name = "Main Org."; - # org_id = 1; - # name = "email"; - # id_default = true; - # frequency = "5m"; - # disable_resolve_message = false; - # } - # ]; - - # TODO(emile): finish setting up the alerting stuff within here - # alerting = { - # templates.settings = { }; - # rules.settings = {}; - # policies.settings = {}; - # muteTimings.settings = {}; - # contactPoints.settings = {}; - # }; + provision = { + dashboards.settings = { }; + datasources.settings = { + deleteDatasources = [ + { name = "Prometheus"; orgId = 1; } + { name = "Lampadas"; orgId = 1; } + ]; + datasources = [ + { + url = 
"http://localhost:${toString config.services.prometheus.port}"; + type = "prometheus"; + name = "Prometheus Corrino"; + editable = false; + access = "proxy"; # server = "proxy", browser = "direct" + } + { + url = "http://lampadas:9009"; + type = "prometheus"; + name = "Prometheus Lampadas"; + editable = false; + access = "proxy"; # server = "proxy", browser = "direct" + } + ]; }; + + # TODO(emile): finish setting up the grafana notifier filling out the settings section + # notifiers = [ + # { + # uid = "2ad1c1d1-bcd9-4cb8-8897-c89c5820ffb1"; + # type = "email"; + # settings = {}; + # org_name = "Main Org."; + # org_id = 1; + # name = "email"; + # id_default = true; + # frequency = "5m"; + # disable_resolve_message = false; + # } + # ]; + + # TODO(emile): finish setting up the alerting stuff within here + # alerting = { + # templates.settings = { }; + # rules.settings = {}; + # policies.settings = {}; + # muteTimings.settings = {}; + # contactPoints.settings = {}; + # }; }; }; } |
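Review bot: The comment kept above the new `client_secret = "{{ secret \"${config.age.secrets.grafana_oidc_client_secret.path}\" }}"` still only shows the hash-generation command and does not say which form goes where: Authelia must read the pbkdf2 digest from the agenix file, while Grafana's `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` in `grafana_env_vars` needs the matching plaintext, so I would add `# the agenix file holds the pbkdf2 digest printed by this command; the plaintext it was derived from goes into grafana_env_vars as GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` next to it. The `{{ secret ... }}` form is only expanded when Authelia's template config filter is active for this instance, which the hunk does not show; if it is not, Authelia sees the literal string and Grafana logins will fail, so this is worth one explicit check after deploy. In the Grafana block, `role_attribute_path` evaluates to `'GrafanaAdmin'` for `grafana_server_admin` members, but Grafana only grants server-admin when `allow_assign_grafana_admin = true;` is set (otherwise that value is treated as plain `Admin`), and nothing in the hunk sets it — either add it or drop the branch so the intended privilege level is explicit. Note also that the `|| 'Viewer'` fallback combined with Grafana's default sign-up behaviour means every account passing the `two_factor` policy gets a Grafana account; if that is not intended, remove the fallback and set `role_attribute_strict = true;`. The enclosing module attrset opens before this hunk and is closed by the final `}` inside it.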