Grafana OAuth config

2023-10-30 12:27:14 +00:00 · 2023-10-30 12:27:14 +00:00 · 12dd979483
parent 541a1f9721
commit 12dd979483
3 changed files with 39 additions and 0 deletions
--- a/nix/monitoring/configuration.nix
+++ b/nix/monitoring/configuration.nix
@ -32,6 +32,11 @@
    owner = "prometheus";
  };

+  age.secrets.grafana-client-secret = {
+    file = ../../secrets/monitoring-grafana-client-secret.age;
+    owner = "grafana";
+  };
+
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  networking.hostName = "monitoring";
@ -48,10 +53,30 @@
      feature_toggles = {
        publicDashboards = true;
      };
+      log = {
+        filters = "oauth.generic_oauth:debug";
+      };
      server = {
        domain = "grafana.gmem.ca";
        http_port = 2342;
        http_addr = "127.0.0.1";
+        root_url = "https://grafana.gmem.ca";
+      };
+      auth = {
+        signout_redirect_url = "https://authentik.gmem.ca/application/o/grafana/end-session/";
+        oauth_auto_login = true;
+      };
+      "auth.generic_oauth" = {
+        name = "authentik";
+        client_id = "VbOQzwuf0UK9AUGrWvaVaWWHvX2fJsZChxJNGt61";
+        client_secret = "$__file{${config.age.secrets.grafana-client-secret.path}}";
+        auth_url = "https://authentik.gmem.ca/application/o/authorize/";
+        api_url = "https://authentik.gmem.ca/application/o/userinfo/";
+        token_url = "https://authentik.gmem.ca/application/o/token/";
+        enabled = true;
+        scopes = "openid email grafana-user";
+        role_attribute_path = "contains(info.groups[*], 'Grafana Admins') && 'Admin' || contains(info.groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
+        role_attribute_strict = true;
      };
    };
  };
--- a/secrets.nix
+++ b/secrets.nix
@ -18,4 +18,6 @@ in
  "secrets/fastmail-smtp.age".publicKeys = machines ++ users;
  "secrets/healthchecks-telegram.age".publicKeys = [ monitoring gsimmer ];
  "secrets/cloudflare-dns.age".publicKeys = machines ++ users;
+  "secrets/monitoring-grafana-client-secret.age".publicKeys = [monitoring gsimmer ];
+
 }
--- a/secrets/monitoring-grafana-client-secret.age
+++ b/secrets/monitoring-grafana-client-secret.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 J+a91w MspB+ESDy17zh+NaXVVvkDzJwmd6xvDZRLKLknI0HD0
+lbDHx++2KiLriLPS7xen9gUBio3qhvTTjmRfsneY3jw
+-> ssh-ed25519 qbziOw IYugyWtXbgT+Vog5LxA1uIBDuiUt9sHhl0y3raBbMjU
+eXdKqKoNyvySpdwWz5iN1wMQQFS8ywsw0ewxZ0uPLIk
+-> *k0)-grease
+zR3oS3o1GDM0/uiHjtSfaxUemA+d8W3NITQqLIo74pxWnGcTNrBj9dfRVWrf6oBp
+0p/FspjSLfruaATq9bU/REl+zLICKAy1oIpeq8gMA5yWsqh3lfiHntNF1lO3iGFn
+
+--- 6FsNkLYmYMYsJ8Ao4fUoJ9lJqm2k+mXM6lLepEzO/h0
+³<EFBFBD>”?@p«2~øCŠ˜
+óÎ1ôÂÆxâfiÏLÚ@õž}®ÃËJ¨V×ÖËòk¯ÜÎà´m`V€'˜œÜéÂzÔ.Ïþ”ëú n&g²Ó
Î›ïG1îUz©èLâ¸qÇæ >÷<>#ø¨´*°ê<C2B0>•ïrYèyú|Ñ–RYP£%ônÛç!œzÇòºBË£Q#Ôüõv¾ëÌ<C3AB><C38C>yË‚