Grafana OAuth config

nix/monitoring/configuration.nix

@@ -32,6 +32,11 @@
     owner = "prometheus";
   };
 
+  age.secrets.grafana-client-secret = {
+    file = ../../secrets/monitoring-grafana-client-secret.age;
+    owner = "grafana";
+  };
+
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
   networking.hostName = "monitoring";
@@ -48,10 +53,30 @@
       feature_toggles = {
         publicDashboards = true;
       };
+      log = {
+        filters = "oauth.generic_oauth:debug";
+      };
       server = {
         domain = "grafana.gmem.ca";
         http_port = 2342;
         http_addr = "127.0.0.1";
+        root_url = "https://grafana.gmem.ca";
+      };
+      auth = {
+        signout_redirect_url = "https://authentik.gmem.ca/application/o/grafana/end-session/";
+        oauth_auto_login = true;
+      };
+      "auth.generic_oauth" = {
+        name = "authentik";
+        client_id = "VbOQzwuf0UK9AUGrWvaVaWWHvX2fJsZChxJNGt61";
+        client_secret = "$__file{${config.age.secrets.grafana-client-secret.path}}";
+        auth_url = "https://authentik.gmem.ca/application/o/authorize/";
+        api_url = "https://authentik.gmem.ca/application/o/userinfo/";
+        token_url = "https://authentik.gmem.ca/application/o/token/";
+        enabled = true;
+        scopes = "openid email grafana-user";
+        role_attribute_path = "contains(info.groups[*], 'Grafana Admins') && 'Admin' || contains(info.groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
+        role_attribute_strict = true;
       };
     };
   };

secrets.nix

@@ -18,4 +18,6 @@ in
   "secrets/fastmail-smtp.age".publicKeys = machines ++ users;
   "secrets/healthchecks-telegram.age".publicKeys = [ monitoring gsimmer ];
   "secrets/cloudflare-dns.age".publicKeys = machines ++ users;
+  "secrets/monitoring-grafana-client-secret.age".publicKeys = [monitoring gsimmer ];
+
 }