From 12dd979483c5d550dd68355e13f2704f2be202a5 Mon Sep 17 00:00:00 2001
From: Gabriel Simmer
Date: Mon, 30 Oct 2023 12:27:14 +0000
Subject: [PATCH] Grafana OAuth config
---
 nix/monitoring/configuration.nix | 25 ++++++++++++++++++++
 secrets.nix | 2 ++
 secrets/monitoring-grafana-client-secret.age | 12 ++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 secrets/monitoring-grafana-client-secret.age
diff --git a/nix/monitoring/configuration.nix b/nix/monitoring/configuration.nix
index 548601b..b6eee03 100644
--- a/nix/monitoring/configuration.nix
+++ b/nix/monitoring/configuration.nix
@@ -32,6 +32,11 @@
 owner = "prometheus";
 };
+ age.secrets.grafana-client-secret = {
+ file = ../../secrets/monitoring-grafana-client-secret.age;
+ owner = "grafana";
+ };
+
 boot.tmp.cleanOnBoot = true;
 zramSwap.enable = true;
 networking.hostName = "monitoring";
@@ -48,10 +53,30 @@
 feature_toggles = {
 publicDashboards = true;
 };
+ log = {
+ filters = "oauth.generic_oauth:debug";
+ };
 server = {
 domain = "grafana.gmem.ca";
 http_port = 2342;
 http_addr = "127.0.0.1";
+ root_url = "https://grafana.gmem.ca";
+ };
+ auth = {
+ signout_redirect_url = "https://authentik.gmem.ca/application/o/grafana/end-session/";
+ oauth_auto_login = true;
+ };
+ "auth.generic_oauth" = {
+ name = "authentik";
+ client_id = "VbOQzwuf0UK9AUGrWvaVaWWHvX2fJsZChxJNGt61";
+ client_secret = "$__file{${config.age.secrets.grafana-client-secret.path}}";
+ auth_url = "https://authentik.gmem.ca/application/o/authorize/";
+ api_url = "https://authentik.gmem.ca/application/o/userinfo/";
+ token_url = "https://authentik.gmem.ca/application/o/token/";
+ enabled = true;
+ scopes = "openid email grafana-user";
+ role_attribute_path = "contains(info.groups[*], 'Grafana Admins') && 'Admin' || contains(info.groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
+ role_attribute_strict = true;
 };
 };
 };
diff --git a/secrets.nix b/secrets.nix
index 7e02fe5..a12fd1b 100644
--- a/secrets.nix
+++ b/secrets.nix
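Review bot: `log.filters = "oauth.generic_oauth:debug"` in the second hunk enables debug logging for the OAuth module on the deployed host, and in the Grafana versions I have seen the generic_oauth logger at that level writes the id_token and userinfo payloads it receives, so the journal on `monitoring` can end up holding identity claims and token material for every user who signs in. If this is there to troubleshoot the initial rollout, say so next to it (`# TEMP: debug OAuth login flow, remove once the role mapping is verified`) and drop it afterwards, or leave the module at the default level. Separately, the `"auth.generic_oauth"` block never sets `allow_sign_up`, whose Grafana default creates a local account for any user Authentik authorizes for this client, and the `|| 'Viewer'` tail of `role_attribute_path` then grants each of them read access to every dashboard; if that is the intent it deserves a one-line comment, otherwise `allow_sign_up = false;` with explicit user provisioning is the safer default. The enclosing attribute set (presumably `services.grafana.settings`) begins before the hunk.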
@@ -18,4 +18,6 @@ in
 "secrets/fastmail-smtp.age".publicKeys = machines ++ users;
 "secrets/healthchecks-telegram.age".publicKeys = [ monitoring gsimmer ];
 "secrets/cloudflare-dns.age".publicKeys = machines ++ users;
+ "secrets/monitoring-grafana-client-secret.age".publicKeys = [monitoring gsimmer ];
+
 }
diff --git a/secrets/monitoring-grafana-client-secret.age b/secrets/monitoring-grafana-client-secret.age
new file mode 100644
index 0000000..76b38a6
--- /dev/null
+++ b/secrets/monitoring-grafana-client-secret.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 J+a91w MspB+ESDy17zh+NaXVVvkDzJwmd6xvDZRLKLknI0HD0
+lbDHx++2KiLriLPS7xen9gUBio3qhvTTjmRfsneY3jw
+-> ssh-ed25519 qbziOw IYugyWtXbgT+Vog5LxA1uIBDuiUt9sHhl0y3raBbMjU
+eXdKqKoNyvySpdwWz5iN1wMQQFS8ywsw0ewxZ0uPLIk
+-> *k0)-grease
+zR3oS3o1GDM0/uiHjtSfaxUemA+d8W3NITQqLIo74pxWnGcTNrBj9dfRVWrf6oBp
+0p/FspjSLfruaATq9bU/REl+zLICKAy1oIpeq8gMA5yWsqh3lfiHntNF1lO3iGFn
+
+--- 6FsNkLYmYMYsJ8Ao4fUoJ9lJqm2k+mXM6lLepEzO/h0
+?@p2~ C +1xfiL@}JVkm`V'z.n&g ΛG1UzLq >#*ꏕrYy|іRYP%n!zBˣQ#v̍y
\ No newline at end of file
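Review bot: The added recipient list `[monitoring gsimmer ]` has asymmetric bracket spacing, while the sibling `healthchecks-telegram` entry directly above writes the same pair as `[ monitoring gsimmer ]`; match it. The added empty line immediately before the closing `}` looks unintentional and can be dropped. The `let … in` attribute set this hunk edits begins before the hunk.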