From 12dd979483c5d550dd68355e13f2704f2be202a5 Mon Sep 17 00:00:00 2001
From: Gabriel Simmer
Date: Mon, 30 Oct 2023 12:27:14 +0000
Subject: [PATCH] Grafana OAuth config

---
 nix/monitoring/configuration.nix | 25 +++++++++++++++++++
 secrets.nix | 2 ++
 secrets/monitoring-grafana-client-secret.age | Bin 0 -> 597 bytes
 3 files changed, 27 insertions(+)
 create mode 100644 secrets/monitoring-grafana-client-secret.age

diff --git a/nix/monitoring/configuration.nix b/nix/monitoring/configuration.nix
index 548601b..b6eee03 100644
--- a/nix/monitoring/configuration.nix
+++ b/nix/monitoring/configuration.nix
@@ -32,6 +32,11 @@
 owner = "prometheus";
 };
 
+ age.secrets.grafana-client-secret = {
+ file = ../../secrets/monitoring-grafana-client-secret.age;
+ owner = "grafana";
+ };
+
 boot.tmp.cleanOnBoot = true;
 zramSwap.enable = true;
 networking.hostName = "monitoring";
@@ -48,10 +53,30 @@
 feature_toggles = {
 publicDashboards = true;
 };
+ log = {
+ filters = "oauth.generic_oauth:debug";
+ };
 server = {
 domain = "grafana.gmem.ca";
 http_port = 2342;
 http_addr = "127.0.0.1";
+ root_url = "https://grafana.gmem.ca";
+ };
+ auth = {
+ signout_redirect_url = "https://authentik.gmem.ca/application/o/grafana/end-session/";
+ oauth_auto_login = true;
+ };
+ "auth.generic_oauth" = {
+ name = "authentik";
+ client_id = "VbOQzwuf0UK9AUGrWvaVaWWHvX2fJsZChxJNGt61";
+ client_secret = "$__file{${config.age.secrets.grafana-client-secret.path}}";
+ auth_url = "https://authentik.gmem.ca/application/o/authorize/";
+ api_url = "https://authentik.gmem.ca/application/o/userinfo/";
+ token_url = "https://authentik.gmem.ca/application/o/token/";
+ enabled = true;
+ scopes = "openid email grafana-user";
+ role_attribute_path = "contains(info.groups[*], 'Grafana Admins') && 'Admin' || contains(info.groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
+ role_attribute_strict = true;
 };
 };
 };
diff --git a/secrets.nix b/secrets.nix
index 7e02fe5..a12fd1b 100644
--- a/secrets.nix
+++ b/secrets.nix
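Review bot: The `log.filters = "oauth.generic_oauth:debug";` added at the top of the second hunk is a troubleshooting setting rather than steady-state configuration; debug output for the OAuth subsystem may include token-exchange and user-info details that end up in the journal, so it should be removed (or marked with a comment such as `# TEMPORARY: OAuth debug logging, remove once login is verified`) before this is considered final. Separately, the `"auth.generic_oauth"` block leaves `allow_sign_up` at its Grafana default of true, so every account Authentik admits to the application is auto-provisioned through the `'Viewer'` fallback of `role_attribute_path`; if that is the intent, a comment saying access is gated by the Authentik application policy would make it explicit. The expression reads `info.groups[*]`, whereas the Authentik integration guide for Grafana, as far as I recall, evaluates `groups[*]` directly, and with `role_attribute_strict = true` a path that never matches denies every sign-in, so this is worth confirming against a real login. The enclosing attribute set opens and closes outside the hunk.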
@@ -18,4 +18,6 @@ in
 "secrets/fastmail-smtp.age".publicKeys = machines ++ users;
 "secrets/healthchecks-telegram.age".publicKeys = [ monitoring gsimmer ];
 "secrets/cloudflare-dns.age".publicKeys = machines ++ users;
+ "secrets/monitoring-grafana-client-secret.age".publicKeys = [monitoring gsimmer ];
+
 }
diff --git a/secrets/monitoring-grafana-client-secret.age b/secrets/monitoring-grafana-client-secret.age
new file mode 100644
index 0000000000000000000000000000000000000000..76b38a6fcfbe2390d235f7b108a2c586847fd57b
GIT binary patch
literal 597
zcmZ9_OKZ~r007{F;3OggpA0XRq2fZ;q*=S>GS@6?n>Ov%rfHj800yzwE0vX%D!C{*4kbb`gX1Q{)*pdl9<*3z&+akvDRGN}C z5>65@pj3#Y3xc7vL|GCwO82|GhKUR=>8M$26$*7VFW4H-qIKv0&8+y+h!Y^$rs$O# z<%(DUi@F%5+!)d%aiS?P4a`o~6xc&84zFbD48WJGX)~>7y_QECRj1^Kr7YrPa=ADi z^&H!QdB+`to1+vd|J!HtIAbSWPZgFtG{~%nvJ|Pmx3En1|@3 z!JAPr6AODK+pM9AASJa%HjXGGsFa9n002QyAQHE;GR3NFhP6}CnBFHadJ0ogrW%q# zwVa746mJasBf%OBJij${anN`ax_WqT=*BegvvV2QSvdIGT^FPSE7Zrq-TPM_FCK5F z=87NQw>u}cXwD}Sao_aA8I#Aol0EZ^NqAU_!Y;l@eo z*!s~I=F;gefq`F>-FtKMJx{++-rlm@8sFh*^aY2+NZB)W;*<(?U$$U V_H3?u_4jV;)#jU<_q_JR^}ikr=LP@(
literal 0
HcmV?d00001
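Review bot: The new entry's list literal `[monitoring gsimmer ]` is spaced differently from the `[ monitoring gsimmer ]` used by the healthchecks-telegram line two lines above; `"secrets/monitoring-grafana-client-secret.age".publicKeys = [ monitoring gsimmer ];` keeps the file uniform. The added blank line immediately before the closing `}` also looks unintended. Limiting the recipients to `[ monitoring gsimmer ]` rather than `machines ++ users` follows the narrower pattern the file already uses for the healthchecks secret, which is the right call for a client secret only one host needs.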