Grafana OAuth config

Gabriel Simmer 2023-10-30 12:27:14 +00:00
parent 541a1f9721
commit 12dd979483
Signed by: arch
SSH key fingerprint: SHA256:m3OEcdtrnBpMX+2BDGh/byv3hrCekCLzDYMdvGEKPPQ
3 changed files with 39 additions and 0 deletions


@ -32,6 +32,11 @@
owner = "prometheus"; owner = "prometheus";
}; };
age.secrets.grafana-client-secret = {
file = ../../secrets/monitoring-grafana-client-secret.age;
owner = "grafana";
};
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
networking.hostName = "monitoring"; networking.hostName = "monitoring";
@ -48,10 +53,30 @@
feature_toggles = { feature_toggles = {
publicDashboards = true; publicDashboards = true;
}; };
log = {
filters = "oauth.generic_oauth:debug";
};
server = { server = {
domain = "grafana.gmem.ca"; domain = "grafana.gmem.ca";
http_port = 2342; http_port = 2342;
http_addr = "127.0.0.1"; http_addr = "127.0.0.1";
root_url = "https://grafana.gmem.ca";
};
auth = {
signout_redirect_url = "https://authentik.gmem.ca/application/o/grafana/end-session/";
oauth_auto_login = true;
};
"auth.generic_oauth" = {
name = "authentik";
client_id = "VbOQzwuf0UK9AUGrWvaVaWWHvX2fJsZChxJNGt61";
client_secret = "$__file{${config.age.secrets.grafana-client-secret.path}}";
auth_url = "https://authentik.gmem.ca/application/o/authorize/";
api_url = "https://authentik.gmem.ca/application/o/userinfo/";
token_url = "https://authentik.gmem.ca/application/o/token/";
enabled = true;
scopes = "openid email grafana-user";
role_attribute_path = "contains(info.groups[*], 'Grafana Admins') && 'Admin' || contains(info.groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
role_attribute_strict = true;
}; };
}; };
}; };
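Review bot: In the `"auth.generic_oauth"` block, `role_attribute_path` ends in `|| 'Viewer'`, so the expression always yields a role and `role_attribute_strict = true` never rejects anyone: every account that authentik lets through this application gets Viewer. If membership in one of the two groups is meant to gate access, drop the fallback, `role_attribute_path = "contains(info.groups[*], 'Grafana Admins') && 'Admin' || contains(info.groups[*], 'Grafana Editors') && 'Editor'";`, otherwise access control rests entirely on authentik's policy bindings for the application, which this page does not show. Separately, `log.filters = "oauth.generic_oauth:debug"` looks like a setup aid; at debug level this logger can write the userinfo and token claims it receives to the journal, so I would remove it once login works, or mark it with `# temporary: remove after OAuth login is verified`. The enclosing settings attrset opens above the hunk.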


@ -18,4 +18,6 @@ in
"secrets/fastmail-smtp.age".publicKeys = machines ++ users; "secrets/fastmail-smtp.age".publicKeys = machines ++ users;
"secrets/healthchecks-telegram.age".publicKeys = [ monitoring gsimmer ]; "secrets/healthchecks-telegram.age".publicKeys = [ monitoring gsimmer ];
"secrets/cloudflare-dns.age".publicKeys = machines ++ users; "secrets/cloudflare-dns.age".publicKeys = machines ++ users;
"secrets/monitoring-grafana-client-secret.age".publicKeys = [monitoring gsimmer ];
} }
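Review bot: The new recipient list is written `[monitoring gsimmer ]`, without the space after `[` that the `healthchecks-telegram` entry two lines above uses; `[ monitoring gsimmer ]` would match the rest of the file. Scoping the recipients to the monitoring host and one user key, rather than `machines ++ users`, is the narrower choice and matches the only place this commit consumes the secret. The attrset this line belongs to opens above the hunk.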


@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 J+a91w MspB+ESDy17zh+NaXVVvkDzJwmd6xvDZRLKLknI0HD0
lbDHx++2KiLriLPS7xen9gUBio3qhvTTjmRfsneY3jw
-> ssh-ed25519 qbziOw IYugyWtXbgT+Vog5LxA1uIBDuiUt9sHhl0y3raBbMjU
eXdKqKoNyvySpdwWz5iN1wMQQFS8ywsw0ewxZ0uPLIk
-> *k0)-grease
zR3oS3o1GDM0/uiHjtSfaxUemA+d8W3NITQqLIo74pxWnGcTNrBj9dfRVWrf6oBp
0p/FspjSLfruaATq9bU/REl+zLICKAy1oIpeq8gMA5yWsqh3lfiHntNF1lO3iGFn
--- 6FsNkLYmYMYsJ8Ao4fUoJ9lJqm2k+mXM6lLepEzO/h0
³<EFBFBD>”?@p«2~ øCŠ˜
óÎ1ôÂÆxâfiÏLÚ@õž}®ÃËJ¨V×ÖËòk¯ÜÎà´m`V€'˜œÜéÂzÔ.Ïþ”ëú n&g²Ó ÎïG1îUz©èLâ¸æ >÷<>#ø¨´*°ê<C2B0>•ïrYèyú|ÑRYP£%ônÛç!œzÇòºBË£Q#Ôüõv¾ëÌ<C3AB><C38C>