From 94025116d054b12d2c70d6c598ba33d7010817b5 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Tue, 23 Dec 2025 20:49:58 +0100
Subject: [PATCH] feat(self_host/sso): adding the reproductible sso for grafana

---
 services/self_host/sso.nix | 73 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 72 insertions(+), 1 deletion(-)

diff --git a/services/self_host/sso.nix b/services/self_host/sso.nix
index d43f1c8..0de69b7 100644
--- a/services/self_host/sso.nix
+++ b/services/self_host/sso.nix
@@ -26,7 +26,6 @@ in
 package = pkgs.kanidmWithSecretProvisioning_1_8;
 enableServer = true;
 serverSettings = {
- role = "WriteReplica";
 domain = "enium.eu";
 origin = "https://auth.enium.eu";
 bindaddress = "127.0.0.1:9000";
@@ -47,14 +46,86 @@ in
 mailAddresses = [
 "raphael@enium.eu"
 ];
+ groups = [
+ "grafana_superadmins"
+ "nextcloud_user"
+ ];
 };
 };
 groups = {
+ grafana_superadmins = {
+ present = true;
+ };
+ grafana_admins = {
+ present = true;
+ };
+ grafana_editors = {
+ present = true;
+ };
+ grafana_user = {
+ present = true;
+ };
 nextcloud_user = {
 present = true;
 };
 };
 systems.oauth2 = {
+ grafana = {
+ present = true;
+ displayName = "Grafana";
+ originUrl = "https://monitor.enium.eu";
+ originLanding = "https://monitor.enium.eu/login/generic_oauth";
+ basicSecretFile = config.age.secrets.grafana-oidc-secret.path;
+ public = false;
+ enableLocalhostRedirects = false;
+ allowInsecureClientDisablePkce = false;
+ preferShortUsername = true;
+ scopeMaps = {
+ grafana_superadmins = [
+ "email"
+ "openid"
+ "profile"
+ "groups"
+ ];
+ grafana_admins = [
+ "email"
+ "openid"
+ "profile"
+ "groups"
+ ];
+ grafana_editors = [
+ "email"
+ "openid"
+ "profile"
+ "groups"
+ ];
+ grafana_user = [
+ "email"
+ "openid"
+ "profile"
+ "groups"
+ ];
+ };
+ claimMaps = {
+ groups = {
+ joinType = "array";
+ valuesByGroup = {
+ grafana_superadmins = [
+ "grafana_superadmins"
+ ];
+ grafana_admins = [
+ "grafana_admins"
+ ];
+ grafana_editors = [
+ "grafana_editors"
+ ];
+ grafana_user = [
+ "grafana_user"
+ ];
+ };
+ };
+ };
+ };
 nextcloud = {
 present = true;
 displayName = "Nextcloud";
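Review bot: The `originUrl` and `originLanding` values in the new `grafana` client look swapped: Grafana's generic OAuth callback is `/login/generic_oauth`, and in kanidm `originUrl` is the redirect-URI allow-list (matched exactly when strict redirect matching is in effect, which I believe is the default for the 1.8 package used here), while `originLanding` is only the link behind the app tile in the kanidm UI. As written the code flow is likely to be rejected at the redirect step, and the tempting "fix" of relaxing strict matching would widen the redirect allow-list for this client; prefer `originUrl = "https://monitor.enium.eu/login/generic_oauth";` and `originLanding = "https://monitor.enium.eu";`. Separately, the `groups` claim is emitted for all four groups but nothing in this file enforces it on the consuming side — confirm that the Grafana config sets `role_attribute_strict = true` (and maps `grafana_superadmins` to GrafanaAdmin) so a kanidm account outside these groups is denied rather than admitted with Grafana's default Viewer role. Minor naming point: `grafana_user` is singular while its sibling groups are plural; `grafana_users` would keep the set consistent.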