feat(self_host/monitoring): adding SSO to grafana

2025-12-23 20:49:29 +01:00 · 2025-12-23 20:49:29 +01:00 · beafc15d79
commit beafc15d79
parent 3b3e2c9b57
1 changed files with 22 additions and 5 deletions
--- a/services/self_host/monitor.nix
+++ b/services/self_host/monitor.nix
@ -56,16 +56,33 @@ in
          serve_from_sub_path = false;
        };
-        users = {
+        "auth.generic_oauth" = {
-          auto_assign_org = true;
+          enabled = true;
-          auto_assign_org_role = "Viewer";
+          name = "Enium";
          allow_sign_up = true;
          client_id = "grafana";
          client_secret = "$__file{${config.age.secrets.grafana-oidc-secret.path}}";
          scopes = "openid profile email groups";
          auth_url = "https://auth.enium.eu/ui/oauth2";
          token_url = "https://auth.enium.eu/oauth2/token";
          api_url = "https://auth.enium.eu/oauth2/openid/grafana/userinfo";
          redirect_uri = "https://monitor.enium.eu/login/generic_oauth";
          use_pkce = true;
          use_refresh_token = true;
          login_attribute_path = "preferred_username";
          name_attribute_path = "name";
          email_attribute_path = "email";
          groups_attribute_path = "groups";
          role_attribute_path = "contains(groups, 'grafana_superadmins@enium.eu') && 'GrafanaAdmin' || contains(groups, 'grafana_admins@enium.eu') && 'Admin' || contains(groups, 'grafana_editors@enium.eu') && 'Editor' || 'Viewer'";
          allow_assign_grafana_admin = true;
          role_attribute_strict = false;
          skip_org_role_sync = false;
        };
-
+        log.level = "debug";
        auth = {
          disable_login_form = true;
          disable_signout_menu = false;
        };
        security = {
          cookie_secure = true;
          cookie_samesite = "none";