From e94bf59c230ce992fb45b6a3820de0c80ba39c15 Mon Sep 17 00:00:00 2001 From: Raphael Date: Fri, 17 Oct 2025 16:38:19 +0200 Subject: [PATCH] feat(self_host/monitor): adding the sso to grafana --- secrets/auth-grafana-id.age | 7 +++++ secrets/auth-grafana-secret.age | Bin 0 -> 451 bytes services/self_host/monitor.nix | 54 +++++++++++++++++++++++++++++++- 3 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 secrets/auth-grafana-id.age create mode 100644 secrets/auth-grafana-secret.age diff --git a/secrets/auth-grafana-id.age b/secrets/auth-grafana-id.age new file mode 100644 index 0000000..40a3d5a --- /dev/null +++ b/secrets/auth-grafana-id.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 eRdPLg sizbeKIH5VEhRyLSh4vsetSWjG3AQy4kAJuoz+vceRw +/xKSxsI1WgoF3B62hDDuderO9N+50fu1n/VpigXVSXo +-> ssh-ed25519 KUgDMA 7Y3EyWnFPXAJKl4qQ4c7nwBV+sIFFIS+qu+KHbqFK0s +8F/iFAIspcGx3Zsi5TMlIIpgLd7wQ9hBDzszqHkYCNE +--- Vyq3HcDfXdyfLuYzbVS4PGRuLI8pVLTGjTe8b4i7mos +RkZCgDsÒvêz®<„($ÝS×û¶×j{å³u+`þÛ\I¯F$&ý­²÷í9½3RøT>ˆ§‹5¨°N2 ëûšp©væ—‰ \ No newline at end of file diff --git a/secrets/auth-grafana-secret.age b/secrets/auth-grafana-secret.age new file mode 100644 index 0000000000000000000000000000000000000000..12cec2929e86e5fda68f12b97c527b42cf716570 GIT binary patch literal 451 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn4N3{{NmoeB@pOqy z4o(d=PPZrzC`n3>@-58>*3NS*_ee4|cJU|;^~v{2%1kr%FyS&!Nz5(^NpnhaPO>n} zj>;_XElD!Z3&`@T%ulNF_Dd-YFmreJb+kcJ=xnl*T_e|G$}d2!!)xjzhGoDr~|GzLM`9`ziqFM$aSrLik z)=dio&a8|2^02OjA=&n`*}kj4wc<`$G&!m<-^%7V?J}d4;R2_mQeXM5tl#r^#cWco z4KvG>4JWE-ak;hjJ{9%wdJzBZ>1q4iZC-UrDvArLw#gQH|8lva@x5r`)0;0`c72}e jtTN-;t3r`WuRN1A9Crt=?=Q7F`X;(<^5w9Ax*zKRhv%rI literal 0 HcmV?d00001 diff --git a/services/self_host/monitor.nix b/services/self_host/monitor.nix index 4c47c2f..67d1301 100644 --- a/services/self_host/monitor.nix +++ b/services/self_host/monitor.nix 
@@ -11,7 +11,8 @@ let
 "nginx"
 "grafana"
 ];
- email = "raphael@enium.eu";
+ authentik-grafana-id = config.age.secrets."auth-grafana-id".path;
+ authentik-grafana-secret =config.age.secrets."auth-grafana-secret".path;
 in {
 config = lib.mkIf cfg {
@@ -19,6 +20,57 @@ in
 enable = true;
 package = pkgs.grafana;
 dataDir = "/var/lib/grafana";
+
+ settings = {
+ log = {
+ mode = "console";
+ level = "debug";
+ };
+
+ server = {
+ root_url = "https://monitor.enium.eu";
+ domain = "monitor.enium.eu";
+ serve_from_sub_path = true;
+ };
+
+ users = {
+ auto_assign_org = true;
+ auto_assign_org_role = "Viewer";
+ };
+
+ auth = {
+ disable_login_form = false;
+ disable_signout_menu = false;
+ };
+
+ "auth.generic_oauth" = {
+ enabled = true;
+ name = "Authentik";
+ allow_sign_up = true;
+
+ client_id = "$__file{${authentik-grafana-id}}";
+ client_secret = "$__file{${authentik-grafana-secret}}";
+
+ scopes = "openid profile email groups";
+ auth_url = "https://auth.enium.eu/application/o/authorize/";
+ token_url = "https://auth.enium.eu/application/o/token/";
+ api_url = "https://auth.enium.eu/application/o/userinfo/";
+ redirect_uri = "https://monitor.enium.eu/login/generic_oauth";
+
+ use_pkce = true;
+ use_refresh_token = true;
+ login_attribute_path = "preferred_username";
+ name_attribute_path = "name";
+ email_attribute_path = "email";
+ groups_attribute_path = "groups[*]";
+
+ role_attribute_path = "has(groups, 'grafana_admins') && 'Admin' || has(groups, 'EquipeIT') && 'Editor' || 'Viewer'"; allow_assign_grafana_admin = true;
+ skip_org_role_sync = false;
+
+ # org_attribute_path = "";
+ # org_mapping = [];
+ };
+ };
 };
 environment.etc."process-exporter.json".text = builtins.toJSON {
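Review bot: The two new let bindings are agenix secret paths that Grafana itself reads at runtime through `$__file{...}` later in this change, so the secret files must be readable by the account the Grafana service runs as; the `config.age.secrets."auth-grafana-id"` / `"auth-grafana-secret"` declarations (owner, group, mode) are not in this diff, and agenix's default is root-only as far as I recall, so confirm they grant read access to the grafana user or group, otherwise the OAuth client will fail to start with an unreadable client id or secret. Minor style: `authentik-grafana-secret =config.age...` is missing the space after `=`; `authentik-grafana-secret = config.age.secrets."auth-grafana-secret".path;`. The `let` block this hunk edits begins before the hunk.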
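Review bot: `role_attribute_path` calls `has(groups, ...)`, which is not a JMESPath built-in as far as I can tell (Grafana's documented examples use `contains(groups[*], '...')`), and because `role_attribute_strict` is left unset, an expression that fails to evaluate does not reject the login but, as I read Grafana's docs, silently falls back to `auto_assign_org_role = "Viewer"`, so members of `grafana_admins` and `EquipeIT` would quietly lose their roles with nothing visible but a log line. I would change it to `role_attribute_path = "contains(groups[*], 'grafana_admins') && 'Admin' || contains(groups[*], 'EquipeIT') && 'Editor' || 'Viewer'";` and add `role_attribute_strict = true;` so a mapping failure is visible at login rather than buried in the log. `allow_assign_grafana_admin = true;` sits on the same line as that expression and is inert here, since the expression never yields `GrafanaAdmin`; put it on its own line or drop it, as it is the switch that lets the IdP grant server-wide admin. `log.level = "debug"` is very verbose for a service that is now handling OAuth responses, and debug output from the auth subsystem may include identity claims; I would return it to `"info"` once the integration is confirmed working. The `services.grafana` attribute set this hunk extends is opened before the hunk.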