feat(self_host/monitor): adding the sso to grafana

Raphael 2025-10-17 16:38:19 +02:00
parent 3585423458
commit e94bf59c23
No known key found for this signature in database
3 changed files with 60 additions and 1 deletions


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 eRdPLg sizbeKIH5VEhRyLSh4vsetSWjG3AQy4kAJuoz+vceRw
/xKSxsI1WgoF3B62hDDuderO9N+50fu1n/VpigXVSXo
-> ssh-ed25519 KUgDMA 7Y3EyWnFPXAJKl4qQ4c7nwBV+sIFFIS+qu+KHbqFK0s
8F/iFAIspcGx3Zsi5TMlIIpgLd7wQ9hBDzszqHkYCNE
--- Vyq3HcDfXdyfLuYzbVS4PGRuLI8pVLTGjTe8b4i7mos
RkZCgDsÒvêz®<„($ÝS×û¶×j<C397>{å³u+`þÛ\I¯F$&ý­²÷í9½3RøT>ˆ§5¨°N2 ëûšp©væ—‰

Binary file not shown.


@ -11,7 +11,8 @@ let
"nginx" "nginx"
"grafana" "grafana"
]; ];
email = "raphael@enium.eu"; authentik-grafana-id = config.age.secrets."auth-grafana-id".path;
authentik-grafana-secret =config.age.secrets."auth-grafana-secret".path;
in in
{ {
config = lib.mkIf cfg { config = lib.mkIf cfg {
@ -19,6 +20,57 @@ in
enable = true; enable = true;
package = pkgs.grafana; package = pkgs.grafana;
dataDir = "/var/lib/grafana"; dataDir = "/var/lib/grafana";
settings = {
log = {
mode = "console";
level = "debug";
};
server = {
root_url = "https://monitor.enium.eu";
domain = "monitor.enium.eu";
serve_from_sub_path = true;
};
users = {
auto_assign_org = true;
auto_assign_org_role = "Viewer";
};
auth = {
disable_login_form = false;
disable_signout_menu = false;
};
"auth.generic_oauth" = {
enabled = true;
name = "Authentik";
allow_sign_up = true;
client_id = "$__file{${authentik-grafana-id}}";
client_secret = "$__file{${authentik-grafana-secret}}";
scopes = "openid profile email groups";
auth_url = "https://auth.enium.eu/application/o/authorize/";
token_url = "https://auth.enium.eu/application/o/token/";
api_url = "https://auth.enium.eu/application/o/userinfo/";
redirect_uri = "https://monitor.enium.eu/login/generic_oauth";
use_pkce = true;
use_refresh_token = true;
login_attribute_path = "preferred_username";
name_attribute_path = "name";
email_attribute_path = "email";
groups_attribute_path = "groups[*]";
role_attribute_path = "has(groups, 'grafana_admins') && 'Admin' || has(groups, 'EquipeIT') && 'Editor' || 'Viewer'"; allow_assign_grafana_admin = true;
skip_org_role_sync = false;
# org_attribute_path = "";
# org_mapping = [];
};
};
}; };
environment.etc."process-exporter.json".text = builtins.toJSON { environment.etc."process-exporter.json".text = builtins.toJSON {
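Review bot: The `role_attribute_path` expression calls `has(groups, ...)`, which to my knowledge is not a JMESPath function (the membership test is `contains`), so the mapping will probably fail to evaluate and every SSO user would fall back to the `auto_assign_org_role` default instead of Admin or Editor; I would expect `role_attribute_path = "contains(groups[*], 'grafana_admins') && 'Admin' || contains(groups[*], 'EquipeIT') && 'Editor' || 'Viewer'";`, optionally with `role_attribute_strict = true;` so that a login without a mappable role is refused rather than defaulted. `allow_assign_grafana_admin = true;` shares a line with that expression and has no effect today because no branch returns `GrafanaAdmin`; set it to `false` or drop it until server-admin mapping is actually intended. `log.level = "debug"` stays enabled on an instance that now performs OAuth exchanges, and debug output from the login flow is typically far more verbose about user and token data, so `level = "info";` is the safer setting once the integration works. The enclosing service definition opens above this hunk, so settings outside the visible lines were not checked.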