path: root/profiles/monitoring.nix
blob: bc33c11653f94a343329234eeed27ae4be7815ca (plain) (blame)
{ config, ... }:
{
  # Metrics store. Grafana's single provisioned datasource below talks to its
  # Prometheus-compatible HTTP API on localhost.
  services.victoriametrics.enable = true;

  services.grafana = {
    enable = true;
    declarativePlugins = [ ];

    provision = {
      enable = true;
      datasources.settings.datasources = [
        {
          name = "VictoriaMetrics";
          type = "prometheus";
          url = "http://localhost:8428";
          isDefault = true;
          jsonData = {
            httpMethod = "POST";
            manageAlerts = true;
          };
        }
      ];
    };

    settings = {
      server = {
        enable_gzip = true;
        http_port = 3000;
        # Bound to a LAN address and served over plain HTTP; root_url is https,
        # so TLS is presumably terminated by something in front of Grafana.
        http_addr = "10.100.0.60";
        domain = "dash.fcuny.net";
        root_url = "https://dash.fcuny.net/";
      };

      # No phone-home.
      analytics = {
        reporting_enabled = false;
        check_for_updates = false;
      };

      # Local self-registration is off; accounts only arrive via OIDC (allow_sign_up below).
      users.allow_signup = false;

      # Grafana side of the OIDC client; the matching Authelia client entry is at the
      # bottom of this module. client_id, scopes, redirect URI and PKCE settings
      # must stay in sync between the two.
      "auth.generic_oauth" = {
        enabled = true;
        allow_sign_up = true;
        auto_login = true;
        name = "Authelia";
        icon = "signin";
        client_id = "grafana";
        # The plaintext secret is read from the systemd credential file (see
        # LoadCredential below), so it never lands in the Nix store. To rotate it:
        #   nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
        # The generated pbkdf2 digest belongs in the Authelia client entry below;
        # the random plaintext goes into the agenix secret (grafana-oidc).
        client_secret = "$__file{/run/credentials/grafana.service/oauth2-client-secret}";
        scopes = [
          "openid"
          "profile"
          "email"
          "groups"
        ];
        empty_scopes = false;
        auth_url = "https://auth.fcuny.net/api/oidc/authorization";
        token_url = "https://auth.fcuny.net/api/oidc/token";
        api_url = "https://auth.fcuny.net/api/oidc/userinfo";
        login_attribute_path = "preferred_username";
        groups_attribute_path = "groups";
        name_attribute_path = "name";
        email_attribute_path = "email";
        # PKCE on this side pairs with require_pkce/S256 on the Authelia client.
        use_pkce = true;
        allow_assign_grafana_admin = true;
        # Role is derived from IdP group membership, first match wins. Do not
        # append a trailing `||` fallback clause; see github:grafana/grafana#106686.
        role_attribute_path = builtins.concatStringsSep " || " [
          "contains(groups, 'grafana-admins') && 'GrafanaAdmin'"
          "contains(groups, 'grafana-editors') && 'Editor'"
          "contains(groups, 'grafana-viewers') && 'Viewer'"
        ];
        # Strict: a user whose groups match none of the clauses above gets no
        # default role and is refused, rather than silently becoming a Viewer.
        role_attribute_strict = true;
        # Keep syncing the org role from the IdP on every login so group removals
        # take effect.
        skip_org_role_sync = false;
      };
    };
  };

  # Hand the agenix-managed secret to the Grafana unit as a systemd credential;
  # Grafana's $__file{} reference above resolves to this path.
  systemd.services.grafana.serviceConfig.LoadCredential = [
    "oauth2-client-secret:${config.age.secrets.grafana-oidc.path}"
  ];

  # Authelia side of the same OIDC client. Only the pbkdf2-sha512 digest of the
  # secret is stored here, so this file does not reveal the plaintext.
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
    {
      id = "grafana";
      description = "Grafana";
      client_secret = "$pbkdf2-sha512$310000$yDK1zYFV8y9Zo5iHCv.eQQ$mDpNy3lQ27uqtsbssUaOb8t0rtxD5MBce4sFUqJKE.5y3mVWZir0a1B2q1RaRK/KfgyWxKtNyKRT21Kx7C56Tw";
      # Confidential client: must authenticate with the secret, and every login
      # through it requires second-factor completion in Authelia.
      public = false;
      authorization_policy = "two_factor";
      require_pkce = true;
      pkce_challenge_method = "S256";
      # Exact-match redirect target; must equal Grafana's root_url + /login/generic_oauth.
      redirect_uris = [ "https://dash.fcuny.net/login/generic_oauth" ];
      scopes = [
        "openid"
        "profile"
        "email"
        "groups"
      ];
      # Authorization-code flow only; no implicit/hybrid response types.
      response_types = [ "code" ];
      grant_types = [
        "authorization_code"
      ];
      # NOTE(review): "none" here appears to be Authelia's default (opaque access
      # token, plain-JSON userinfo) rather than an unsigned JWT — confirm against
      # the Authelia docs for the deployed version.
      access_token_signed_response_alg = "none";
      userinfo_signed_response_alg = "none";
      # Grafana sends the secret in the token request body, hence client_secret_post.
      token_endpoint_auth_method = "client_secret_post";
    }
  ];
}