Add basic OIDC for grafana

2022-12-23 08:22:28 +01:00 · 2022-12-23 08:22:28 +01:00 · e017135180
parent 97da620ef6
commit e017135180
5 changed files with 49 additions and 15 deletions
--- a/hosts/auth/default.nix
+++ b/hosts/auth/default.nix
@ -13,6 +13,8 @@
  };

  services = {
+    dex.settings.oauth2.skipApprovalScreen = true;
+
    nginx = {
      enable = true;
      virtualHosts."auth.c3d2.de" = {
@ -29,7 +31,11 @@
    portunus = {
      enable = true;
      dex = {
-        # enable = true;
+        enable = true;
+        oidcClients = [ {
+          callbackURL = "https://grafana.hq.c3d2.de/login/generic_oauth";
+          id = "grafana";
+        } ];
      };
      domain = "auth.c3d2.de";
      ldap = {
@ -43,6 +49,22 @@

  sops = {
    defaultSopsFile = ./secrets.yaml;
+    secrets."dex/environment" = libz.sops.permissionForUser "dex";
    secrets."portunus/seed" = libz.sops.permissionForUser "portunus";
  };
+
+  systemd.services.dex.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    EnvironmentFile = config.sops.secrets."dex/environment".path;
+    StateDirectory = "dex";
+    User = "dex";
+  };
+
+  users = {
+    groups.dex = { };
+    users.dex = {
+      group = "dex";
+      isSystemUser = true;
+    };
+  };
 }
--- a/hosts/auth/secrets.yaml
+++ b/hosts/auth/secrets.yaml
@ -1,3 +1,5 @@
+dex:
+    environment: ENC[AES256_GCM,data:X213Nj0ftMSdEG7Z18hceghX3w9wBV2q4Z/q7enbZm/rbZKM2L2SBZnCtf7NGoFuZbePe95HR+puKCzmHKHt891So6Uq11OA5DvMvl3IdNKkXpHwS8HicIZWTGwtle0CaESzJqI7LJl1ajzXFX/fo3RClGz8V9D5cFza54N/29xKrxyRd+vu9zlXN6ZX/w==,iv:wHLq9shvvrzImMRoYInlWQVACNGqazDEHqkcp25zHHw=,tag:xhaX0oK0qxuQigWXrwRfwQ==,type:str]
 portunus:
    seed: ENC[AES256_GCM,data:bF4cxon5Wy9+i9jib+JfzW7++mMWYbt5U85S9b1YK6YYsvF2/4LKW8BwsCBsECKCqicSvejDID9DEGMXRhcojUWu07q/LBI8ADYhw8siBeTMYgb5V433Nt8EODJa8XUhpxWSl/PgLNZKw0+vSK4hQRZjAcmWl6Djy01LD0kyhU4rAwxY8FozlfaLtJN007LHhhGFA+r/l+nHuW+wBg7XVC3/7d0THS6krf44USBEyIdoYPbpLOhkyitcmGxHlT+AknUvgghyTnqxUIsPdhFq9LWPRSpxaCcH6mbFFsqBfQwfZ58BOW3Oqz3e7RDm4Z8LOJSL/3RDgEBJ3sNKHvPZp8x6lCaV9PZZGSKIOhp6534fY2s1LuPqIQGW+Qf+08j3XlpUuFkEURP+IdkEiJtk952cMN6SnN/QFhxM6Nr+s1JRzwbtuvmjQSPWQHC484XsizqVbyiLFMjX9QsKvnHeZeACspnZKdFSTWRZ2reRa1Lv6acIjWn+uv8S4sUt1o3zfcWFb5xG95NYhyBLFExsVzC/RWD/fD4jR/1ZAUF+vGl20SZzlj7MbRLg7JIwxVFoFgZLz915ZTbHbxDeX/OOhqd+GOBe8wsm+DJf8H939jNo+iPTWlHfY8zZOFQpdtkpt3uISpGBsBfMFtYInrBDXDNPr1SEbQPEAgjbYJWPC/FIgcIkGtRu4mN8Cl4IgPnTgSJ9WYpGkfuxb/PNvR4XN9bbjE4h9i7bCeA7nNPSFa3vItbVps0jM7TyWyha168K/gJ+nk9+iqK79m6SxaAHQ6A5P60V7XZpIDteWKuxV/I/1Tty1JLsN8khiHnrrqMqrxX3vyjXCwX1N16w7gMwLnQJkMO3M5pRhUsfaRm+lyBLWDVrN8o5PqZ+KZtldvqeZW+tknmvvUtYB6lYbcEdy9/4W6oNLBvINodKijQmOO66/RhiAu8q4qNI6JIpqdzl0CdKI86xoykfUGXbqm1heEloutcNxkEfR8D3Vn98rKc0IVB+uD8XROD53ZV1w2LbpzjHNJMITCebKufRjBZvVfMl8Q==,iv:xIAxj2D3HurNzQg/JjKCQ4KEwjKJ/PuDGM2RLRFuMX4=,tag:i5s0OMkvIgY4rgLQygVsaQ==,type:str]
 sops:
@ -24,8 +26,8 @@ sops:
            OHlKSmZ0WGpJNTNlbGJZdWsvV2JVSjQKChNZeeT4l/ZiBMC0SZXY8wsNnZBtM9vw
            WfVljqnQTMODkoLjfxcvET2xZjSHSI0wjULjMAgg67lRUEG2bxMp3g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-08-01T23:50:16Z"
-    mac: ENC[AES256_GCM,data:P7fUSy+q+jXqKq3uYLVZmOIh4WT19bd59zPel6ltuq9SpUTkrybr+AFqRdQs+DhADKF45X98lNUCvsyAXaXyP2ADQCcCeuWx/AQNjUaGiZ39LnHXAfn9r3o2xml8sXD7yri6BHDnCoaCNA/caAsaOz+yKB3vJw3PU5hWmm4os7s=,iv:nFSPrHTl/lJQkFJktkgkAbQVdQ6sqxFWbwl+dPwSfag=,tag:vk44cvyxy89dh+nonnKe7A==,type:str]
+    lastmodified: "2022-12-23T05:29:41Z"
+    mac: ENC[AES256_GCM,data:PgiZ9mg5ffLrkLO4RhxRScDiL0SQoF60cTMzxITOx1UtIjXWqmB/OM7rnOwlwVtyHY0OLe5XTVQ+yjVRD2Zv6ri0EJKU/0NZperunFdp/91iIswmzWJjwxD9luRw2h5Fjnq64xgWDJtpIMDIJy5PtxiTh1hO3p38m572BWiQPFI=,iv:8IXRzC61ZXZBnxoiULTWO6dnAPUAEqOuuLnBWHCrQ5k=,tag:N7zTvbL8qTJOi8YC6DKNGA==,type:str]
    pgp:
        - created_at: "2022-07-31T16:18:25Z"
          enc: |
--- a/hosts/grafana/default.nix
+++ b/hosts/grafana/default.nix
@ -41,9 +41,18 @@
      };

      settings = {
-        "auth.anonymous" = {
-          enabled = false;
-          org_name = "Chaos";
+        analytics.reporting_enabled = false;
+        "auth.generic_oauth" = {
+          enabled = true;
+          allow_sign_up = true;
+          api_url = "https://auth.c3d2.de/dex/userinfo";
+          auth_url = "https://auth.c3d2.de/dex/auth";
+          client_id = "grafana";
+          client_secret = "$__file{${config.sops.secrets."grafana/client-secret".path}}";
+          icon = "signin";
+          name = "auth.c3d2.de";
+          scopes = "openid profile email";
+          token_url = "https://auth.c3d2.de/dex/token";
        };
        security = {
          admin_password = "$__file{${config.sops.secrets."grafana/admin-password".path}}";
@ -89,15 +98,15 @@

  sops = {
    defaultSopsFile = ./secrets.yaml;
-    secrets = {
-      "grafana/admin-password" = {
-        group = config.systemd.services.grafana.serviceConfig.User;
-        owner = config.systemd.services.grafana.serviceConfig.User;
-      };
-      "grafana/secret-key" = {
+    secrets = let
+      grafanaUser = {
        group = config.systemd.services.grafana.serviceConfig.User;
        owner = config.systemd.services.grafana.serviceConfig.User;
      };
+    in {
+      "grafana/admin-password" = grafanaUser;
+      "grafana/client-secret" = grafanaUser;
+      "grafana/secret-key" = grafanaUser;
    };
  };

--- a/hosts/grafana/secrets.yaml
+++ b/hosts/grafana/secrets.yaml
@ -1,5 +1,6 @@
 grafana:
    admin-password: ENC[AES256_GCM,data:eohgvOafD8g=,iv:7gYI4ITOOg+/ahP9OKJHd09dRC5ZbM8t4909IrAfHbY=,tag:6NJRgaWyKSvohfYZY1gHhg==,type:str]
+    client-secret: ENC[AES256_GCM,data:1Ijj2s3tT0U/bkVUlu0hUKDvrOrEvR/cywPwSpsUCacBH+7jUyLdq2xg6yAKjX/IOgtH0ZMHHN9aIRbq7JugBQ==,iv:tTA8zPUEzuptn6SxMQ2RJSG+OmRw9T+gAzVBp344pkc=,tag:PqN/uW8yoMrX0SaKODAFhg==,type:str]
    secret-key: ENC[AES256_GCM,data:0FYJ2sEN6/tEf7v6eNvFtT2AX8xxqrU5rbolJTPLxG3WZ3ZV8GjC0zRmuy/zw7MOOB4UKKcHI+kR6WzBYRartw==,iv:ehA4KC3rE6QaiX0fbNTNiydk4Ly2zyASr3utGcWqkHE=,tag:muafXs36mdiT2rLDt9eldw==,type:str]
 sops:
    kms: []
@ -25,8 +26,8 @@ sops:
            eVN5KzdSQktNNjRyekZUK1U5SnVwbzAKbEYEDJz+gBILvt8KWLzkZ3gQwdQCBAH6
            KSYuY9d0BrznamgUjNt9zCxWBuzIqZbL5PbTrK30EdVG66d5U+bkTg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-10-27T19:29:47Z"
-    mac: ENC[AES256_GCM,data:IuIBWaRQGtn+QSYRgRE2r3hYPSut9mO8rTb7Fz2pRcOjaitUD9jd1LpvGzRSsOHEfOArxJlv99njqVq9NA26cJUB7aWDxhL4DG4XXHf0vabUk8wSE1gdFwxDZRH5bvK11riuZnkoBSTGiFqlw9TvIZnASsHAmAgyI+WIGnNERfI=,iv:vUj8k1iyVAkYHVcQXOLXrE5QdFNpIxrDA6dNBisPpZE=,tag:DW671BahNqve1cKA6Yn0IQ==,type:str]
+    lastmodified: "2022-12-19T22:58:27Z"
+    mac: ENC[AES256_GCM,data:4RKDTIYpf4urFwnKJC4iYF+xsu7sbZiX7VtDhR+Jl9HeHEjsOWYonA0DSInKhvn0z3zl4VnKJL8DEGh6cmkAv3atHVffoURTIPzKiAjy2uVsIAM1TrmF+JCnM7MpxIJrcrOsNDDA0ZIRFtiGeQTjRmj8uWrUZQXR8jiXIgT9PUU=,iv:5QimYM48Q/oeOU653UYnVlymm3TOElKLdy5zaTTpCxQ=,tag:KVm9r1VDZBiZFkg9ohwj6A==,type:str]
    pgp:
        - created_at: "2022-10-27T18:39:31Z"
          enc: |
--- a/packages.nix
+++ b/packages.nix
@ -182,7 +182,7 @@ lib.attrsets.mapAttrs
        "microvm-update-${name}-local" = pkgs.writeScriptBin "microvm-update-${name}" ''
          #!${pkgs.runtimeShell} -e

-          ${lib.optionalString (! builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) ''
+          ${lib.optionalString (!builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) ''
            echo "MicroVM must be configured to proper server" >&2
            exit 1
          ''}