Add basic OIDC for grafana
This commit is contained in:
parent
97da620ef6
commit
e017135180
|
@ -13,6 +13,8 @@
|
|||
};
|
||||
|
||||
services = {
|
||||
dex.settings.oauth2.skipApprovalScreen = true;
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
virtualHosts."auth.c3d2.de" = {
|
||||
|
@ -29,7 +31,11 @@
|
|||
portunus = {
|
||||
enable = true;
|
||||
dex = {
|
||||
# enable = true;
|
||||
enable = true;
|
||||
oidcClients = [ {
|
||||
callbackURL = "https://grafana.hq.c3d2.de/login/generic_oauth";
|
||||
id = "grafana";
|
||||
} ];
|
||||
};
|
||||
domain = "auth.c3d2.de";
|
||||
ldap = {
|
||||
|
@ -43,6 +49,22 @@
|
|||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets."dex/environment" = libz.sops.permissionForUser "dex";
|
||||
secrets."portunus/seed" = libz.sops.permissionForUser "portunus";
|
||||
};
|
||||
|
||||
systemd.services.dex.serviceConfig = {
|
||||
DynamicUser = lib.mkForce false;
|
||||
EnvironmentFile = config.sops.secrets."dex/environment".path;
|
||||
StateDirectory = "dex";
|
||||
User = "dex";
|
||||
};
|
||||
|
||||
users = {
|
||||
groups.dex = { };
|
||||
users.dex = {
|
||||
group = "dex";
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
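Review bot: `DynamicUser = lib.mkForce false;` in the third hunk overrides the dex module's default with no explanation, and the reason is only visible from the `secrets."dex/environment" = libz.sops.permissionForUser "dex"` line above it: the secret is granted to a named user, which presumably only works with a static `dex` account rather than a dynamic uid. A why-comment on that line, e.g. `# static user so sops can grant the EnvironmentFile (OIDC client secrets) to dex`, would stop a later cleanup from restoring DynamicUser and silently breaking secret delivery. The grafana entry added to `oidcClients` in the second hunk carries no secret in the Nix file; presumably it is supplied through that EnvironmentFile, which is worth stating next to the `id = "grafana";` line so the two halves can be found together. `dex.settings.oauth2.skipApprovalScreen = true` in the first hunk applies to every client, not just grafana; if that is deliberate for first-party clients only, a comment saying so would help when a third-party client is registered later.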
|
|
@ -1,3 +1,5 @@
|
|||
dex:
|
||||
environment: ENC[AES256_GCM,data:X213Nj0ftMSdEG7Z18hceghX3w9wBV2q4Z/q7enbZm/rbZKM2L2SBZnCtf7NGoFuZbePe95HR+puKCzmHKHt891So6Uq11OA5DvMvl3IdNKkXpHwS8HicIZWTGwtle0CaESzJqI7LJl1ajzXFX/fo3RClGz8V9D5cFza54N/29xKrxyRd+vu9zlXN6ZX/w==,iv:wHLq9shvvrzImMRoYInlWQVACNGqazDEHqkcp25zHHw=,tag:xhaX0oK0qxuQigWXrwRfwQ==,type:str]
|
||||
portunus:
|
||||
seed: ENC[AES256_GCM,data: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,iv:xIAxj2D3HurNzQg/JjKCQ4KEwjKJ/PuDGM2RLRFuMX4=,tag:i5s0OMkvIgY4rgLQygVsaQ==,type:str]
|
||||
sops:
|
||||
|
@ -24,8 +26,8 @@ sops:
|
|||
OHlKSmZ0WGpJNTNlbGJZdWsvV2JVSjQKChNZeeT4l/ZiBMC0SZXY8wsNnZBtM9vw
|
||||
WfVljqnQTMODkoLjfxcvET2xZjSHSI0wjULjMAgg67lRUEG2bxMp3g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-08-01T23:50:16Z"
|
||||
mac: ENC[AES256_GCM,data:P7fUSy+q+jXqKq3uYLVZmOIh4WT19bd59zPel6ltuq9SpUTkrybr+AFqRdQs+DhADKF45X98lNUCvsyAXaXyP2ADQCcCeuWx/AQNjUaGiZ39LnHXAfn9r3o2xml8sXD7yri6BHDnCoaCNA/caAsaOz+yKB3vJw3PU5hWmm4os7s=,iv:nFSPrHTl/lJQkFJktkgkAbQVdQ6sqxFWbwl+dPwSfag=,tag:vk44cvyxy89dh+nonnKe7A==,type:str]
|
||||
lastmodified: "2022-12-23T05:29:41Z"
|
||||
mac: ENC[AES256_GCM,data:PgiZ9mg5ffLrkLO4RhxRScDiL0SQoF60cTMzxITOx1UtIjXWqmB/OM7rnOwlwVtyHY0OLe5XTVQ+yjVRD2Zv6ri0EJKU/0NZperunFdp/91iIswmzWJjwxD9luRw2h5Fjnq64xgWDJtpIMDIJy5PtxiTh1hO3p38m572BWiQPFI=,iv:8IXRzC61ZXZBnxoiULTWO6dnAPUAEqOuuLnBWHCrQ5k=,tag:N7zTvbL8qTJOi8YC6DKNGA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-07-31T16:18:25Z"
|
||||
enc: |
|
||||
|
|
|
@ -41,9 +41,18 @@
|
|||
};
|
||||
|
||||
settings = {
|
||||
"auth.anonymous" = {
|
||||
enabled = false;
|
||||
org_name = "Chaos";
|
||||
analytics.reporting_enabled = false;
|
||||
"auth.generic_oauth" = {
|
||||
enabled = true;
|
||||
allow_sign_up = true;
|
||||
api_url = "https://auth.c3d2.de/dex/userinfo";
|
||||
auth_url = "https://auth.c3d2.de/dex/auth";
|
||||
client_id = "grafana";
|
||||
client_secret = "$__file{${config.sops.secrets."grafana/client-secret".path}}";
|
||||
icon = "signin";
|
||||
name = "auth.c3d2.de";
|
||||
scopes = "openid profile email";
|
||||
token_url = "https://auth.c3d2.de/dex/token";
|
||||
};
|
||||
security = {
|
||||
admin_password = "$__file{${config.sops.secrets."grafana/admin-password".path}}";
|
||||
|
@ -89,15 +98,15 @@
|
|||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets = {
|
||||
"grafana/admin-password" = {
|
||||
group = config.systemd.services.grafana.serviceConfig.User;
|
||||
owner = config.systemd.services.grafana.serviceConfig.User;
|
||||
};
|
||||
"grafana/secret-key" = {
|
||||
secrets = let
|
||||
grafanaUser = {
|
||||
group = config.systemd.services.grafana.serviceConfig.User;
|
||||
owner = config.systemd.services.grafana.serviceConfig.User;
|
||||
};
|
||||
in {
|
||||
"grafana/admin-password" = grafanaUser;
|
||||
"grafana/client-secret" = grafanaUser;
|
||||
"grafana/secret-key" = grafanaUser;
|
||||
};
|
||||
};
|
||||
|
||||
|
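Review bot: `allow_sign_up = true;` in the first hunk, with no `role_attribute_path`, `allowed_groups` (where the Grafana version supports it) or organisation restriction alongside it, means every account that can log in at auth.c3d2.de is auto-provisioned into Grafana with the default role; if only some directory users should get access, that gate is missing. The `scopes = "openid profile email";` line does not request a `groups` claim, so any group-based restriction would also need the scope extended, assuming the dex connector exposes groups. If open sign-up is intentional, a comment such as `# every auth.c3d2.de account may sign up; roles are managed inside Grafana` would make that explicit. The callback registered in dex is https://grafana.hq.c3d2.de/login/generic_oauth, which only matches what Grafana sends if `server.root_url` is set to that origin elsewhere in the file; that setting is outside the hunk, so it is worth confirming. The sops refactor in the second hunk (`grafanaUser` let-binding) keeps the three secrets' ownership consistent and looks right.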
|
|
@ -1,5 +1,6 @@
|
|||
grafana:
|
||||
admin-password: ENC[AES256_GCM,data:eohgvOafD8g=,iv:7gYI4ITOOg+/ahP9OKJHd09dRC5ZbM8t4909IrAfHbY=,tag:6NJRgaWyKSvohfYZY1gHhg==,type:str]
|
||||
client-secret: ENC[AES256_GCM,data:1Ijj2s3tT0U/bkVUlu0hUKDvrOrEvR/cywPwSpsUCacBH+7jUyLdq2xg6yAKjX/IOgtH0ZMHHN9aIRbq7JugBQ==,iv:tTA8zPUEzuptn6SxMQ2RJSG+OmRw9T+gAzVBp344pkc=,tag:PqN/uW8yoMrX0SaKODAFhg==,type:str]
|
||||
secret-key: ENC[AES256_GCM,data:0FYJ2sEN6/tEf7v6eNvFtT2AX8xxqrU5rbolJTPLxG3WZ3ZV8GjC0zRmuy/zw7MOOB4UKKcHI+kR6WzBYRartw==,iv:ehA4KC3rE6QaiX0fbNTNiydk4Ly2zyASr3utGcWqkHE=,tag:muafXs36mdiT2rLDt9eldw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
|
@ -25,8 +26,8 @@ sops:
|
|||
eVN5KzdSQktNNjRyekZUK1U5SnVwbzAKbEYEDJz+gBILvt8KWLzkZ3gQwdQCBAH6
|
||||
KSYuY9d0BrznamgUjNt9zCxWBuzIqZbL5PbTrK30EdVG66d5U+bkTg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-10-27T19:29:47Z"
|
||||
mac: ENC[AES256_GCM,data:IuIBWaRQGtn+QSYRgRE2r3hYPSut9mO8rTb7Fz2pRcOjaitUD9jd1LpvGzRSsOHEfOArxJlv99njqVq9NA26cJUB7aWDxhL4DG4XXHf0vabUk8wSE1gdFwxDZRH5bvK11riuZnkoBSTGiFqlw9TvIZnASsHAmAgyI+WIGnNERfI=,iv:vUj8k1iyVAkYHVcQXOLXrE5QdFNpIxrDA6dNBisPpZE=,tag:DW671BahNqve1cKA6Yn0IQ==,type:str]
|
||||
lastmodified: "2022-12-19T22:58:27Z"
|
||||
mac: ENC[AES256_GCM,data:4RKDTIYpf4urFwnKJC4iYF+xsu7sbZiX7VtDhR+Jl9HeHEjsOWYonA0DSInKhvn0z3zl4VnKJL8DEGh6cmkAv3atHVffoURTIPzKiAjy2uVsIAM1TrmF+JCnM7MpxIJrcrOsNDDA0ZIRFtiGeQTjRmj8uWrUZQXR8jiXIgT9PUU=,iv:5QimYM48Q/oeOU653UYnVlymm3TOElKLdy5zaTTpCxQ=,tag:KVm9r1VDZBiZFkg9ohwj6A==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-10-27T18:39:31Z"
|
||||
enc: |
|
||||
|
|
|
@ -182,7 +182,7 @@ lib.attrsets.mapAttrs
|
|||
"microvm-update-${name}-local" = pkgs.writeScriptBin "microvm-update-${name}" ''
|
||||
#!${pkgs.runtimeShell} -e
|
||||
|
||||
${lib.optionalString (! builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) ''
|
||||
${lib.optionalString (!builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) ''
|
||||
echo "MicroVM must be configured to proper server" >&2
|
||||
exit 1
|
||||
''}
|
||||
|
|