grafana: move to nixos-modules

2023-12-03 16:57:50 +01:00 · 2023-12-03 16:57:50 +01:00 · e5bf878cb3
parent b625818eeb
commit e5bf878cb3
5 changed files with 20 additions and 53 deletions
--- a/config/default.nix
+++ b/config/default.nix
@ -171,6 +171,11 @@
      gnome-initial-setup.enable = false;
    };

+    grafana.oauth = {
+      adminGroup = "grafana-admins";
+      userGroup = "grafana-users";
+    };
+
    hedgedoc.ldap.userGroup = "hedgedoc-users";

    home-assistant.ldap.userGroup = "home-assistant-users";
@ -223,11 +228,6 @@
      ldapPreset = true;
      # those can't be under hosts/*/default.nix because those are not imported for the auth microvm
      seedSettings.groups = [
-        {
-          long_name = "Grafana Administrators";
-          name = "grafana-admins";
-          permissions = {};
-        }
        {
          long_name = "Mobilizon Users";
          name = "mobilizon-users";
--- a/flake.lock
+++ b/flake.lock
@ -362,11 +362,11 @@
    },
    "nixos": {
      "locked": {
-        "lastModified": 1701088943,
-        "narHash": "sha256-x+wLGp8jAq8ObK6uN9TOJXgoaG2N+SSRhiG5GBnBMyM=",
+        "lastModified": 1701458931,
+        "narHash": "sha256-MGeSJCSMgCh29lFJg837Z5JbpF+mKEDwHBYYfQ3xwtU=",
        "owner": "SuperSandro2000",
        "repo": "nixpkgs",
-        "rev": "730ac6127efc0144ea067e86a90b56a5c61d7f26",
+        "rev": "562cbe0a293d73460fe974472dfb6e0a47393780",
        "type": "github"
      },
      "original": {
@ -398,11 +398,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1701034292,
-        "narHash": "sha256-Z9dI1ZGgPqs5HGL/dskfUOZ3wZJq/BNurVPw17nhAbs=",
+        "lastModified": 1701643093,
+        "narHash": "sha256-cJves2E255uJHoQLxdwB/Ipd718IYohE2HRBBse3Q9w=",
        "owner": "SuperSandro2000",
        "repo": "nixos-modules",
-        "rev": "99d25ca193cc4d2bfcfe4b3747c793e398f12a50",
+        "rev": "bfc7e254acbf9ab43658893e367f3944811f9685",
        "type": "github"
      },
      "original": {
--- a/hosts/auth/default.nix
+++ b/hosts/auth/default.nix
@ -18,8 +18,6 @@
      paths = [ "/var/lib/portunus/" ];
    };

-    dex.settings.oauth2.skipApprovalScreen = true;
-
    nginx = {
      enable = true;
      virtualHosts."auth.c3d2.de" = {
--- a/hosts/grafana/default.nix
+++ b/hosts/grafana/default.nix
@ -24,6 +24,13 @@

    grafana = {
      enable = true;
+      configureNginx = true;
+      oauth = {
+        enable = true;
+        adminGroup = "grafana-admins";
+        enableViewerRole = true;
+        userGroup = "grafana-users";
+      };

      provision = {
        enable = true;
@ -50,24 +57,7 @@
          enabled = true;
          org_name = "Chaos";
        };
-        "auth.generic_oauth" = {
-          enabled = true;
-          allow_assign_grafana_admin = true;
-          allow_sign_up = true;
-          api_url = "https://auth.c3d2.de/dex/userinfo";
-          auth_url = "https://auth.c3d2.de/dex/auth";
-          client_id = "grafana";
-          client_secret = "$__file{${config.sops.secrets."grafana/client-secret".path}}";
-          disable_login_form = true; # only allow OAuth
-          icon = "signin";
-          name = "auth.c3d2.de";
-          oauth_allow_insecure_email_lookup = true;
-          oauth_auto_login = true; # redirect automatically to the only oauth provider
-          role_attribute_path = "contains(groups[*], 'grafana-admins') && 'Admin'";
-          # https://dexidp.io/docs/custom-scopes-claims-clients/
-          scopes = "openid email groups profile offline_access";
-          token_url = "https://auth.c3d2.de/dex/token";
-        };
+        "auth.generic_oauth".client_secret = "$__file{${config.sops.secrets."grafana/client-secret".path}}";
        security = {
          admin_password = "$__file{${config.sops.secrets."grafana/admin-password".path}}";
          secret_key = "$__file{${config.sops.secrets."grafana/secret-key".path}}";
@ -102,17 +92,10 @@
    nginx = {
      enable = true;
      virtualHosts = {
-        "grafana.hq.c3d2.de" = {
+        "${config.services.grafana.settings.server.domain}" = {
          default = true;
          enableACME = true;
          forceSSL = true;
-          locations = {
-            "/".proxyPass = "http://localhost:3000/";
-            "/api/live/ws" = {
-              proxyPass = "http://localhost:3000/";
-              proxyWebsockets = true;
-            };
-          };
        };
      };
    };
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -17,20 +17,6 @@ with final; {

  ceph_17_2 = assert (lib.versions.majorMinor ceph.version) == "17.2"; prev.ceph;

-  dex-oidc = prev.dex-oidc.override {
-    buildGoModule = args: buildGoModule (args // {
-      patches = args.patches or [ ] ++ [
-        # remember session
-        (fetchpatch {
-          url = "https://github.com/dexidp/dex/commit/000004b13b876e04a6f75ec0394f7cabe84fb15e.patch";
-          hash = "sha256-u85RnwfhcQt7RK11Ed/fDLUbHOuD+TKJU8UHQslZowM=";
-        })
-      ];
-
-      vendorHash = "sha256-hxq7JPz8uD5WQIPO2anSf9+kzyoQy/BQ0OVTblA8qts=";
-    });
-  };
-
  dump1090-influxdb = callPackage ./dump1090-influxdb { };

  dump1090_rs = callPackage ./dump1090_rs.nix { };