From e5bf878cb3e3db32dd5d6607ca1dbf28065fe58d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 3 Dec 2023 16:57:50 +0100 Subject: [PATCH] grafana: move to nixos-modules --- config/default.nix | 10 +++++----- flake.lock | 12 ++++++------ hosts/auth/default.nix | 2 -- hosts/grafana/default.nix | 35 +++++++++-------------------------- overlays/default.nix | 14 -------------- 5 files changed, 20 insertions(+), 53 deletions(-) diff --git a/config/default.nix b/config/default.nix index e124c935..ea9586cb 100644 --- a/config/default.nix +++ b/config/default.nix @@ -171,6 +171,11 @@ gnome-initial-setup.enable = false; }; + grafana.oauth = { + adminGroup = "grafana-admins"; + userGroup = "grafana-users"; + }; + hedgedoc.ldap.userGroup = "hedgedoc-users"; home-assistant.ldap.userGroup = "home-assistant-users"; @@ -223,11 +228,6 @@ ldapPreset = true; # those can't be under hosts/*/default.nix because those are not imported for the auth microvm seedSettings.groups = [ - { - long_name = "Grafana Administrators"; - name = "grafana-admins"; - permissions = {}; - } { long_name = "Mobilizon Users"; name = "mobilizon-users"; diff --git a/flake.lock b/flake.lock index e68bab49..1cc217f1 100644 --- a/flake.lock +++ b/flake.lock @@ -362,11 +362,11 @@ }, "nixos": { "locked": { - "lastModified": 1701088943, - "narHash": "sha256-x+wLGp8jAq8ObK6uN9TOJXgoaG2N+SSRhiG5GBnBMyM=", + "lastModified": 1701458931, + "narHash": "sha256-MGeSJCSMgCh29lFJg837Z5JbpF+mKEDwHBYYfQ3xwtU=", "owner": "SuperSandro2000", "repo": "nixpkgs", - "rev": "730ac6127efc0144ea067e86a90b56a5c61d7f26", + "rev": "562cbe0a293d73460fe974472dfb6e0a47393780", "type": "github" }, "original": { 
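Review bot: The new `grafana.oauth.userGroup = "grafana-users";` in the `@@ -171` hunk references a group that nothing in this patch creates, while the only seed touched is the `grafana-admins` entry deleted from `seedSettings.groups` further down. If the nixos-modules `grafana.oauth` option now seeds both groups into Portunus (which the removal of the admin seed suggests but the diff does not show), a comment would spare the next reader the lookup, e.g. `# grafana-admins / grafana-users are seeded into Portunus by the nixos-modules grafana.oauth module`; if it does not, `grafana-users` must be added to `seedSettings.groups` or no account will ever match the viewer mapping. The same two group names are declared again in hosts/grafana/default.nix, so a pointer to which copy is authoritative would also help since the two can drift silently.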
@@ -398,11 +398,11 @@ ] }, "locked": { - "lastModified": 1701034292, - "narHash": "sha256-Z9dI1ZGgPqs5HGL/dskfUOZ3wZJq/BNurVPw17nhAbs=", + "lastModified": 1701643093, + "narHash": "sha256-cJves2E255uJHoQLxdwB/Ipd718IYohE2HRBBse3Q9w=", "owner": "SuperSandro2000", "repo": "nixos-modules", - "rev": "99d25ca193cc4d2bfcfe4b3747c793e398f12a50", + "rev": "bfc7e254acbf9ab43658893e367f3944811f9685", "type": "github" }, "original": { diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix index 00c4287c..787b228f 100644 --- a/hosts/auth/default.nix +++ b/hosts/auth/default.nix @@ -18,8 +18,6 @@ paths = [ "/var/lib/portunus/" ]; }; - dex.settings.oauth2.skipApprovalScreen = true; - nginx = { enable = true; virtualHosts."auth.c3d2.de" = { diff --git a/hosts/grafana/default.nix b/hosts/grafana/default.nix index 057d1171..81395da2 100644 --- a/hosts/grafana/default.nix +++ b/hosts/grafana/default.nix @@ -24,6 +24,13 @@ grafana = { enable = true; + configureNginx = true; + oauth = { + enable = true; + adminGroup = "grafana-admins"; + enableViewerRole = true; + userGroup = "grafana-users"; + }; provision = { enable = true; 
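Review bot: The `oauth = { ... }` block added after `enable = true;` in the `@@ -24,6 +24,13` hunk stands in for explicit `auth.generic_oauth` settings that included `disable_login_form = true`, `allow_assign_grafana_admin = true` and `oauth_allow_insecure_email_lookup = true`, and the four new options do not show what becomes of them. Confirm against the rendered grafana.ini that the module still disables the password login form (otherwise the `admin_password` login path is reachable again on a public vhost) and that it does not carry over `oauth_allow_insecure_email_lookup`, which links Grafana accounts by an email address the IdP may not have verified and should stay off unless existing accounts depend on it. A comment such as `# login form, admin assignment and role mapping are set by the nixos-modules grafana.oauth module` next to `oauth = {` would record where these settings now live. The enclosing `grafana = {` attribute set continues past the end of the hunk.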
@@ -50,24 +57,7 @@
 enabled = true;
 org_name = "Chaos";
 };
- "auth.generic_oauth" = {
- enabled = true;
- allow_assign_grafana_admin = true;
- allow_sign_up = true;
- api_url = "https://auth.c3d2.de/dex/userinfo";
- auth_url = "https://auth.c3d2.de/dex/auth";
- client_id = "grafana";
- client_secret = "$__file{${config.sops.secrets."grafana/client-secret".path}}";
- disable_login_form = true; # only allow OAuth
- icon = "signin";
- name = "auth.c3d2.de";
- oauth_allow_insecure_email_lookup = true;
- oauth_auto_login = true; # redirect automatically to the only oauth provider
- role_attribute_path = "contains(groups[*], 'grafana-admins') && 'Admin'";
- # https://dexidp.io/docs/custom-scopes-claims-clients/
- scopes = "openid email groups profile offline_access";
- token_url = "https://auth.c3d2.de/dex/token";
- };
+ "auth.generic_oauth".client_secret = "$__file{${config.sops.secrets."grafana/client-secret".path}}";
 security = {
 admin_password = "$__file{${config.sops.secrets."grafana/admin-password".path}}";
 secret_key = "$__file{${config.sops.secrets."grafana/secret-key".path}}";
@@ -102,17 +92,10 @@
 nginx = {
 enable = true;
 virtualHosts = {
- "grafana.hq.c3d2.de" = {
+ "${config.services.grafana.settings.server.domain}" = {
 default = true;
 enableACME = true;
 forceSSL = true;
- locations = {
- "/".proxyPass = "http://localhost:3000/";
- "/api/live/ws" = {
- proxyPass = "http://localhost:3000/";
- proxyWebsockets = true;
- };
- };
 };
 };
 };
diff --git a/overlays/default.nix b/overlays/default.nix
index 217556ef..7dbd3ec5 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
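Review bot: Dropping `role_attribute_path = "contains(groups[*], 'grafana-admins') && 'Admin'"` together with `allow_sign_up = true` changes who can log in, and the single surviving `"auth.generic_oauth".client_secret` line gives no hint of the new mapping. Under the old settings every dex user who could authenticate fell back to Viewer, because `role_attribute_strict` was never set; with `userGroup = "grafana-users"` the intent now looks like group-gated access, so verify in the rendered grafana.ini that the module sets `role_attribute_strict = true` (or denies users outside the group some other way) and that `allow_sign_up` is still the value you want, otherwise any authenticated dex account still gets a Viewer session. It is also worth confirming that `client_secret` ends up in the merged `auth.generic_oauth` section as the `$__file{}` reference and is not shadowed by a module default. The enclosing `settings` attribute set continues outside the hunk.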
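Review bot: The vhost is now keyed by `config.services.grafana.settings.server.domain`, which the NixOS module defaults to `localhost`; this only reproduces the previous `grafana.hq.c3d2.de` host (and a usable ACME certificate) if `settings.server.domain` is set elsewhere in this file, which the hunk does not show. With `locations` removed, the `/api/live/ws` websocket upgrade has to come from `configureNginx` as well; confirm the module sets `proxyWebsockets = true` for that path or Grafana Live will fail behind nginx. A short comment such as `# proxy locations (incl. the /api/live/ws websocket) are added by services.grafana.configureNginx` above `default = true;` would make that dependency explicit. The enclosing `nginx` attribute set is fully contained in the hunk.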
@@ -17,20 +17,6 @@ with final; { ceph_17_2 = assert (lib.versions.majorMinor ceph.version) == "17.2"; prev.ceph; - dex-oidc = prev.dex-oidc.override { - buildGoModule = args: buildGoModule (args // { - patches = args.patches or [ ] ++ [ - # remember session - (fetchpatch { - url = "https://github.com/dexidp/dex/commit/000004b13b876e04a6f75ec0394f7cabe84fb15e.patch"; - hash = "sha256-u85RnwfhcQt7RK11Ed/fDLUbHOuD+TKJU8UHQslZowM="; - }) - ]; - - vendorHash = "sha256-hxq7JPz8uD5WQIPO2anSf9+kzyoQy/BQ0OVTblA8qts="; - }); - }; - dump1090-influxdb = callPackage ./dump1090-influxdb { }; dump1090_rs = callPackage ./dump1090_rs.nix { };