nixos-modules/modules/grafana.nix

{ config, lib, libS, ... }:

let
  cfg = config.services.grafana;
in
{
  options = {
    services.grafana = {
      configureNginx = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = lib.mdDoc "Wether to configure Nginx.";
      };

      oauth = {
        enable = lib.mkEnableOption (lib.mdDoc ''login only via OAuth2'');
        enableViewerRole = lib.mkOption {
          type = lib.types.bool;
          default = false;
          description = lib.mdDoc "Wether to enable the fallback Viewer role when users do not have the user- or adminGroup.";
        };
        adminGroup = libS.ldap.mkUserGroupOption;
        userGroup = libS.ldap.mkUserGroupOption;
      };

      recommendedDefaults = libS.mkOpinionatedOption "set recommended and secure default settings";
    };
  };

  config = {
    # the default values are hardcoded instead of using options. because I couldn't figure out how to extract them from the freeform type
    assertions = lib.mkIf cfg.enable [
      {
        assertion = cfg.oauth.enable -> cfg.settings."auth.generic_oauth".client_secret != null;
        message = ''
          Setting services.grafana.oauth.enable to true requires to set services.grafana.settings."auth.generic_oauth".client_secret.
          Use this `$__file{/path/to/some/secret}` syntax to reference secrets securely.
        '';
      }
      {
        assertion = cfg.settings.security.secret_key != "SW2YcwTIb9zpOOhoPsMm";
        message = "services.grafana.settings.security.secret_key must be changed from it's insecure, default value!";
      }
      {
        assertion = cfg.settings.security.admin_password != "admin";
        message = "services.grafana.settings.security.admin_password must be changed from it's insecure, default value!";
      }
    ];

    services.grafana.settings = lib.mkMerge [
      (lib.mkIf (cfg.enable && cfg.recommendedDefaults) (libS.modules.mkRecursiveDefault {
        # no analytics, sorry, not sorry
        analytics = {
          feedback_links_enabled = false;
          reporting_enabled = false;
        };
        log.level = "warn";
        security = {
          cookie_secure = true;
          content_security_policy = true;
          strict_transport_security = true;
        };
        server = {
          enable_gzip = true;
          root_url = "https://${cfg.settings.server.domain}";
        };
      }))

      (lib.mkIf (cfg.enable && cfg.oauth.enable) {
        "auth.generic_oauth" = let
          inherit (config.services.dex.settings) issuer;
        in {
          enabled = true;
          allow_assign_grafana_admin = true; # required for grafana-admins
          allow_sign_up = true; # otherwise no new users can be created
          api_url = "${issuer}/userinfo";
          auth_url = "${issuer}/auth";
          client_id = "grafana";
          disable_login_form = true; # only allow OAuth
          icon = "signin";
          name = config.services.portunus.domain;
          oauth_allow_insecure_email_lookup = true; # otherwise updating the mail in ldap will break login
          oauth_auto_login = true; # redirect automatically to the only oauth provider
          use_refresh_token = true;
          role_attribute_path = "contains(groups[*], 'grafana-admins') && 'Admin' || contains(info.roles[*], 'grafana-user') && 'Editor'"
            + lib.optionalString cfg.oauth.enableViewerRole "|| 'Viewer'";
          role_attribute_strict = true;
          # https://dexidp.io/docs/custom-scopes-claims-clients/
          scopes = "openid email groups profile offline_access";
          token_url = "${issuer}/token";
        };
        server.protocol = "socket";
      })
    ];
  };

  config.services.nginx = lib.mkIf (cfg.enable && cfg.configureNginx) {
    upstreams.grafana.servers."unix:${cfg.settings.server.socket}" = { };
    virtualHosts = {
      "${cfg.settings.server.domain}".locations = {
        "/".proxyPass = "http://grafana";
        "/api/live/ws" = {
          proxyPass = "http://grafana";
          proxyWebsockets = true;
        };
      };
    };
  };

  config.services.portunus = {
    dex = lib.mkIf cfg.oauth.enable {
      enable = true;
      oidcClients = [{
        callbackURL = "https://${cfg.settings.server.domain}/login/generic_oauth";
        id = "grafana";
      }];
    };
    seedSettings.groups = lib.optional (cfg.oauth.adminGroup != null) {
      long_name = "Grafana Administrators";
      name = cfg.oauth.adminGroup;
      permissions = { };
    } ++ lib.optional (cfg.oauth.userGroup != null) {
      long_name = "Grafana Users";
      name = cfg.oauth.userGroup;
      permissions = { };
    };
  };
}
grafana: fix assertion 2023-06-28 14:46:52 +02:00			`{ config, lib, libS, ... }:`
Add grafana 2022-12-23 05:53:53 +01:00
			`let`
			`cfg = config.services.grafana;`
			`in`
			`{`
Add lib.mkOpinionatedOption and use it 2023-01-03 02:05:36 +01:00			`options = {`
grafana: add oauth 2023-12-03 21:46:41 +01:00			`services.grafana = {`
grafana: add configureNginx 2023-12-03 21:59:40 +01:00			`configureNginx = lib.mkOption {`
			`type = lib.types.bool;`
			`default = false;`
			`description = lib.mdDoc "Wether to configure Nginx.";`
			`};`

grafana: add oauth 2023-12-03 21:46:41 +01:00			`oauth = {`
			`enable = lib.mkEnableOption (lib.mdDoc ''login only via OAuth2'');`
			`enableViewerRole = lib.mkOption {`
			`type = lib.types.bool;`
grafana: disable viewer role by default, turn on socket 2023-12-03 22:27:30 +01:00			`default = false;`
grafana: add oauth 2023-12-03 21:46:41 +01:00			`description = lib.mdDoc "Wether to enable the fallback Viewer role when users do not have the user- or adminGroup.";`
			`};`
			`adminGroup = libS.ldap.mkUserGroupOption;`
			`userGroup = libS.ldap.mkUserGroupOption;`
			`};`

			`recommendedDefaults = libS.mkOpinionatedOption "set recommended and secure default settings";`
			`};`
Add grafana 2022-12-23 05:53:53 +01:00			`};`

grafana: add oauth 2023-12-03 21:46:41 +01:00			`config = {`
grafana: also assert that admin_password is changed 2023-06-28 15:00:24 +02:00			`# the default values are hardcoded instead of using options. because I couldn't figure out how to extract them from the freeform type`
grafana: add oauth 2023-12-03 21:46:41 +01:00			`assertions = lib.mkIf cfg.enable [`
			`{`
			`assertion = cfg.oauth.enable -> cfg.settings."auth.generic_oauth".client_secret != null;`
			`message = ''`
Improve assertion texts 2023-12-05 02:52:08 +01:00			`Setting services.grafana.oauth.enable to true requires to set services.grafana.settings."auth.generic_oauth".client_secret.`
			Use this `$__file{/path/to/some/secret}` syntax to reference secrets securely.
grafana: add oauth 2023-12-03 21:46:41 +01:00			`'';`
			`}`
grafana: error if default secret is used 2023-06-28 13:40:11 +02:00			`{`
grafana: fix condition 2023-06-28 14:51:48 +02:00			`assertion = cfg.settings.security.secret_key != "SW2YcwTIb9zpOOhoPsMm";`
grafana: also assert that admin_password is changed 2023-06-28 15:00:24 +02:00			`message = "services.grafana.settings.security.secret_key must be changed from it's insecure, default value!";`
			`}`
			`{`
			`assertion = cfg.settings.security.admin_password != "admin";`
			`message = "services.grafana.settings.security.admin_password must be changed from it's insecure, default value!";`
grafana: error if default secret is used 2023-06-28 13:40:11 +02:00			`}`
			`];`

grafana: add oauth 2023-12-03 21:46:41 +01:00			`services.grafana.settings = lib.mkMerge [`
			`(lib.mkIf (cfg.enable && cfg.recommendedDefaults) (libS.modules.mkRecursiveDefault {`
			`# no analytics, sorry, not sorry`
			`analytics = {`
			`feedback_links_enabled = false;`
			`reporting_enabled = false;`
			`};`
grafana: make logging quieter 2023-12-03 23:19:10 +01:00			`log.level = "warn";`
grafana: add oauth 2023-12-03 21:46:41 +01:00			`security = {`
			`cookie_secure = true;`
			`content_security_policy = true;`
			`strict_transport_security = true;`
			`};`
			`server = {`
			`enable_gzip = true;`
			`root_url = "https://${cfg.settings.server.domain}";`
			`};`
			`}))`

			`(lib.mkIf (cfg.enable && cfg.oauth.enable) {`
			`"auth.generic_oauth" = let`
grafana: cleanup 2023-12-05 02:52:23 +01:00			`inherit (config.services.dex.settings) issuer;`
grafana: add oauth 2023-12-03 21:46:41 +01:00			`in {`
			`enabled = true;`
			`allow_assign_grafana_admin = true; # required for grafana-admins`
			`allow_sign_up = true; # otherwise no new users can be created`
grafana: cleanup 2023-12-05 02:52:23 +01:00			`api_url = "${issuer}/userinfo";`
			`auth_url = "${issuer}/auth";`
grafana: add oauth 2023-12-03 21:46:41 +01:00			`client_id = "grafana";`
			`disable_login_form = true; # only allow OAuth`
			`icon = "signin";`
grafana: cleanup 2023-12-05 02:52:23 +01:00			`name = config.services.portunus.domain;`
grafana: activate refresh tokens 2023-12-03 23:19:20 +01:00			`oauth_allow_insecure_email_lookup = true; # otherwise updating the mail in ldap will break login`
grafana: add oauth 2023-12-03 21:46:41 +01:00			`oauth_auto_login = true; # redirect automatically to the only oauth provider`
grafana: activate refresh tokens 2023-12-03 23:19:20 +01:00			`use_refresh_token = true;`
grafana: add oauth 2023-12-03 21:46:41 +01:00			`role_attribute_path = "contains(groups[], 'grafana-admins') && 'Admin' \|\| contains(info.roles[], 'grafana-user') && 'Editor'"`
			`+ lib.optionalString cfg.oauth.enableViewerRole "\|\| 'Viewer'";`
			`role_attribute_strict = true;`
			`# https://dexidp.io/docs/custom-scopes-claims-clients/`
			`scopes = "openid email groups profile offline_access";`
grafana: cleanup 2023-12-05 02:52:23 +01:00			`token_url = "${issuer}/token";`
grafana: add oauth 2023-12-03 21:46:41 +01:00			`};`
grafana: disable viewer role by default, turn on socket 2023-12-03 22:27:30 +01:00			`server.protocol = "socket";`
grafana: add oauth 2023-12-03 21:46:41 +01:00			`})`
			`];`
			`};`

grafana: add configureNginx 2023-12-03 21:59:40 +01:00			`config.services.nginx = lib.mkIf (cfg.enable && cfg.configureNginx) {`
Asserted formatting fixes 2024-01-08 14:47:38 +01:00			`upstreams.grafana.servers."unix:${cfg.settings.server.socket}" = { };`
grafana: add configureNginx 2023-12-03 21:59:40 +01:00			`virtualHosts = {`
			`"${cfg.settings.server.domain}".locations = {`
			`"/".proxyPass = "http://grafana";`
			`"/api/live/ws" = {`
			`proxyPass = "http://grafana";`
			`proxyWebsockets = true;`
			`};`
			`};`
			`};`
			`};`

grafana: add oauth 2023-12-03 21:46:41 +01:00			`config.services.portunus = {`
			`dex = lib.mkIf cfg.oauth.enable {`
			`enable = true;`
			`oidcClients = [{`
			`callbackURL = "https://${cfg.settings.server.domain}/login/generic_oauth";`
			`id = "grafana";`
			`}];`
			`};`
			`seedSettings.groups = lib.optional (cfg.oauth.adminGroup != null) {`
			`long_name = "Grafana Administrators";`
grafana: add configureNginx 2023-12-03 21:59:40 +01:00			`name = cfg.oauth.adminGroup;`
grafana: add oauth 2023-12-03 21:46:41 +01:00			`permissions = { };`
			`} ++ lib.optional (cfg.oauth.userGroup != null) {`
			`long_name = "Grafana Users";`
grafana: add configureNginx 2023-12-03 21:59:40 +01:00			`name = cfg.oauth.userGroup;`
grafana: add oauth 2023-12-03 21:46:41 +01:00			`permissions = { };`
			`};`
Add grafana 2022-12-23 05:53:53 +01:00			`};`
			`}`