Functioning OAuth for grafana

secrets.nix

@@ -11,6 +11,7 @@ in
 {
   "secrets/initialPassword.age".publicKeys = users ++ systems;
   "services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ];
+  "services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [ tbarnouin grafana ];
   "services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ];
   "services/onlyoffice/secrets/office-dbpass.age".publicKeys  = [ tbarnouin onlyoffice ];
   "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [ tbarnouin onlyoffice ];

services/grafana/default.nix

@@ -66,17 +66,17 @@ in
           password = "\$__file{${config.age.secrets.grafana-db.path}}";
         };
         "auth.generic_oauth" = {
-          enabled = true;
+          enabled       = "true";
           name          = "authentik";
-          allow_sign_up = true;
+          allow_sign_up = "true";
-          client_id = "WYrvCg9SYRPxHFZ7ag4oxlPRBNFUSC5M4uPZQMIqi";
+          client_id     = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
           client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}";
-          scopes = [ "openid" "email" "profile" ];
+          scopes        = "openid email profile";
-          auth_url = "https://auth.omero-fbi.fr/application/o/authorize/";
+          auth_url      = "https://authentik.le43.eu/application/o/authorize/";
-          token_url = "https://auth.omero-fbi.fr/application/o/token/";
+          token_url     = "https://authentik.le43.eu/application/o/token/";
-          api_url = "https://auth.omero-fbi.fr/application/o/userinfo/";
+          api_url       = "https://authentik.le43.eu/application/o/userinfo/";
-          role_attribute_path = "contains(groups, 'project_admins') && 'Admin' || contains(groups, 'project_agent') && 'Editor' || 'Viewer';role_attribute_strict = false";
+          role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false";
-          allow_assign_grafana_admin = true;
+          allow_assign_grafana_admin = "true";
         };
       };
     };

services/grafana/secrets/grafana-oauth_secret.age

@@ -1 +1,13 @@
-S0VJw2OdQPMPNaKwoIS86tm8sGyTOZzauK7h6AhNfeYJiLUtVJgOcIhydxHtBqVPwNE2WagYHEaDjGnS2sJjWMzZNbm1ZjOuorYYRQhpR0w33lAfu4bsU9Lof2JjSvtP
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBtMm9n
+VGJyeEdFckZjWHNybm94b2crSE0wclE1QlRXZkVGMVk4U1hMdFJBCnhQL3FSdW9l
+cUdNNThIdDVwQkxZWEQ2ZXZuekpKcWxQNy9jZlVoTVArZEkKLT4gc3NoLWVkMjU1
+MTkgd25FVXB3IEtwTmV3ckQybkd3L3R0TFp0a2JMTzNiMmdyNkNyVkdHUkQyd0Fm
+cGkxamMKeGNCSmF6TCtkVXZ5WG5Cd1F6WmkxWjlRZ0FCZ0p1NklPcmw1bFJ6dFNv
+ZwotPiAoLWdyZWFzZSAzfUpGL0QgOEtFWXdwCnJCNTFoeTQzUVJlejRUakRqREVy
+WS8zTmh3aUptcE56RDBqMld3NXNKZwotLS0gRnlBdEc1cVZOeDFQblAwOVN1MDUx
+Yko2UEJ6UE14Z3haUW5XWjJzNFVodwrg7eJ6dnbIAjvsz/XoktAot7G1+u1UJsAE
+QkLEtM7DpcFEvESO3JOhuIO/l6qoWjDuksh7yNhdLv2uOKa7ZpM5Q0DGFnRke3Qk
+RU2E2UU4w30cmAXFm75NT2T9Po0R182Px25gV7fvfNHMHmONFJZRqNxS2IUDS20W
+hDqk+ea9mnYNG1icpmYPj56OpKt+mqrf6kSFuU+R6zwIcoKpMR2wCA==
+-----END AGE ENCRYPTED FILE-----

services/nginx/default.nix

@@ -61,7 +61,7 @@ in
 
           # Enable CSP for your services.
           #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-          add_header Content-Security-Policy "frame-ancestors self cloud.le43.eu office.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";
+          add_header Content-Security-Policy "frame-ancestors self *.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";
 
 
           # Minimize information leaked to other domains