From ff620d9d22073fafba93ea267a91b926ef323b3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Wed, 8 Jan 2025 11:50:21 +0100
Subject: [PATCH 1/3] Try and enable oauth on grafana

---
 services/grafana/default.nix                  | 31 +++++++++++++++----
 .../grafana/secrets/grafana-oauth_secret.age |  1 +
 2 files changed, 26 insertions(+), 6 deletions(-)
 create mode 100644 services/grafana/secrets/grafana-oauth_secret.age

diff --git a/services/grafana/default.nix b/services/grafana/default.nix
index 20439a6..a59afb8 100644
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
@@ -19,11 +19,17 @@ in
     };
   };
   config = lib.mkIf cfg.enable {
-    age.secrets.grafana-db = {
-      file = ./secrets/grafana-db.age;
-      owner = "grafana";
+    age.secrets ={
+      grafana-db = {
+        file = ./secrets/grafana-db.age;
+        owner = "grafana";
+      };
+      grafana-oauth_secret = {
+        file = ./secrets/grafana-oauth_secret.age;
+        owner = "grafana";
+      };
+      kuma-token.file = ./secrets/kuma-token.age;
     };
-    age.secrets.kuma-token.file = ./secrets/kuma-token.age;
     services.rsyslogd = {
       enable = true;
       extraConfig = ''
@@ -37,10 +43,10 @@ in
         module(load="imtcp")
         input(type="imtcp" port="514" ruleset="remote")
       '';
-      };
+    };
     services.influxdb2 = {
       enable = true;
-      };
+    };
     services.grafana = {
       enable = true;
       settings = {
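Review bot: The first added line, `age.secrets ={`, drops the space before the brace that every other attribute set in this hunk has; `age.secrets = {` matches the rest of the file. Merging the three secret declarations into one set is otherwise a reasonable tidy-up. The `config = lib.mkIf cfg.enable {` block this hunk opens continues past the hunk.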
@@ -59,6 +65,19 @@ in
         user = "grafana";
         password = "\$__file{${config.age.secrets.grafana-db.path}}";
       };
+      "auth.generic_oauth" = {
+        enabled = true;
+        name = "authentik";
+        allow_sign_up = true;
+        client_id = "WYrvCg9SYRPxHFZ7ag4oxlPRBNFUSC5M4uPZQMIqi";
+        client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}";
+        scopes = [ "openid" "email" "profile" ];
+        auth_url = "https://auth.omero-fbi.fr/application/o/authorize/";
+        token_url = "https://auth.omero-fbi.fr/application/o/token/";
+        api_url = "https://auth.omero-fbi.fr/application/o/userinfo/";
+        role_attribute_path = "contains(groups, 'project_admins') && 'Admin' || contains(groups, 'project_agent') && 'Editor' || 'Viewer';role_attribute_strict = false";
+        allow_assign_grafana_admin = true;
+      };
     };
   };
   services.prometheus = {
diff --git a/services/grafana/secrets/grafana-oauth_secret.age b/services/grafana/secrets/grafana-oauth_secret.age
new file mode 100644
index 0000000..25e5f6b
--- /dev/null
+++ b/services/grafana/secrets/grafana-oauth_secret.age
@@ -0,0 +1 @@
+S0VJw2OdQPMPNaKwoIS86tm8sGyTOZzauK7h6AhNfeYJiLUtVJgOcIhydxHtBqVPwNE2WagYHEaDjGnS2sJjWMzZNbm1ZjOuorYYRQhpR0w33lAfu4bsU9Lof2JjSvtP

From 3d34252867445268c2726f4444fb1689cc24ca9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Wed, 8 Jan 2025 11:54:10 +0100
Subject: [PATCH 2/3] Comment template config to avoie flake check error

---
 flake.nix | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/flake.nix b/flake.nix
index 089d94b..095c125 100644
--- a/flake.nix
+++ b/flake.nix
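Review bot: In the added `role_attribute_path` line the text `;role_attribute_strict = false` sits inside the string literal, so Grafana receives it as the tail of the JMESPath expression and `role_attribute_strict` is never set at all. It should be a separate attribute: `role_attribute_path = "contains(groups, 'project_admins') && 'Admin' || contains(groups, 'project_agent') && 'Editor' || 'Viewer';` followed by `role_attribute_strict = false;`. Whether Grafana tolerates the stray text when evaluating the expression or fails the role lookup I cannot confirm from here, but either way the setting is silently lost. The same glued string is carried into the rewrite of this block in patch 3/3 (the `@@ -66,17 +66,17 @@` hunk of services/grafana/default.nix). The enclosing `settings` set starts before this hunk.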
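Review bot: The new `grafana-oauth_secret.age` is a single 128-character value with no age header or armor, so as committed here it looks like the raw OAuth client secret rather than an agenix-encrypted file. Patch 3/3 replaces it with `-----BEGIN AGE ENCRYPTED FILE-----` content and also changes `client_id`, which suggests a fresh provider was created, but the value from this commit stays in git history; unless that secret has already been revoked at the IdP it should be treated as exposed and rotated. A pre-commit check that every `*.age` file begins with an age header would have caught this before it was pushed.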
@@ -84,16 +84,16 @@
         }
       ];
     };
-    template = nixpkgs.lib.nixosSystem {
-      inherit system;
-      modules = [
-        agenix.nixosModules.default
-        "${inputs.self}/systems/minimalVMConfig.nix"
-        {
-          networking.hostName = "nixos";
-        }
-      ];
-    };
+#    template = nixpkgs.lib.nixosSystem {
+#      inherit system;
+#      modules = [
+#        agenix.nixosModules.default
+#        "${inputs.self}/systems/minimalVMConfig.nix"
+#        {
+#          networking.hostName = "nixos";
+#        }
+#      ];
+#    };
     jellyfin = nixpkgs.lib.nixosSystem {
       inherit system;
       modules = [

From d039cc313130d564c9b001580c9dac00c02bb604 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Wed, 8 Jan 2025 12:57:14 +0100
Subject: [PATCH 3/3] Functioning OAuth for grafana

---
 secrets.nix                                   |  1 +
 services/grafana/default.nix                  | 20 +++++++++----------
 .../grafana/secrets/grafana-oauth_secret.age | 14 ++++++++++++-
 services/nginx/default.nix                    |  2 +-
 4 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/secrets.nix b/secrets.nix
index 50c0927..26b78f3 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -11,6 +11,7 @@ in {
   "secrets/initialPassword.age".publicKeys = users ++ systems;
   "services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ];
+  "services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [ tbarnouin grafana ];
   "services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ];
   "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [ tbarnouin onlyoffice ];
   "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [ tbarnouin onlyoffice ];
diff --git a/services/grafana/default.nix b/services/grafana/default.nix
index a59afb8..4afd0f1 100644
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
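Review bot: The ten commented-out lines that replace `template = nixpkgs.lib.nixosSystem { … }` carry no explanation in the file, and the commit message only says a flake check error is avoided, not which one. Either delete the block outright (git history keeps it) or precede it with a one-line note such as `# template: disabled - it currently fails nix flake check (see 3d34252)`, so a later reader can tell whether this is temporary and what would let it come back. The attribute set holding these configurations starts and ends outside the hunk.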
@@ -66,17 +66,17 @@ in
         password = "\$__file{${config.age.secrets.grafana-db.path}}";
       };
       "auth.generic_oauth" = {
-        enabled = true;
-        name = "authentik";
-        allow_sign_up = true;
-        client_id = "WYrvCg9SYRPxHFZ7ag4oxlPRBNFUSC5M4uPZQMIqi";
+        enabled = "true";
+        name = "authentik";
+        allow_sign_up = "true";
+        client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
         client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}";
-        scopes = [ "openid" "email" "profile" ];
-        auth_url = "https://auth.omero-fbi.fr/application/o/authorize/";
-        token_url = "https://auth.omero-fbi.fr/application/o/token/";
-        api_url = "https://auth.omero-fbi.fr/application/o/userinfo/";
-        role_attribute_path = "contains(groups, 'project_admins') && 'Admin' || contains(groups, 'project_agent') && 'Editor' || 'Viewer';role_attribute_strict = false";
-        allow_assign_grafana_admin = true;
+        scopes = "openid email profile";
+        auth_url = "https://authentik.le43.eu/application/o/authorize/";
+        token_url = "https://authentik.le43.eu/application/o/token/";
+        api_url = "https://authentik.le43.eu/application/o/userinfo/";
+        role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false";
+        allow_assign_grafana_admin = "true";
       };
     };
   };
diff --git a/services/grafana/secrets/grafana-oauth_secret.age b/services/grafana/secrets/grafana-oauth_secret.age
index 25e5f6b..1d606ce 100644
--- a/services/grafana/secrets/grafana-oauth_secret.age
+++ b/services/grafana/secrets/grafana-oauth_secret.age
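Review bot: The new `role_attribute_path` tests `contains(groups, 'admin')` in both branches, so `'Editor'` can never be reached: every authenticated user is either Admin or, through the trailing `|| 'Viewer'`, a Viewer. Together with `allow_sign_up = "true"` that means any authentik account able to reach this application gets a Grafana Viewer login, which may be intended but is worth stating in a comment. If an Editor tier is wanted the second branch needs its own group, e.g. `contains(groups, '<editor-group>') && 'Editor'` (placeholder name), and if only mapped groups should be allowed in, `role_attribute_strict = true;` has to be an attribute of its own rather than text inside the `role_attribute_path` string as it is here. As far as I know `allow_assign_grafana_admin` only matters when the expression yields `'GrafanaAdmin'`, which this one never does, so that line is currently inert and could be dropped or documented. The enclosing `settings` set starts before the hunk.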
@@ -1 +1,13 @@
-S0VJw2OdQPMPNaKwoIS86tm8sGyTOZzauK7h6AhNfeYJiLUtVJgOcIhydxHtBqVPwNE2WagYHEaDjGnS2sJjWMzZNbm1ZjOuorYYRQhpR0w33lAfu4bsU9Lof2JjSvtP
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBtMm9n
+VGJyeEdFckZjWHNybm94b2crSE0wclE1QlRXZkVGMVk4U1hMdFJBCnhQL3FSdW9l
+cUdNNThIdDVwQkxZWEQ2ZXZuekpKcWxQNy9jZlVoTVArZEkKLT4gc3NoLWVkMjU1
+MTkgd25FVXB3IEtwTmV3ckQybkd3L3R0TFp0a2JMTzNiMmdyNkNyVkdHUkQyd0Fm
+cGkxamMKeGNCSmF6TCtkVXZ5WG5Cd1F6WmkxWjlRZ0FCZ0p1NklPcmw1bFJ6dFNv
+ZwotPiAoLWdyZWFzZSAzfUpGL0QgOEtFWXdwCnJCNTFoeTQzUVJlejRUakRqREVy
+WS8zTmh3aUptcE56RDBqMld3NXNKZwotLS0gRnlBdEc1cVZOeDFQblAwOVN1MDUx
+Yko2UEJ6UE14Z3haUW5XWjJzNFVodwrg7eJ6dnbIAjvsz/XoktAot7G1+u1UJsAE
+QkLEtM7DpcFEvESO3JOhuIO/l6qoWjDuksh7yNhdLv2uOKa7ZpM5Q0DGFnRke3Qk
+RU2E2UU4w30cmAXFm75NT2T9Po0R182Px25gV7fvfNHMHmONFJZRqNxS2IUDS20W
+hDqk+ea9mnYNG1icpmYPj56OpKt+mqrf6kSFuU+R6zwIcoKpMR2wCA==
+-----END AGE ENCRYPTED FILE-----
diff --git a/services/nginx/default.nix b/services/nginx/default.nix
index 9095fcf..f637385 100644
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
@@ -61,7 +61,7 @@ in
       # Enable CSP for your services.
       #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-      add_header Content-Security-Policy "frame-ancestors self cloud.le43.eu office.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";
+      add_header Content-Security-Policy "frame-ancestors self *.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";
       # Minimize information leaked to other domains