Functioning OAuth for grafana

Comment template config to avoie flake check error
Try and enable oauth on grafana
2025-01-08 12:57:14 +01:00 · 2025-01-08 11:54:10 +01:00 · 2025-01-08 11:50:21 +01:00
5 changed files with 50 additions and 17 deletions
--- a/flake.nix
+++ b/flake.nix
@ -84,16 +84,16 @@
            }
          ];
        };
-        template = nixpkgs.lib.nixosSystem {
-          inherit system;
-          modules = [
-            agenix.nixosModules.default
-            "${inputs.self}/systems/minimalVMConfig.nix"
-            {
-              networking.hostName = "nixos";
-            }
-          ];
-        };
+#        template = nixpkgs.lib.nixosSystem {
+#          inherit system;
+#          modules = [
+#            agenix.nixosModules.default
+#            "${inputs.self}/systems/minimalVMConfig.nix"
+#            {
+#              networking.hostName = "nixos";
+#            }
+#          ];
+#        };
        jellyfin = nixpkgs.lib.nixosSystem {
          inherit system;
          modules = [
--- a/secrets.nix
+++ b/secrets.nix
@ -11,6 +11,7 @@ in
 {
  "secrets/initialPassword.age".publicKeys = users ++ systems;
  "services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ];
+  "services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [ tbarnouin grafana ];
  "services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ];
  "services/onlyoffice/secrets/office-dbpass.age".publicKeys  = [ tbarnouin onlyoffice ];
  "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [ tbarnouin onlyoffice ];
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
@ -19,11 +19,17 @@ in
    };
  };
  config = lib.mkIf cfg.enable {
-    age.secrets.grafana-db = {
-      file  = ./secrets/grafana-db.age;
-      owner = "grafana";
+    age.secrets ={
+      grafana-db = {
+        file  = ./secrets/grafana-db.age;
+        owner = "grafana";
+      };
+      grafana-oauth_secret = {
+        file  = ./secrets/grafana-oauth_secret.age;
+        owner = "grafana";
+      };
+      kuma-token.file  = ./secrets/kuma-token.age;
    };
-    age.secrets.kuma-token.file  = ./secrets/kuma-token.age;
    services.rsyslogd = {
      enable = true;
      extraConfig = ''
@ -37,10 +43,10 @@ in
        module(load="imtcp")
        input(type="imtcp" port="514" ruleset="remote")
      '';
-    };  
+    };
    services.influxdb2 = {
      enable = true;
-    };  
+    };
    services.grafana = {
      enable = true;
      settings = {
@ -59,6 +65,19 @@ in
          user     = "grafana";
          password = "\$__file{${config.age.secrets.grafana-db.path}}";
        };
+        "auth.generic_oauth" = {
+          enabled       = "true";
+          name          = "authentik";
+          allow_sign_up = "true";
+          client_id     = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
+          client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}";
+          scopes        = "openid email profile";
+          auth_url      = "https://authentik.le43.eu/application/o/authorize/";
+          token_url     = "https://authentik.le43.eu/application/o/token/";
+          api_url       = "https://authentik.le43.eu/application/o/userinfo/";
+          role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false";
+          allow_assign_grafana_admin = "true";
+        };
      };
    };
    services.prometheus = {
--- a/services/grafana/secrets/grafana-oauth_secret.age
+++ b/services/grafana/secrets/grafana-oauth_secret.age
@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBtMm9n
+VGJyeEdFckZjWHNybm94b2crSE0wclE1QlRXZkVGMVk4U1hMdFJBCnhQL3FSdW9l
+cUdNNThIdDVwQkxZWEQ2ZXZuekpKcWxQNy9jZlVoTVArZEkKLT4gc3NoLWVkMjU1
+MTkgd25FVXB3IEtwTmV3ckQybkd3L3R0TFp0a2JMTzNiMmdyNkNyVkdHUkQyd0Fm
+cGkxamMKeGNCSmF6TCtkVXZ5WG5Cd1F6WmkxWjlRZ0FCZ0p1NklPcmw1bFJ6dFNv
+ZwotPiAoLWdyZWFzZSAzfUpGL0QgOEtFWXdwCnJCNTFoeTQzUVJlejRUakRqREVy
+WS8zTmh3aUptcE56RDBqMld3NXNKZwotLS0gRnlBdEc1cVZOeDFQblAwOVN1MDUx
+Yko2UEJ6UE14Z3haUW5XWjJzNFVodwrg7eJ6dnbIAjvsz/XoktAot7G1+u1UJsAE
+QkLEtM7DpcFEvESO3JOhuIO/l6qoWjDuksh7yNhdLv2uOKa7ZpM5Q0DGFnRke3Qk
+RU2E2UU4w30cmAXFm75NT2T9Po0R182Px25gV7fvfNHMHmONFJZRqNxS2IUDS20W
+hDqk+ea9mnYNG1icpmYPj56OpKt+mqrf6kSFuU+R6zwIcoKpMR2wCA==
+-----END AGE ENCRYPTED FILE-----
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
@ -61,7 +61,7 @@ in

          # Enable CSP for your services.
          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-          add_header Content-Security-Policy "frame-ancestors self cloud.le43.eu office.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";
+          add_header Content-Security-Policy "frame-ancestors self *.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";


          # Minimize information leaked to other domains
Author	SHA1	Message	Date
Théo Barnouin	d039cc3131	Functioning OAuth for grafana All checks were successful / Build Nix targets (push) Successful in 3m30s Details	2025-01-08 12:57:14 +01:00
Théo Barnouin	3d34252867	Comment template config to avoie flake check error	2025-01-08 11:54:10 +01:00
Théo Barnouin	ff620d9d22	Try and enable oauth on grafana	2025-01-08 11:50:21 +01:00