grafana sso

flake.lock

@@ -1,5 +1,26 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1707830867,
+        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "base16": {
       "inputs": {
         "fromYaml": "fromYaml"
@@ -147,6 +168,28 @@
         "type": "github"
       }
     },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -197,6 +240,27 @@
       }
     },
     "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
@@ -217,7 +281,7 @@
         "type": "github"
       }
     },
-    "home-manager_2": {
+    "home-manager_3": {
       "inputs": {
         "nixpkgs": [
           "stylix",
@@ -241,8 +305,8 @@
     "hyprland": {
       "inputs": {
         "hyprland-protocols": "hyprland-protocols",
-        "nixpkgs": "nixpkgs",
-        "systems": "systems",
+        "nixpkgs": "nixpkgs_2",
+        "systems": "systems_2",
         "wlroots": "wlroots",
         "xdph": "xdph"
       },
@@ -309,6 +373,22 @@
       }
     },
     "nixpkgs": {
+      "locked": {
+        "lastModified": 1703013332,
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
       "locked": {
         "lastModified": 1706191920,
         "narHash": "sha256-eLihrZAPZX0R6RyM5fYAWeKVNuQPYjAkCUBr+JNvtdE=",
@@ -324,7 +404,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
+    "nixpkgs_3": {
       "locked": {
         "lastModified": 1707268954,
         "narHash": "sha256-2en1kvde3cJVc3ZnTy8QeD2oKcseLFjYPLKhIGDanQ0=",
@@ -339,7 +419,7 @@
         "type": "indirect"
       }
     },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
       "locked": {
         "lastModified": 1700856099,
         "narHash": "sha256-RnEA7iJ36Ay9jI0WwP+/y4zjEhmeN6Cjs9VOFBH7eVQ=",
@@ -357,9 +437,10 @@
     },
     "root": {
       "inputs": {
-        "home-manager": "home-manager",
+        "agenix": "agenix",
+        "home-manager": "home-manager_2",
         "hyprland": "hyprland",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
         "stable-nixpkgs": "stable-nixpkgs",
         "stylix": "stylix"
       }
@@ -392,8 +473,8 @@
         "base16-vim": "base16-vim",
         "flake-compat": "flake-compat",
         "gnome-shell": "gnome-shell",
-        "home-manager": "home-manager_2",
-        "nixpkgs": "nixpkgs_3"
+        "home-manager": "home-manager_3",
+        "nixpkgs": "nixpkgs_4"
       },
       "locked": {
         "lastModified": 1707492526,
@@ -410,6 +491,21 @@
       }
     },
     "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
       "locked": {
         "lastModified": 1689347949,
         "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",

flake.nix

@@ -10,6 +10,7 @@
     };
     stylix.url = "github:danth/stylix";
     hyprland.url = "github:hyprwm/Hyprland/v0.35.0";
+    agenix.url = "github:ryantm/agenix";
   };
 
   outputs = inputs: let

lib/mkconf.nix

@@ -5,7 +5,9 @@
   userFullname,
   ...
 }: modules: home-modules:
-with inputs;
+let
+  inherit (inputs) home-manager nixpkgs hyprland agenix;
+in
   nixpkgs.lib.nixosSystem {
     specialArgs = {inherit inputs;};
 
@@ -15,6 +17,7 @@ with inputs;
       modules
       ++ [
         home-manager.nixosModules.home-manager
+        agenix.nixosModules.default
         {
           home-manager = {
             useGlobalPkgs = true;

nixos/default.nix

@@ -110,5 +110,8 @@ in {
     "net.ipv4.ip_unprivileged_port_start" = 53;
   };
 
-  services.prometheus.exporters.node.enable = true;
+  services.prometheus.exporters.node = {
+    enable = true;
+    enabledCollectors = [ "systemd" ];
+  };
 }

nixos/services/grafana.nix

@@ -1,8 +1,31 @@
 {config, ...}: let
   cfg = config.services.grafana;
+  secrets = config.age.secrets;
 in {
+  age.secrets.grafana_oidc_client_secret = {
+    file = ../../secrets/grafana/oidc/client_secret.age;
+    owner = "grafana";
+  };
   services.grafana = {
     enable = true;
+    settings = {
+      server = {
+        root_url = "https://${cfg.settings.server.domain}";
+      };
+      "auth.generic_oauth" = {
+        enabled = true;
+        name = "authentik";
+        client_id = "TNMLGFxpovO0jPptxD0nYmjnuytXd1MphjFS20uE";
+        client_secret = "$__file{${secrets.grafana_oidc_client_secret.path}}";
+        scopes = toString ["openid" "profile" "email"];
+        auth_url = "https://auth.tristans.cloud/application/o/authorize/";
+        token_url = "https://auth.tristans.cloud/application/o/token/";
+        api_url = "https://auth.tristans.cloud/application/o/userinfo/";
+        redirect_url = "https://auth.tristans.cloud/application/o/grafana/end-session/";
+        role_attribute_path =
+          "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
+      };
+    };
   };
   services.nginx.virtualHosts = {
     ${cfg.settings.server.domain} = {

nixos/services/prometheus.nix

@@ -1,5 +1,22 @@
+{config, ...}:
+let
+  inherit ( config.services ) prometheus;
+  nodes = [
+    "100.65.29.110"
+    "100.106.241.122"
+  ];
+  addPort = ip: "${ip}:${toString prometheus.exporters.node.port}";
+in
 {
   services.prometheus = {
     enable = true;
+    scrapeConfigs = [
+      {
+        job_name = "nodes";
+        static_configs = [{
+          targets = builtins.map addPort nodes;
+        }];
+      }
+    ];
   };
 }

secrets.nix

@@ -0,0 +1,9 @@
+let
+  alpine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkVkc3JV1rEMSxDhdxIbONLQPiXi3uANign9G3ap8PR"; 
+  zenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyirMHhLksc5eLp1jL/NYLSv+2Z67mRJQdljVLWMqKs"; 
+  tristan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINl4Mbp0CwfLVuqxRdiUE66Rcj3HAw164XhI3WYGOnc6";
+  hosts = [ alpine ];
+in
+{
+  "secrets/grafana/oidc/client_secret.age".publicKeys = [alpine tristan];
+}