tristan/nix
1
0
Fork 0
Code Projects Releases Packages Activity
nix/nixos/services/grafana.nix
Tristan 8e30de4995 grafana sso
2024-02-18 15:54:14 +00:00

39 lines
1.4 KiB
Nix
Raw Blame History

{config, ...}: let
cfg = config.services.grafana;
secrets = config.age.secrets;
in {
age.secrets.grafana_oidc_client_secret = {
file = ../../secrets/grafana/oidc/client_secret.age;
owner = "grafana";
};
services.grafana = {
enable = true;
settings = {
server = {
root_url = "https://${cfg.settings.server.domain}";
};
"auth.generic_oauth" = {
enabled = true;
name = "authentik";
client_id = "TNMLGFxpovO0jPptxD0nYmjnuytXd1MphjFS20uE";
client_secret = "$__file{${secrets.grafana_oidc_client_secret.path}}";
scopes = toString ["openid" "profile" "email"];
auth_url = "https://auth.tristans.cloud/application/o/authorize/";
token_url = "https://auth.tristans.cloud/application/o/token/";
api_url = "https://auth.tristans.cloud/application/o/userinfo/";
redirect_url = "https://auth.tristans.cloud/application/o/grafana/end-session/";
role_attribute_path =
"contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
};
};
};
services.nginx.virtualHosts = {
${cfg.settings.server.domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString cfg.settings.server.http_port}";
};
};
};
}
View git blame Copy permalink