diff --git a/flake.nix b/flake.nix index 109b785..e66cefc 100644 --- a/flake.nix +++ b/flake.nix @@ -209,6 +209,7 @@ sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age; borgbackup-password.file = ./secrets/fwminex/borgbackup-password.age; + grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age; photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age; syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age; syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age; diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix index 4c15ce9..43f7da3 100644 --- a/hosts/fwminex/configuration.nix +++ b/hosts/fwminex/configuration.nix @@ -131,6 +131,7 @@ in } ]; }; + }; mj = { @@ -155,6 +156,12 @@ in sshguard.enable = false; gitea.enable = true; + grafana = { + enable = true; + port = myData.ports.grafana; + oidcSecretFile = config.age.secrets.grafana-oidc.path; + }; + tailscale = { enable = true; verboseLogs = false; diff --git a/modules/services/default.nix b/modules/services/default.nix index 4d35b5f..ec3d45a 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -7,6 +7,7 @@ ./deployerbot ./friendlyport ./gitea + ./grafana ./hass ./headscale ./jakstpub diff --git a/modules/services/grafana/default.nix b/modules/services/grafana/default.nix new file mode 100644 index 0000000..fd75565 --- /dev/null +++ b/modules/services/grafana/default.nix @@ -0,0 +1,70 @@ +{ config, lib, ... }: +let + cfg = config.mj.services.grafana; +in +{ + options.mj.services.grafana = with lib.types; { + enable = lib.mkEnableOption "enable grafana"; + port = lib.mkOption { type = port; }; + oidcSecretFile = lib.mkOption { type = str; }; + }; + + config = lib.mkIf cfg.enable { + services.grafana = { + enable = true; + provision = { + enable = true; + datasources.settings = { + apiVersion = 1; + datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + access = "proxy"; + url = "http://127.0.0.1:${toString config.services.prometheus.port}"; + isDefault = true; + jsonData.timeInterval = "10s"; + } + ]; + }; + }; + settings = { + paths.logs = "/var/log/grafana"; + server = { + domain = "grafana.jakstys.lt"; + root_url = "http://grafana.jakstys.lt"; + enable_gzip = true; + http_addr = "0.0.0.0"; + http_port = cfg.port; + }; + users.auto_assign_org = true; + users.auto_assign_org_role = "Editor"; + + # https://github.com/grafana/grafana/issues/70203#issuecomment-1612823390 + auth.oauth_allow_insecure_email_lookup = true; + + "auth.generic_oauth" = { + enabled = true; + auto_login = true; + client_id = "5349c113-467d-4b95-a61b-264f2d844da8"; + client_secret = "$__file{/run/grafana/oidc-secret}"; + auth_url = "https://git.jakstys.lt/login/oauth/authorize"; + api_url = "https://git.jakstys.lt/login/oauth/userinfo"; + token_url = "https://git.jakstys.lt/login/oauth/access_token"; + }; + feature_toggles.accessTokenExpirationCheck = true; + }; + }; + + systemd.services.grafana = { + preStart = "ln -sf $CREDENTIALS_DIRECTORY/oidc /run/grafana/oidc-secret"; + serviceConfig = { + LogsDirectory = "grafana"; + RuntimeDirectory = "grafana"; + LoadCredential = [ "oidc:${cfg.oidcSecretFile}" ]; + }; + }; + + }; + +} diff --git a/secrets.nix b/secrets.nix index e894d67..713a735 100644 --- a/secrets.nix +++ b/secrets.nix @@ -32,7 +32,6 @@ in { } // mk ([ vno1-oh2 ] ++ motiejus) [ "secrets/vno1-oh2/borgbackup/password.age" - "secrets/grafana.jakstys.lt/oidc.age" "secrets/letsencrypt/account.key.age" "secrets/vaultwarden/secrets.env.age" @@ -57,7 +56,7 @@ in vno1-oh2 ] ++ motiejus -) [ ] +) [ "secrets/grafana.jakstys.lt/oidc.age" ] // mk ([ fwminex ] ++ motiejus) [ "secrets/motiejus_server_passwd_hash.age" "secrets/root_server_passwd_hash.age" diff --git a/secrets/grafana.jakstys.lt/oidc.age b/secrets/grafana.jakstys.lt/oidc.age index c37eeea..bf0d87a 100644 Binary files a/secrets/grafana.jakstys.lt/oidc.age and b/secrets/grafana.jakstys.lt/oidc.age differ