From 283e10b9b58465ec1e45f08800ae1bb29ae341c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Sat, 3 Aug 2024 05:57:15 +0300
Subject: [PATCH] fwminex: +grafana
---
 flake.nix | 1 +
 hosts/fwminex/configuration.nix | 7 +++
 modules/services/default.nix | 1 +
 modules/services/grafana/default.nix | 70 +++++++++++++++++++++++++++
 secrets.nix | 3 +-
 secrets/grafana.jakstys.lt/oidc.age | Bin 680 -> 791 bytes
 6 files changed, 80 insertions(+), 2 deletions(-)
 create mode 100644 modules/services/grafana/default.nix
diff --git a/flake.nix b/flake.nix
index 109b785..e66cefc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -209,6 +209,7 @@
 sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
 headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
 borgbackup-password.file = ./secrets/fwminex/borgbackup-password.age;
+ grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
 photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age;
 syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
 syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;
diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix
index 4c15ce9..43f7da3 100644
--- a/hosts/fwminex/configuration.nix
+++ b/hosts/fwminex/configuration.nix
@@ -131,6 +131,7 @@ in
 }
 ];
 };
+
 };
 
 mj = {
@@ -155,6 +156,12 @@ in
 sshguard.enable = false;
 gitea.enable = true;
 
+ grafana = {
+ enable = true;
+ port = myData.ports.grafana;
+ oidcSecretFile = config.age.secrets.grafana-oidc.path;
+ };
+
 tailscale = {
 enable = true;
 verboseLogs = false;
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 4d35b5f..ec3d45a 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -7,6 +7,7 @@
 ./deployerbot
 ./friendlyport
 ./gitea
+ ./grafana
 ./hass
 ./headscale
 ./jakstpub
diff --git a/modules/services/grafana/default.nix b/modules/services/grafana/default.nix
new file mode 100644
index 0000000..fd75565
--- /dev/null
+++ b/modules/services/grafana/default.nix
@@ -0,0 +1,70 @@
+{ config, lib, ... }:
+let
+ cfg = config.mj.services.grafana;
+in
+{
+ options.mj.services.grafana = with lib.types; {
+ enable = lib.mkEnableOption "enable grafana";
+ port = lib.mkOption { type = port; };
+ oidcSecretFile = lib.mkOption { type = str; };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.grafana = {
+ enable = true;
+ provision = {
+ enable = true;
+ datasources.settings = {
+ apiVersion = 1;
+ datasources = [
+ {
+ name = "Prometheus";
+ type = "prometheus";
+ access = "proxy";
+ url = "http://127.0.0.1:${toString config.services.prometheus.port}";
+ isDefault = true;
+ jsonData.timeInterval = "10s";
+ }
+ ];
+ };
+ };
+ settings = {
+ paths.logs = "/var/log/grafana";
+ server = {
+ domain = "grafana.jakstys.lt";
+ root_url = "http://grafana.jakstys.lt";
+ enable_gzip = true;
+ http_addr = "0.0.0.0";
+ http_port = cfg.port;
+ };
+ users.auto_assign_org = true;
+ users.auto_assign_org_role = "Editor";
+
+ # https://github.com/grafana/grafana/issues/70203#issuecomment-1612823390
+ auth.oauth_allow_insecure_email_lookup = true;
+
+ "auth.generic_oauth" = {
+ enabled = true;
+ auto_login = true;
+ client_id = "5349c113-467d-4b95-a61b-264f2d844da8";
+ client_secret = "$__file{/run/grafana/oidc-secret}";
+ auth_url = "https://git.jakstys.lt/login/oauth/authorize";
+ api_url = "https://git.jakstys.lt/login/oauth/userinfo";
+ token_url = "https://git.jakstys.lt/login/oauth/access_token";
+ };
+ feature_toggles.accessTokenExpirationCheck = true;
+ };
+ };
+
+ systemd.services.grafana = {
+ preStart = "ln -sf $CREDENTIALS_DIRECTORY/oidc /run/grafana/oidc-secret";
+ serviceConfig = {
+ LogsDirectory = "grafana";
+ RuntimeDirectory = "grafana";
+ LoadCredential = [ "oidc:${cfg.oidcSecretFile}" ];
+ };
+ };
+
+ };
+
+}
diff --git a/secrets.nix b/secrets.nix
index e894d67..713a735 100644
--- a/secrets.nix
+++ b/secrets.nix
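Review bot: `root_url = "http://grafana.jakstys.lt"` combined with `http_addr = "0.0.0.0"` in the new `server` block makes Grafana build its OAuth redirect URI from a plain-http origin and listen on every interface, so the authorization code returned by git.jakstys.lt and the Grafana session cookie cross the network unencrypted unless a TLS-terminating proxy that this patch does not show sits in front; if such a proxy exists, use `root_url = "https://grafana.jakstys.lt";` plus `security.cookie_secure = true;`, otherwise narrow `http_addr` to a loopback or tailnet address. With `auto_login = true` and `users.auto_assign_org_role = "Editor"` and no `allowed_domains`, `allowed_groups` or `role_attribute_path` under `"auth.generic_oauth"`, every account the Gitea IdP will authenticate lands in the org as Editor, which is only acceptable if that IdP has no self-registration (not visible here); `role_attribute_strict = true` with a `role_attribute_path` would make the grant explicit. The `auth.oauth_allow_insecure_email_lookup = true` line carries only an issue link, and since the setting lets an OAuth login be matched to an existing Grafana user by e-mail alone, a one-line comment such as `# matches OAuth logins to existing users by e-mail only; revisit once the linked issue is resolved` would tell the next reader what is being relaxed.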
@@ -32,7 +32,6 @@ in { } // mk ([ vno1-oh2 ] ++ motiejus) [ "secrets/vno1-oh2/borgbackup/password.age" - "secrets/grafana.jakstys.lt/oidc.age" "secrets/letsencrypt/account.key.age" "secrets/vaultwarden/secrets.env.age" @@ -57,7 +56,7 @@ in vno1-oh2 ] ++ motiejus -) [ ] +) [ "secrets/grafana.jakstys.lt/oidc.age" ] // mk ([ fwminex ] ++ motiejus) [ "secrets/motiejus_server_passwd_hash.age" "secrets/root_server_passwd_hash.age" diff --git a/secrets/grafana.jakstys.lt/oidc.age b/secrets/grafana.jakstys.lt/oidc.age index c37eeea28dd8b2503cb456b783e133d713f779a7..bf0d87a87e6db4c328e494ead8b378243cb94b70 100644 GIT binary patch literal 791 zcmZ9}yNlZf0LSrA=;G3;Bo_iL&XOU*k*$}dKtd#04@;JrF)hPxuO3+hYoFrgBuF%(xJ2zlF}Qx9Hq?#O2}XE;rsioe7EOr*2R9i3$x9g ztnk5l(COXpmSxa$9SB7SMAyr;6-IW=l4uP(R5cnlpp0Ee)OtH^Ail*Y2I5(9goecg zEdrX6I_MG@ZloqJ^PQ`UC?}VZLFO~K5uvoyn1X6T87T8Oo>=c|zEJRr-?fXKF$Fmy zpL?t+3YF_&mgDVsg|SgP9gGAaOd1|1Lwek?>S%B0x+(1Kp(G8WIWC4AuaK^fiQ=p% zcVl#!sCyumr8nB*Z5D~kYDQ@6tkGBI7$LlI9mDM?pNl%dsX?mOuALBYV-2JZ4&r8o z5RA&r!TACu8p$F3MKZOZX#h63Psk0gqXJxn_&Wl@JNl>(BGri5$jiV%OasuT=q#;= z(^_d=4NBIuP2|V`>CA0;(!vwSEnBB*q*Z`nNxiP~g>M;#lQa`5rX}C)=gH+_+pz9! zAr$KZdx!&@E(u3VU6PQYTn&{z87(*tru>n>kDO#HQq$Ga1$g z4Js`6rWO%#?TAA%bGP&u*qNhv6PYQ@Ue^3?Mbq4Y$u8M%JZ4oX65Z-$0K3>$Tc%1S zC_!9%`8cP}z;w71Em38GTBFzfCFW##O3Kp-ykX06=w?Su-1+K4UouPkX_aXHP%=ZUXmt@(zH#}H0ej0w`sejO`0@KlQ(IbG;tEa z6C4~IbWwD25oZMj9Zn|)5fvN`Zc|)E-1JUC`~?p@hHd37e;lP~ISu@aL1crN#PXMN zi-nW7%mPi5T+Wsvv18}fUJ}(I)Dqf+oo>|_6jNU}IzzRcY(R>i^l2(-x|5hC2+W(t zOka(f@_fnHENG+lz;QggmxWXe@EP!BFe)>WNv@SWt^XGqJL^!%L?c1-t zG7{Ar5j`9i_%2PbQsS;%YEMAZIFAZ6lf%Es;GrZrQ$bvE}e%_byZ!KF6D)>7opHE`iX4Cg)34OI05W6XrW*=|`th_#q>HR1P-tdS zVL#<%N}DIM#Kl{oMmusV9WV{mgjhbG&j~!Ewqs#r*3l>pb)I9FN(S4LH9Hnb&sk+? z5_*x*P2>R6_Z|B2@yX%K+0%W*stk@Cy|)D)Njur~JDZzdKi$3hV!!?P!-F&6!p^z( z=iiCH&c0b3CtrRWeK{4sy7ln&+wI$1!_U`FSf_71Z~yGxJaF>+_OmMokKO+b5+djw