grafana: remove oidc too
This commit is contained in:
@@ -18,7 +18,6 @@ in
|
|||||||
root-server-passwd-hash.file = ../../secrets/root_server_passwd_hash.age;
|
root-server-passwd-hash.file = ../../secrets/root_server_passwd_hash.age;
|
||||||
sasl-passwd.file = ../../secrets/postfix_sasl_passwd.age;
|
sasl-passwd.file = ../../secrets/postfix_sasl_passwd.age;
|
||||||
borgbackup-password.file = ../../secrets/fwminex/borgbackup-password.age;
|
borgbackup-password.file = ../../secrets/fwminex/borgbackup-password.age;
|
||||||
grafana-oidc.file = ../../secrets/grafana.jakstys.lt/oidc.age;
|
|
||||||
letsencrypt-account-key.file = ../../secrets/letsencrypt/account.key.age;
|
letsencrypt-account-key.file = ../../secrets/letsencrypt/account.key.age;
|
||||||
vaultwarden-secrets-env.file = ../../secrets/vaultwarden/secrets.env.age;
|
vaultwarden-secrets-env.file = ../../secrets/vaultwarden/secrets.env.age;
|
||||||
synapse-jakstys-signing-key.file = ../../secrets/synapse/jakstys_lt_signing_key.age;
|
synapse-jakstys-signing-key.file = ../../secrets/synapse/jakstys_lt_signing_key.age;
|
||||||
@@ -473,7 +472,6 @@ in
|
|||||||
grafana = {
|
grafana = {
|
||||||
enable = true;
|
enable = true;
|
||||||
port = myData.ports.grafana;
|
port = myData.ports.grafana;
|
||||||
oidcSecretFile = config.age.secrets.grafana-oidc.path;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
tailscale = {
|
tailscale = {
|
||||||
|
|||||||
@@ -11,7 +11,6 @@ in
|
|||||||
options.mj.services.grafana = with lib.types; {
|
options.mj.services.grafana = with lib.types; {
|
||||||
enable = lib.mkEnableOption "enable grafana";
|
enable = lib.mkEnableOption "enable grafana";
|
||||||
port = lib.mkOption { type = port; };
|
port = lib.mkOption { type = port; };
|
||||||
oidcSecretFile = lib.mkOption { type = str; };
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
@@ -47,33 +46,10 @@ in
|
|||||||
http_port = cfg.port;
|
http_port = cfg.port;
|
||||||
};
|
};
|
||||||
users.auto_assign_org = true;
|
users.auto_assign_org = true;
|
||||||
users.auto_assign_org_role = "Editor";
|
|
||||||
|
|
||||||
# https://github.com/grafana/grafana/issues/70203#issuecomment-1612823390
|
|
||||||
auth.oauth_allow_insecure_email_lookup = true;
|
|
||||||
|
|
||||||
"auth.generic_oauth" = {
|
|
||||||
enabled = true;
|
|
||||||
auto_login = true;
|
|
||||||
client_id = "5349c113-467d-4b95-a61b-264f2d844da8";
|
|
||||||
client_secret = "$__file{/run/grafana/oidc-secret}";
|
|
||||||
auth_url = "https://git.jakstys.lt/login/oauth/authorize";
|
|
||||||
api_url = "https://git.jakstys.lt/login/oauth/userinfo";
|
|
||||||
token_url = "https://git.jakstys.lt/login/oauth/access_token";
|
|
||||||
};
|
|
||||||
feature_toggles.accessTokenExpirationCheck = true;
|
feature_toggles.accessTokenExpirationCheck = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.grafana = {
|
|
||||||
preStart = "ln -sf $CREDENTIALS_DIRECTORY/oidc /run/grafana/oidc-secret";
|
|
||||||
serviceConfig = {
|
|
||||||
LogsDirectory = "grafana";
|
|
||||||
RuntimeDirectory = "grafana";
|
|
||||||
LoadCredential = [ "oidc:${cfg.oidcSecretFile}" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
mj.services.friendlyport.ports = [
|
mj.services.friendlyport.ports = [
|
||||||
{
|
{
|
||||||
subnets = [ myData.subnets.tailscale.cidr ];
|
subnets = [ myData.subnets.tailscale.cidr ];
|
||||||
|
|||||||
@@ -58,8 +58,6 @@ in
|
|||||||
"secrets/root_server_passwd_hash.age"
|
"secrets/root_server_passwd_hash.age"
|
||||||
]
|
]
|
||||||
// mk ([ fwminex ] ++ motiejus) [
|
// mk ([ fwminex ] ++ motiejus) [
|
||||||
"secrets/headscale/oidc_client_secret2.age"
|
|
||||||
"secrets/grafana.jakstys.lt/oidc.age"
|
|
||||||
"secrets/vaultwarden/secrets.env.age"
|
"secrets/vaultwarden/secrets.env.age"
|
||||||
"secrets/letsencrypt/account.key.age"
|
"secrets/letsencrypt/account.key.age"
|
||||||
|
|
||||||
|
|||||||
Binary file not shown.
Reference in New Issue
Block a user