configure grafana oidc

client id: 5349c113-467d-4b95-a61b-264f2d844da8
2023-08-14 15:30:01 +03:00 · 2023-08-14 15:30:01 +03:00 · c8caae7d99
commit c8caae7d99
parent 5a7a32f1e0
4 changed files with 35 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -90,6 +90,7 @@

            age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
            age.secrets.borgbackup-password.file = ./secrets/vno1-oh2/borgbackup/password.age;
+            age.secrets.grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
            age.secrets.letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age;
          }
        ];
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@ -157,6 +157,16 @@
          http_addr = "0.0.0.0";
          http_port = myData.ports.grafana;
        };
+        auth.oauth_allow_insecure_email_lookup = true;
+        "auth.generic_oauth" = {
+          enabled = true;
+          client_id = "5349c113-467d-4b95-a61b-264f2d844da8";
+          client_secret = "$__file{/run/grafana/oidc-secret}";
+          auth_url = "https://git.jakstys.lt/login/oauth/authorize";
+          api_url = "https://git.jakstys.lt/login/oauth/userinfo";
+          token_url = "https://git.jakstys.lt/login/oauth/access_token";
+        };
+        feature_toggles.accessTokenExpirationCheck = true;
      };
    };

@ -215,6 +225,14 @@
      wants = ["nsd-acme-grafana.jakstys.lt.service"];
    };

+    grafana = {
+      preStart = "ln -sf $CREDENTIALS_DIRECTORY/oidc /run/grafana/oidc-secret";
+      serviceConfig = {
+        RuntimeDirectory = "grafana";
+        LoadCredential = ["oidc:${config.age.secrets.grafana-oidc.path}"];
+      };
+    };
+
    cert-watcher = {
      description = "Restart caddy when tls keys/certs change";
      wantedBy = ["multi-user.target"];
--- a/secrets.nix
+++ b/secrets.nix
@ -29,6 +29,7 @@ in
  // mk ([vno1-oh2] ++ motiejus) [
    "secrets/hel1-a/zfs-passphrase.age"
    "secrets/vno1-oh2/borgbackup/password.age"
+    "secrets/grafana.jakstys.lt/oidc.age"
    "secrets/letsencrypt/account.key.age"
  ]
  // mk (systems ++ motiejus) [
--- a/secrets/grafana.jakstys.lt/oidc.age
+++ b/secrets/grafana.jakstys.lt/oidc.age
@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 gJrHQg ej79kBVT2fAw7UssjrWr2PzaHZTg/Kz4zszS2Otod0M
+e6gkJMB9/ew3MVCtaeDqo71e/HGJCCGxqLw6PLCeHfE
+-> X25519 B4CDnVnaOb9EZ5BT5Td8HSpO7doIqFxPaOyt2ySzFQs
+U85oEdx/nw9Z4Ojrx78qmGFo4QMk6qSdLxPf6kj1NDE
+-> piv-p256 +y2G/w AnlTfEux0XOjf37KUuizAWymOID0N6VlMAQbREYPFgv6
+l7aJCDjdDK6Nf5o7laLK8BfhQLt3UkQS8pX/OysaHZI
+-> piv-p256 jNqd3A A2I3noVPaw/0g22jIM/VCIHo5vl9JbAMfbi3KHsgS+UE
+xiANL8jrJqUor9n3WZhJSzJ6fH/FMg+PXJpM3y4U3Jc
+-> Y%SI-grease
+DSiy2TEGnnDeJaLuvKDGN8nJz7D57vgJSpmy269chWlCiYH3IGvI5HGdshPt30Ih
+kDzqtPQU/cLrsBHyTRmuQ7Mn0jdp6l/lVKWwHHCArun/+Y+ormDXTEneLoTaUI3f
+dkg
+--- fn/9LJm/9+imjk782wITmMC1nTE76VR94qdvV1gpbZw
+Ë$<24>J1?òaöl—6/CÑžÊJŠÙþ¶K¡¹Èx§À¦ÁàÔÿ„áè¶}L~6™~<7E>§æc1Š4Ÿ‰6MÓªÑiÙÑÁ2%úF!	á,Úšô¼R£šÛ