{
config,
lib,
myData,
...
}:
let
cfg = config.mj.services.grafana;
in
{
options.mj.services.grafana = with lib.types; {
enable = lib.mkEnableOption "enable grafana";
port = lib.mkOption { type = port; };
oidcSecretFile = lib.mkOption { type = str; };
};
config = lib.mkIf cfg.enable {
services.grafana = {
enable = true;
provision = {
enable = true;
datasources.settings = {
apiVersion = 1;
datasources = [
{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true;
jsonData.timeInterval = "10s";
}
];
};
};
settings = {
paths.logs = "/var/log/grafana";
smtp = {
enabled = true;
from_address = "noreply@jakstys.lt";
};
server = {
domain = "grafana.jakstys.lt";
root_url = "https://grafana.jakstys.lt";
enable_gzip = true;
http_addr = "0.0.0.0";
http_port = cfg.port;
};
users.auto_assign_org = true;
users.auto_assign_org_role = "Editor";
# https://github.com/grafana/grafana/issues/70203#issuecomment-1612823390
auth.oauth_allow_insecure_email_lookup = true;
"auth.generic_oauth" = {
enabled = true;
auto_login = true;
client_id = "5349c113-467d-4b95-a61b-264f2d844da8";
client_secret = "$__file{/run/grafana/oidc-secret}";
auth_url = "https://git.jakstys.lt/login/oauth/authorize";
api_url = "https://git.jakstys.lt/login/oauth/userinfo";
token_url = "https://git.jakstys.lt/login/oauth/access_token";
};
feature_toggles.accessTokenExpirationCheck = true;
};
};
systemd.services.grafana = {
preStart = "ln -sf $CREDENTIALS_DIRECTORY/oidc /run/grafana/oidc-secret";
serviceConfig = {
LogsDirectory = "grafana";
RuntimeDirectory = "grafana";
LoadCredential = [ "oidc:${cfg.oidcSecretFile}" ];
};
};
mj.services.friendlyport.ports = [
{
subnets = [ myData.subnets.tailscale.cidr ];
tcp = [ cfg.port ];
}
];
};
}