Use Authentik for Grafana auth
parent
1aea58945d
commit
f142ce296c
|
@ -127,12 +127,40 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
ldap = mkOption {
|
oauth = let
|
||||||
type = nullOr (submodule ldapOpts);
|
oauthOpts.options = {
|
||||||
description = "";
|
hostname = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Host of the OAuth server.";
|
||||||
|
};
|
||||||
|
|
||||||
|
client-id = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Path to file containing the Grafana OAuth client ID.";
|
||||||
|
};
|
||||||
|
|
||||||
|
client-secret = mkOption {
|
||||||
|
type = str;
|
||||||
|
description =
|
||||||
|
"Path to file containing the Grafana OAuth client secret.";
|
||||||
|
};
|
||||||
|
|
||||||
|
slug = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "The application slug on the OAuth server.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in mkOption {
|
||||||
|
type = nullOr (submodule oauthOpts);
|
||||||
default = null;
|
default = null;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# ldap = mkOption {
|
||||||
|
# type = nullOr (submodule ldapOpts);
|
||||||
|
# description = "";
|
||||||
|
# default = null;
|
||||||
|
# };
|
||||||
|
|
||||||
admin-password-file = mkOption {
|
admin-password-file = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
description = "Path to a file containing the admin user's password.";
|
description = "Path to a file containing the admin user's password.";
|
||||||
|
@ -170,14 +198,14 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
fudo.secrets.host-secrets.${hostname}.grafana-environment-file = {
|
# fudo.secrets.host-secrets.${hostname}.grafana-environment-file = {
|
||||||
source-file = pkgs.writeText "grafana.env" ''
|
# source-file = pkgs.writeText "grafana.env" ''
|
||||||
${optionalString (cfg.ldap != null)
|
# ${optionalString (cfg.ldap != null)
|
||||||
''GRAFANA_LDAP_BIND_PASSWD="${cfg.ldap.bind-passwd}"''}
|
# ''GRAFANA_LDAP_BIND_PASSWD="${cfg.ldap.bind-passwd}"''}
|
||||||
'';
|
# '';
|
||||||
target-file = "/run/metrics/grafana/auth-bind.passwd";
|
# target-file = "/run/metrics/grafana/auth-bind.passwd";
|
||||||
user = config.systemd.services.grafana.serviceConfig.User;
|
# user = config.systemd.services.grafana.serviceConfig.User;
|
||||||
};
|
# };
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
nginx = {
|
nginx = {
|
||||||
|
@ -234,42 +262,64 @@ in {
|
||||||
ssl_mode = if cfg.private-network then "disable" else "require";
|
ssl_mode = if cfg.private-network then "disable" else "require";
|
||||||
};
|
};
|
||||||
|
|
||||||
"ldap.auth" = mkIf (cfg.ldap != null) (let
|
# "ldap.auth" = mkIf (cfg.ldap != null) (let
|
||||||
base = cfg.ldap.base-dn;
|
# base = cfg.ldap.base-dn;
|
||||||
|
|
||||||
config-file = pkgs.writeText "grafana-ldap.toml" ''
|
# config-file = pkgs.writeText "grafana-ldap.toml" ''
|
||||||
[[servers]]
|
# [[servers]]
|
||||||
host = "${concatStringsSep " " cfg.ldap.hosts}"
|
# host = "${concatStringsSep " " cfg.ldap.hosts}"
|
||||||
port = 389
|
# port = 389
|
||||||
start_tls = true
|
# start_tls = true
|
||||||
|
|
||||||
bind_dn = "uid=%s,ou=members,${base}"
|
# bind_dn = "uid=%s,ou=members,${base}"
|
||||||
|
|
||||||
search_filter = "(uid=%s)"
|
# search_filter = "(uid=%s)"
|
||||||
search_base_dns = [ "ou=members,${base}" ]
|
# search_base_dns = [ "ou=members,${base}" ]
|
||||||
|
|
||||||
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
|
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
|
||||||
group_search_base_dns = ["ou=groups,${base}"]
|
# group_search_base_dns = ["ou=groups,${base}"]
|
||||||
group_search_filter_user_attribute = "uid"
|
# group_search_filter_user_attribute = "uid"
|
||||||
|
|
||||||
[[servers.group_mappings]]
|
# [[servers.group_mappings]]
|
||||||
group_dn = "cn=admin,ou=groups,${base}"
|
# group_dn = "cn=admin,ou=groups,${base}"
|
||||||
org_role = "Admin"
|
# org_role = "Admin"
|
||||||
grafana_admin = true
|
# grafana_admin = true
|
||||||
|
|
||||||
[[servers.group_mappings]]
|
# [[servers.group_mappings]]
|
||||||
group_dn = "cn=*,ou=groups,${base}"
|
# group_dn = "cn=*,ou=groups,${base}"
|
||||||
org_role = "Viewer"
|
# org_role = "Viewer"
|
||||||
'';
|
# '';
|
||||||
in {
|
# in {
|
||||||
|
# enabled = true;
|
||||||
|
# allow_sign_up = true;
|
||||||
|
# config_file = "${config-file}";
|
||||||
|
|
||||||
|
# # AUTH_LDAP_ENABLED = "true";
|
||||||
|
# # AUTH_LDAP_ALLOW_SIGN_UP = "true";
|
||||||
|
# # AUTH_LDAP_CONFIG_FILE = config-file;
|
||||||
|
# });
|
||||||
|
|
||||||
|
auth = mkIf (!isNull cfg.oauth) {
|
||||||
|
signout_redirect_url =
|
||||||
|
"https://${cfg.oauth.hostname}/application/o/${cfg.oauth.slug}/end-session/";
|
||||||
|
oauth_auto_login = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
"auth.generic_oauth" = mkIf (!isNull cfg.oauth) {
|
||||||
|
name = "Authentik";
|
||||||
enabled = true;
|
enabled = true;
|
||||||
allow_sign_up = true;
|
client_id = "$__file{${cfg.oauth.client-id}}";
|
||||||
config_file = "${config-file}";
|
client_secret = "$__file{${cfg.oauth.client-secret}}";
|
||||||
|
scopes = "openid email profile";
|
||||||
# AUTH_LDAP_ENABLED = "true";
|
auth_url = "https://${cfg.oauth.hostname}/application/o/authorize/";
|
||||||
# AUTH_LDAP_ALLOW_SIGN_UP = "true";
|
token_url = "https://${cfg.oauth.hostname}/application/o/token/";
|
||||||
# AUTH_LDAP_CONFIG_FILE = config-file;
|
api_url = "https://${cfg.oauth.hostname}/application/o/userinfo/";
|
||||||
});
|
role_attribute_path = concatStringsSep " || " [
|
||||||
|
"contains(groups[*], 'Metrics Admin') && 'Admin'"
|
||||||
|
"contains(groups[*], 'Metrics Editor') && 'Editor'"
|
||||||
|
"'Viewer'"
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
provision = {
|
provision = {
|
||||||
|
|
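Review bot: In the new `"auth.generic_oauth"` block the `role_attribute_path` expression ends in the unconditional `"'Viewer'"` alternative, so every identity that completes the Authentik flow is mapped to Viewer and, with `allow_sign_up = true`, receives a Grafana account; who may reach the dashboards is therefore decided entirely by the application's access policy in Authentik, which this module cannot enforce, so that should be stated next to the list, e.g. `# Any user Authentik admits to this application gets at least Viewer; restrict access in Authentik, not here.`. Since the flow is a browser redirect, consider adding `use_pkce = true;` next to `scopes`, which Grafana's generic_oauth provider supports and which removes the reliance on the client secret alone. Stylistically, `mkIf (!isNull cfg.oauth)` (used for both `auth` and `"auth.generic_oauth"`) should read `mkIf (cfg.oauth != null)`, matching the `cfg.ldap != null` form the file already used, because `isNull` is a deprecated builtin. The commented-out LDAP configuration kept in this hunk and in the two earlier ones is dead code that git history already preserves; deleting it would leave the module readable.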