authorSeth Flynn <[email protected]>2025-02-14 23:55:18 -0500
committerSeth Flynn <[email protected]>2025-02-15 01:18:39 -0500
commitc651506fe6ccfe88309bf6b7050cc43ec62de0e7 (patch)
tree93370d645221abe01363cc2080386a94a3556403 /modules/nixos/mixins/grafana.nix
parent3a0933447bc9b5d44e13a12a845c0d70662a92a5 (diff)
nixos: add grafana + prom/vm mixins
Diffstat (limited to 'modules/nixos/mixins/grafana.nix')
-rw-r--r--modules/nixos/mixins/grafana.nix68
1 files changed, 68 insertions, 0 deletions
diff --git a/modules/nixos/mixins/grafana.nix b/modules/nixos/mixins/grafana.nix
new file mode 100644
index 0000000..3385107
--- /dev/null
+++ b/modules/nixos/mixins/grafana.nix
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+
+{
+ config = lib.mkMerge [
+ {
+ services.grafana = {
+ settings = {
+ analytics = {
+ feedback_links_enabled = false;
+ reporting_enabled = false;
+ };
+
+ "auth.anonymous".enable = true;
+
+ server = {
+ http_port = 6000;
+
+ domain = lib.mkDefault ("grafana." + config.networking.domain);
+ enable_gzip = true;
+ enforce_domain = true;
+ root_url = "https://" + config.services.grafana.settings.server.domain + "/";
+ };
+ };
+ };
+ }
+
+ (lib.mkIf config.services.kanidm.enableServer {
+ services.grafana = {
+ settings = {
+ "auth.basic".enabled = false;
+
+ "auth.generic_oauth" = {
+ enabled = true;
+
+ name = "Kanidm";
+ client_id = "grafana";
+ client_secret = "$__file{${config.age.secrets.grafanaKanidm.path}}";
+ scopes = "openid,profile,email,groups";
+ auth_url = config.services.kanidm.serverSettings.origin + "/ui/oauth2";
+ token_url = config.services.kanidm.serverSettings.origin + "/oauth2/token";
+ api_url = config.services.kanidm.serverSettings.origin + "/oauth2/openid/grafana/userinfo";
+ use_pkce = true;
+ use_refresh_token = true;
+
+ allow_assign_grafana_admin = true;
+ allow_sign_up = true;
+ groups_attribute_path = "groups";
+ login_attribute_path = "preferred_username";
+ role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'";
+ };
+ };
+ };
+ })
+
+ (lib.mkIf (config.services.grafana.enable && config.services.kanidm.enableServer) {
+ age.secrets.grafanaKanidm = {
+ file = secretsDir + "/grafanaKanidmSecret.age";
+ owner = config.users.users.grafana.name;
+ group = config.users.groups.grafana.name;
+ };
+ })
+ ];
+}
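Review bot: In the first merged attrset, `"auth.anonymous".enable = true;` uses a key Grafana does not read. The ini key is `enabled`, as the `"auth.basic".enabled` line further down spells it, so this line most likely has no effect. If anonymous access is intended, write `"auth.anonymous".enabled = true;` and add a comment saying that unauthenticated visitors then get the anonymous org role on the enforced public domain, including when the Kanidm login is active; if it is not intended, drop the line. In the OAuth block, `role_attribute_path` falls back to `'Viewer'` and `allow_sign_up` is on, so every Kanidm account that can authorize the `grafana` client is provisioned. Because `allow_assign_grafana_admin` lets the `grafana_role` claim grant server admin, a comment naming where that claim is defined (not visible in this file) would help, and `role_attribute_strict = true;` is worth considering in place of the Viewer fallback.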