feat: add grafana test setup with oauth2

2025-10-10 23:00:39 +02:00 · 2023-06-02 01:28:35 +02:00 · 2023-06-02 01:28:35 +02:00 · 135528e082
commit 135528e082
parent a7c1fb016b
7 changed files with 146 additions and 9 deletions
--- a/hosts/common/core/impermanence.nix
+++ b/hosts/common/core/impermanence.nix
@ -79,7 +79,7 @@
          directory = "/var/lib/cups";
          user = "root";
          group = "root";
-          mode = "0755";
+          mode = "0700";
        }
      ]
      ++ lib.optionals config.services.fail2ban.enable [
@ -95,7 +95,7 @@
          directory = "/var/lib/postgresql";
          user = "postgres";
          group = "postgres";
-          mode = "0755";
+          mode = "0700";
        }
      ]
      ++ lib.optionals config.services.gitea.enable [
@ -103,7 +103,15 @@
          directory = "/var/lib/gitea";
          user = "gitea";
          group = "gitea";
-          mode = "0755";
+          mode = "0700";
+        }
+      ]
+      ++ lib.optionals config.services.grafana.enable [
+        {
+          directory = config.services.grafana.dataDir;
+          user = "grafana";
+          group = "grafana";
+          mode = "0700";
        }
      ]
      ++ lib.optionals config.services.kanidm.enableServer [
@ -111,7 +119,7 @@
          directory = "/var/lib/kanidm";
          user = "kanidm";
          group = "kanidm";
-          mode = "0755";
+          mode = "0700";
        }
      ];
  };
--- a/hosts/sentinel/nginx.nix
+++ b/hosts/sentinel/nginx.nix
@ -1,5 +1,6 @@
 {
  config,
+  lib,
  nodes,
  ...
 }: let
@ -34,10 +35,13 @@ in {

  services.nginx = let
    authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
+    authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
+    grafanaDomain = nodes.ward-test.config.services.grafana.settings.server.domain;
+    grafanaPort = toString nodes.ward-test.config.services.grafana.settings.server.http_port;
  in {
    enable = true;
-    upstreams."kanidm" = {
-      servers."${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:8300" = {};
+    upstreams.kanidm = {
+      servers."${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort}" = {};
      extraConfig = ''
        zone kanidm 64k;
        keepalive 2;
@ -54,5 +58,18 @@ in {
        proxy_ssl_verify off;
      '';
    };
+
+    upstreams.grafana = {
+      servers."${nodes.ward-test.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort}" = {};
+      extraConfig = ''
+        zone grafana 64k;
+        keepalive 2;
+      '';
+    };
+    virtualHosts.${grafanaDomain} = {
+      forceSSL = true;
+      useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain;
+      locations."/".proxyPass = "http://grafana";
+    };
  };
 }
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -7,6 +7,7 @@
 }: let
  inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;
  authDomain = "auth.${personalDomain}";
+  grafanaDomain = "grafana.${personalDomain}";
 in {
  imports = [
    nixos-hardware.common-cpu-intel
@ -60,7 +61,91 @@ in {
  };

  microvm.vms.test.config = {
+    lib,
+    config,
+    ...
+  }: {
    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
+
+    extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
+    networking.nftables.firewall = {
+      zones = lib.mkForce {
+        #local-vms.interfaces = ["local-vms"];
+        proxy-sentinel.interfaces = ["proxy-sentinel"];
+        sentinel = {
+          parent = "proxy-sentinel";
+          ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+          ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+        };
+      };
+
+      rules = lib.mkForce {
+        sentinel-to-local = {
+          from = ["sentinel"];
+          to = ["local"];
+          allowedTCPPorts = [3001];
+        };
+      };
+    };
+
+    rekey.secrets.grafana-secret-key = {
+      file = ./secrets/grafana-secret-key.age;
+      mode = "440";
+      group = "grafana";
+    };
+
+    services.grafana = {
+      enable = true;
+      settings = {
+        analytics.reporting_enabled = false;
+        users.allow_sign_up = false;
+
+        server = {
+          domain = grafanaDomain;
+          root_url = "https://${config.services.grafana.settings.server.domain}";
+          enforce_domain = true;
+          enable_gzip = true;
+          http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
+          http_port = 3001;
+          # cert_key = /etc/grafana/grafana.key;
+          # cert_file = /etc/grafana/grafana.crt;
+          # protocol = "https"
+        };
+
+        security = {
+          disable_initial_admin_creation = true;
+          secret_key = "$__file{${config.rekey.secrets.grafana-secret-key.path}}";
+          cookie_secure = true;
+          disable_gravatar = true;
+          hide_version = true;
+        };
+
+        auth = {
+          signout_redirect_url = "https://sso.nycode.dev/if/session-end/grafana/";
+          disable_login_form = true;
+        };
+
+        "auth.generic_oauth" = {
+          enabled = true;
+          name = "Kanidm";
+          icon = "signin";
+          allow_sign_up = true;
+          auto_login = false;
+          client_id = "grafana";
+          client_secret = "$__file{${config.rekey.secrets.grafana-oauth-client-secret.path}}";
+          scopes = "openid profile email";
+          login_attribute_path = "prefered_username";
+          auth_url = "https://${authDomain}/ui/oauth2";
+          token_url = "https://${authDomain}/oauth2/token";
+          api_url = "https://${authDomain}/oauth2/openid/grafana/userinfo";
+          use_pkce = true;
+          allow_assign_grafana_admin = true;
+        };
+
+        # TODO provision
+      };
+    };
  };

  microvm.vms.nginx.config = {
@ -70,9 +155,7 @@ in {
  }: {
    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";

-    extra.wireguard.proxy-sentinel = {
-      client.via = "sentinel";
-    };
+    extra.wireguard.proxy-sentinel.client.via = "sentinel";

    networking.nftables.firewall = {
      zones = lib.mkForce {
--- a/hosts/ward/secrets/grafana-secret-key.age
+++ b/hosts/ward/secrets/grafana-secret-key.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 S365Ptmx5jGBBvN7q/nxHZWLT4wsHYey5TSIvqfKqXs
+MODSBeb8Kt0CfFdTgPskMFVaen28O5N5ql7aqxJ+YaQ
+-> piv-p256 xqSe8Q A8G1Ljc2V/ay90ZiITuXGDxRaH5R/QqDsSpXbsYQFFjx
+nE6ODZqg4QAujfWOeTRD/S0m/8bRadTqSCQa5sVIJ3w
+-> <*^9;-grease X4qEn "qK,G4} 5Gp'jn!Q
+bU3aA07kpeHbqAoFMrp4mWj3/iPH67VZpE+mW2Z9huxze+Jn1js0p/hV2fj2jlWm
+/DZP
+--- vSYl/yA0H1WBqkDI+lu8o1+/l7pOt5wFwb2cLuCDWFQ
+¤YÊBç'íŽ;HIët%‹¼?{e8ÞÀïV€B«QýFÌ»‡eí>ìmæ(øõG†ÂìÌ¸„9ßÍºÈ˜"‘Lû2zA~O€F³jsÂ"¸
--- a/secrets/wireguard/proxy-sentinel/keys/ward-test.age
+++ b/secrets/wireguard/proxy-sentinel/keys/ward-test.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 cMMC99p0MIklijuoRd8tQCQrqo4UlVPmsOyKc5qt4X0
+T1PF6GADXZQV9d9m834dmnIwD877qjjNklA/LlSlI8E
+-> piv-p256 xqSe8Q A1lRTx9nYJzX/aLJ/0ed7cql4nTE6XXhhtjNTMmZQFvM
+uo9MbHeHqcEXsxxYx5h/28n5nwPXl7O7W8PRXNUBv+w
+-> Vqg!O%^-grease
+TxEpmFfkMMptulXHKQ
+--- bd0u4VALhJtT/XO47mLjTrPnzvX5qcmZyx4I1Kr3ymU
+ŽÀêq»7½„Õµ5„p=Ûh$U»„ÉEI‰|o~ ŒIã³øðx�r	î3Éý|*;¦w˜JMÅ„â@ì*usO¤µU:0!ýä8{
--- a/secrets/wireguard/proxy-sentinel/keys/ward-test.pub
+++ b/secrets/wireguard/proxy-sentinel/keys/ward-test.pub
@ -0,0 +1 @@
+PTlU+qtfddz0ZfcHcfZmSxZ4Abe8UCpWV2FBJQswzBk=
--- a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-test.age
+++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-test.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 3bQe5/vCstk47dFWcHw+b/VPNNcWdQc/h7LJY3gaMzk
+20CR1ih9fzd6aCq4oKLvOIOoBO8WIKKkEk4+SMr+qus
+-> piv-p256 xqSe8Q A5Is7U9nNFHhQWs+3ef7va56kGP77CuM61Tlq2KtNve9
+UP3HX8ickxbaNanHaBN+5azuHvrLgJI7Jdc9rjO5NlY
+-> *b-grease K[ ot SG~=$]V~ Klp
+nGbF
+--- 6ySzDV9GHLj+UkO3AdCz1qNeHLsHnna4Ss5O/VfzwX0
+Ý™ƒZ›gÅøŽ* TjÕº‘ä§å‰º”R©g];Ã×}}øâœ÷ñ¦MmùÐ‡Ü«Ø:2¯×ë`G*ûÜÚä«ˆ�Ô@â�u=
				`@ -0,0 +1 @@`
				`PTlU+qtfddz0ZfcHcfZmSxZ4Abe8UCpWV2FBJQswzBk=`