feat: add grafana test setup with oauth2

2025-10-11 07:10:39 +02:00 · 2023-06-02 01:28:35 +02:00 · 2023-06-02 01:28:35 +02:00 · 135528e082
commit 135528e082
parent a7c1fb016b
7 changed files with 146 additions and 9 deletions
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -7,6 +7,7 @@
 }: let
  inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;
  authDomain = "auth.${personalDomain}";
+  grafanaDomain = "grafana.${personalDomain}";
 in {
  imports = [
    nixos-hardware.common-cpu-intel
@ -60,7 +61,91 @@ in {
  };

  microvm.vms.test.config = {
+    lib,
+    config,
+    ...
+  }: {
    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
+
+    extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
+    networking.nftables.firewall = {
+      zones = lib.mkForce {
+        #local-vms.interfaces = ["local-vms"];
+        proxy-sentinel.interfaces = ["proxy-sentinel"];
+        sentinel = {
+          parent = "proxy-sentinel";
+          ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+          ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+        };
+      };
+
+      rules = lib.mkForce {
+        sentinel-to-local = {
+          from = ["sentinel"];
+          to = ["local"];
+          allowedTCPPorts = [3001];
+        };
+      };
+    };
+
+    rekey.secrets.grafana-secret-key = {
+      file = ./secrets/grafana-secret-key.age;
+      mode = "440";
+      group = "grafana";
+    };
+
+    services.grafana = {
+      enable = true;
+      settings = {
+        analytics.reporting_enabled = false;
+        users.allow_sign_up = false;
+
+        server = {
+          domain = grafanaDomain;
+          root_url = "https://${config.services.grafana.settings.server.domain}";
+          enforce_domain = true;
+          enable_gzip = true;
+          http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
+          http_port = 3001;
+          # cert_key = /etc/grafana/grafana.key;
+          # cert_file = /etc/grafana/grafana.crt;
+          # protocol = "https"
+        };
+
+        security = {
+          disable_initial_admin_creation = true;
+          secret_key = "$__file{${config.rekey.secrets.grafana-secret-key.path}}";
+          cookie_secure = true;
+          disable_gravatar = true;
+          hide_version = true;
+        };
+
+        auth = {
+          signout_redirect_url = "https://sso.nycode.dev/if/session-end/grafana/";
+          disable_login_form = true;
+        };
+
+        "auth.generic_oauth" = {
+          enabled = true;
+          name = "Kanidm";
+          icon = "signin";
+          allow_sign_up = true;
+          auto_login = false;
+          client_id = "grafana";
+          client_secret = "$__file{${config.rekey.secrets.grafana-oauth-client-secret.path}}";
+          scopes = "openid profile email";
+          login_attribute_path = "prefered_username";
+          auth_url = "https://${authDomain}/ui/oauth2";
+          token_url = "https://${authDomain}/oauth2/token";
+          api_url = "https://${authDomain}/oauth2/openid/grafana/userinfo";
+          use_pkce = true;
+          allow_assign_grafana_admin = true;
+        };
+
+        # TODO provision
+      };
+    };
  };

  microvm.vms.nginx.config = {
@ -70,9 +155,7 @@ in {
  }: {
    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";

-    extra.wireguard.proxy-sentinel = {
-      client.via = "sentinel";
-    };
+    extra.wireguard.proxy-sentinel.client.via = "sentinel";

    networking.nftables.firewall = {
      zones = lib.mkForce {