
feat: use kanidm secret provisioning

This commit is contained in:
oddlama 2023-08-27 01:17:11 +02:00
parent 522de920bb
commit 7c48e51320
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
9 changed files with 126 additions and 105 deletions


@ -28,6 +28,13 @@ in {
group = "grafana";
};
# Mirror the original oauth2 secret
age.secrets.grafana-oauth2-client-secret = {
inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-grafana) rekeyFile;
mode = "440";
group = "grafana";
};
nodes.ward-influxdb = {
# Mirror the original secret on the influx host
age.secrets."grafana-influxdb-token-${config.node.name}" = {
@ -100,8 +107,7 @@ in {
allow_sign_up = true;
#auto_login = true;
client_id = "grafana";
#client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
client_secret = "aZKNCM6KpjBy4RqwKJXMLXzyx9rKH6MZTFk4wYrKWuBqLj6t"; # TODO temporary test not a real secret
client_secret = "$__file{${config.age.secrets.grafana-oauth2-client-secret.path}}";
scopes = "openid email profile";
login_attribute_path = "prefered_username";
auth_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/ui/oauth2";
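Review bot: The placeholder on the old side of this hunk (`client_secret = "aZKNCM6K…"`, marked "temporary test not a real secret") stays in git history after this commit, so if it was ever registered as grafana's client secret in kanidm it should be treated as disclosed and rotated there; the new `$__file{…}` reference does not do that on its own. The new line reads `config.age.secrets.grafana-oauth2-client-secret.path`, which matches the `age.secrets.grafana-oauth2-client-secret` declaration in the first hunk, and the older commented-out name `grafana-oauth-client-secret` (no "2") is correctly not reused. A pre-existing point on the context line below: the standard OIDC claim is spelled `preferred_username`, so `login_attribute_path = "prefered_username"` only resolves if kanidm emits a claim with exactly that spelling — worth confirming against an actual token. The enclosing attribute set starts and ends outside the hunk.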