From 36a422f94bb843e3a5bc7ea88259cc805857815d Mon Sep 17 00:00:00 2001
From: Erwin Boskma
Date: Thu, 29 Feb 2024 23:14:56 +0100
Subject: [PATCH] saga: Add Keycloak login to Grafana

---
 machines/saga/configuration.nix | 3 +++
 machines/saga/grafana/default.nix | 19 +++++++++++++++++++
 machines/saga/secrets.yaml | 5 +++--
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/machines/saga/configuration.nix b/machines/saga/configuration.nix
index 99cd812..85d3d8b 100644
--- a/machines/saga/configuration.nix
+++ b/machines/saga/configuration.nix
@@ -87,6 +87,9 @@
 metrics_key = {
 owner = config.systemd.services.prometheus.serviceConfig.User;
 };
+ grafana-oauth2-secret = {
+ owner = config.systemd.services.grafana.serviceConfig.User;
+ };
 };

 system.stateVersion = "24.05";
diff --git a/machines/saga/grafana/default.nix b/machines/saga/grafana/default.nix
index 177eddf..b901deb 100644
--- a/machines/saga/grafana/default.nix
+++ b/machines/saga/grafana/default.nix
@@ -1,13 +1,32 @@
+{ config, ... }:
 {
 services.grafana = {
 enable = true;
 settings = {
+ log = {
+ level = "info";
+ };
 server = {
 domain = "saga.datarift.nl";
 enforce_domain = true;
 http_addr = "0.0.0.0";
 root_url = "https://saga.datarift.nl";
 };
+ "auth.generic_oauth" = {
+ enabled = true;
+ name = "Keycloak";
+ allow_sign_up = true;
+ client_id = "grafana";
+ client_secret = "$__file{${config.sops.secrets.grafana-oauth2-secret.path}}";
+ use_refresh_token = true;
+ scopes = "openid profile email offline_access roles";
+ auth_url = "https://id.datarift.nl/realms/datarift/protocol/openid-connect/auth";
+ token_url = "https://id.datarift.nl/realms/datarift/protocol/openid-connect/token";
+ api_url = "https://id.datarift.nl/realms/datarift/protocol/openid-connect/userinfo";
+ signout_redirect_url = "https://id.datarift.nl/realms/datarift/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2Fsaga.datarift.nl%2Flogin";
+ role_attribute_path = "contains(resource_access.grafana.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || 'Viewer'";
+ allow_assign_grafana_admin = true;
+ };
 };
 };
 }
diff --git a/machines/saga/secrets.yaml b/machines/saga/secrets.yaml
index e0d01b1..2c47519 100644
--- a/machines/saga/secrets.yaml
+++ b/machines/saga/secrets.yaml
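Review bot: With `allow_sign_up = true` and the trailing `|| 'Viewer'` in `role_attribute_path`, every account in the `datarift` realm that can authenticate against Keycloak is provisioned into Grafana as at least a Viewer, and nothing in the new `auth.generic_oauth` block limits sign-in to users who actually hold a `grafana` client role. If that realm is shared with other services, drop the `|| 'Viewer'` fallback and add `role_attribute_strict = true;` so users with no mapped role are rejected rather than silently admitted, or scope sign-in with `allowed_groups` plus a `groups_attribute_path`. Because `allow_assign_grafana_admin = true` lets the IdP hand out server-admin, a short comment stating that the `resource_access.grafana.roles` claim must be emitted in the ID token or userinfo response (a Keycloak client-role mapper — presumably already configured, but not visible here) would help the next maintainer, since with the fallback a missing mapper demotes everyone to Viewer instead of failing loudly. The authorization-code flow also runs without `use_pkce = true;`, which Grafana supports for generic OAuth and Keycloak accepts, so there is little reason to leave it off. Finally, `offline_access` in `scopes` requests Keycloak offline tokens that outlive the SSO session until revoked; if the goal is only to keep Grafana sessions refreshed, ordinary refresh tokens via `use_refresh_token = true` should suffice and that scope can be removed.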
@@ -1,6 +1,7 @@ metrics_cert: ENC[AES256_GCM,data:hxI6B6h1eOaHlYpUeHcsXMAEPZwuKpAgZ9gYkkqK73guUymi6g38kd1ULarm4cDHQC6ugaS5SadBxCExzxvTHpxXJWS+mc+GxJgU6u0wxitWG6h1M2btCHH6blvb/dKrSHcVNEBm+se/XwcPDvDuKJckS3JRfQ6dUpziNcguF1g0RSk7rWtKyLJx40O3Mc1BivAaPirNxOeExhwG7UX4rfwzw3ajqPg0AnaXfRlHA5vfvZAGhTYh1qXrUWXQgtjZj/B30vMB18oA6vxZnmkFVbZyUwh9O65hkdWY8kGQSc1IuhmzK7vcLquTAymdVgmW6Zmy/49bRgC5+aZKiIwiXnnK1e/Ygy+WvvQ/dpJZ0YANhLFiC1ygXiUHGOzh4gvo23c5NPcH8PDnMx6z1j5V4QTqi2w5RCA3A7pobP/u7Jn0pqFqRB2ws9bpsLQXGifOoGhTGiEfM6XJPSELNx3OMYmNSMbtM9PrMTs8ajaT3Vo0alwR67hSEU4i13vpgcEErcf+bxo8DoBRi3qwoU7bc/y2XLIWdxy9I2UTE2gMxuINHUuWX+n8J6WFYTs66KwXDY16G2WBBPh7zbjQqa8HLM4/K6bZVDKvhEuoDDz+Mp9bf2dlaM9qADnjumjRXbivdYg45rT3nuAsJ5pcEbz3RPP8j9Ri6cbb/eChWqCXcWyzEY8NfMNAdph3jetduaic+SgCqUnhJptM2lOPgdo0uscqD1O08giAvqLciTBR/kB2N9hIXOXwVVLgkSLvryduD/q1plfEnVzcsrUauJ6lleS0EUqQlVdrvM+DSYMPBZgecAmjrpvDdNP5gMseLrpd2/vVZOM3An/wrgf2vTOA3HNm1Fjj/iyKvIVsj+ZV0TAsXJh8BwyF09mJLm7kwKP+wkUmJkWJUW2yG/Dx9LHKaMhUEsMpF0ogP9aekyYG8d5PJ2d8VdKjQI2aanSkkh7kXPghemjfjP9T,iv:irh5m+oLYqMVsSmZNZK7s9nQtLxRvZ80lIAfE4nrAf4=,tag:xL5/SAP9b07yuiZUdizwwA==,type:str] metrics_key: ENC[AES256_GCM,data:fGpIg3k/PBcq4dVdLL5oNEdbrPTFarDAi9QLw7ViEfzG4jdxOec8rdFNtECX3IdtGIFZ7VtLd7hTISYrklafBqYMyBw0y3dxmbQaG7CQoIPoxnoJlbwAxofjfgFyVa69V6/o1mvCBfw3Tv8akRQel+3lTTB7RgqBsd+JNjiIsrC5r4JAr6KJCkKKLbNJZ79W1PGdKb2VEeVwGmdfWcvKz4TN6Za4cwhc51IAnZBH+2QnNNCYM6JnT0LVIzERS6ljF8MOb2Xmaqb9w6QxxTLX4nheEceWpOMLc71nIGtMSsU+SiRiZtHEdcUsDGBUdriqQ2mP5Q10Yz0K0u1wqXiLiz/wfeFGIvRPNOpP/b/cSFQSp494ZnMdO2bsnXOKQNFVBkkIO2jvB2SOlIJwC329n9vG,iv:jktiYgPJluYrQOpOOTwwpQ9SDJVvsO4lEwDe+l2cn3Q=,tag:rduGq7/XVShG9SqQeWl19g==,type:str] metrics_ca: ENC[AES256_GCM,data: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,iv:08lM7WQLcnuC7DvTZ1999sOojo9l35gAZpp4oIMuJBY=,tag:YW0xjTJkycV7xJHZuhE0uQ==,type:str] +grafana-oauth2-secret: ENC[AES256_GCM,data:D4f/MxiIGaeKD5DNXiCLg2IeFMX0TAkxIR1BY+1z89w=,iv:XNrRSwipAbpQFnXG94zke28gTL22zNf/HfGriChaRgA=,tag:6tsqNc68wHujtlmV4plwPQ==,type:str] sops: kms: 
[] gcp_kms: [] @@ -34,8 +35,8 @@ sops: K1FHaGVOQlo2cjBTQ3ZIYXZ5ZzNsNlEKLZWrUkNXTv8ECwXz1aPdnrpMs6r9Q+yI k5rFkaa+ylIk4OqouKRxxlNFdgcdqqYdZEqLrfuLnamzr6LNaoL1dQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-29T10:40:34Z" - mac: ENC[AES256_GCM,data:mofYtl2tbmOhe12j1murXcx4GAosmE4ezZZ1Uby8F0TS6Ob2J+13SBS1jwhEkU8S9ylVgx0jSET2weoEHfYS+d0/RDd9bjdXrnI8DeIA46D3wNNssYID9RAuPE18Dc98eVMOOBwH/hT46Bj630l0Rm8H/HB+fwcOFR5ahcvm2Pw=,iv:p2+aTSaOqL1jQpUt9+FBf8QgcwA13haKXLrGV4wdH84=,tag:ecgweBQiXOyiRVY9yBwDIw==,type:str] + lastmodified: "2024-02-29T15:40:45Z" + mac: ENC[AES256_GCM,data:+gH5ZcPlJ1ESdo93Td9BfuMKB1la18ER8OnA65/WERL5bjFai0GRjLxUGOLiJF5ApIj1JMfoqd08awvS8xUVM/4zccYXTeHtngVw2Ra9q3wcvFK4VzQ7kIO0btd6+YSdGGFpWLwBvErsn1yUs67sl69qr4qz0BxMrFn3zac3aQU=,iv:4fxThNrDrOsNNSykVVEmAHfl2VpcZVA58E5lZ+krEpE=,tag:RFigNQQzcZBMiCky5nL3Wg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1