saga: Add Keycloak login to Grafana

Erwin Boskma 2024-02-29 23:14:56 +01:00
parent 488d6fe6df
commit 36a422f94b
Signed by: erwin
SSH key fingerprint: SHA256:/Wk1WZdLg+vQHs3in9qq7PsIp8SMzwGSk/RLZ5zPuZk
3 changed files with 25 additions and 2 deletions


@ -87,6 +87,9 @@
metrics_key = { metrics_key = {
owner = config.systemd.services.prometheus.serviceConfig.User; owner = config.systemd.services.prometheus.serviceConfig.User;
}; };
grafana-oauth2-secret = {
owner = config.systemd.services.grafana.serviceConfig.User;
};
}; };
system.stateVersion = "24.05"; system.stateVersion = "24.05";
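Review bot: The new `grafana-oauth2-secret` entry sets only `owner`, so a rotated client secret would presumably not reach Grafana until the service is restarted by hand. The path Grafana reads through `$__file{...}` stays the same when the secret's content changes, so a rebuild gives the unit no reason to restart. sops-nix can tie the two together with `restartUnits = [ "grafana.service" ];` inside this attribute set. The enclosing secrets set starts above the hunk, so any defaults applied there are not visible here.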


@ -1,13 +1,32 @@
{ config, ... }:
{ {
services.grafana = { services.grafana = {
enable = true; enable = true;
settings = { settings = {
log = {
level = "info";
};
server = { server = {
domain = "saga.datarift.nl"; domain = "saga.datarift.nl";
enforce_domain = true; enforce_domain = true;
http_addr = "0.0.0.0"; http_addr = "0.0.0.0";
root_url = "https://saga.datarift.nl"; root_url = "https://saga.datarift.nl";
}; };
"auth.generic_oauth" = {
enabled = true;
name = "Keycloak";
allow_sign_up = true;
client_id = "grafana";
client_secret = "$__file{${config.sops.secrets.grafana-oauth2-secret.path}}";
use_refresh_token = true;
scopes = "openid profile email offline_access roles";
auth_url = "https://id.datarift.nl/realms/datarift/protocol/openid-connect/auth";
token_url = "https://id.datarift.nl/realms/datarift/protocol/openid-connect/token";
api_url = "https://id.datarift.nl/realms/datarift/protocol/openid-connect/userinfo";
signout_redirect_url = "https://id.datarift.nl/realms/datarift/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2Fsaga.datarift.nl%2Flogin";
role_attribute_path = "contains(resource_access.grafana.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || 'Viewer'";
allow_assign_grafana_admin = true;
};
}; };
}; };
} }
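Review bot: The `role_attribute_path` expression ends in `|| 'Viewer'`, and together with `allow_sign_up = true` that auto-provisions a Viewer account for every user who can authenticate in the `datarift` realm, whether or not they hold a `grafana` client role. If access is meant to be limited to role holders, drop the `|| 'Viewer'` fallback and add `role_attribute_strict = true;` so a login without a matching role is refused. `allow_assign_grafana_admin = true` also makes the Keycloak client role `grafanaadmin` equivalent to Grafana server admin, so a comment naming who may assign that role in Keycloak would help the next reader. Adding `use_pkce = true;` to the block is a low-cost hardening of the authorization-code flow.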


@ -1,6 +1,7 @@
metrics_cert: ENC[AES256_GCM,data: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,iv:irh5m+oLYqMVsSmZNZK7s9nQtLxRvZ80lIAfE4nrAf4=,tag:xL5/SAP9b07yuiZUdizwwA==,type:str] metrics_cert: ENC[AES256_GCM,data:hxI6B6h1eOaHlYpUeHcsXMAEPZwuKpAgZ9gYkkqK73guUymi6g38kd1ULarm4cDHQC6ugaS5SadBxCExzxvTHpxXJWS+mc+GxJgU6u0wxitWG6h1M2btCHH6blvb/dKrSHcVNEBm+se/XwcPDvDuKJckS3JRfQ6dUpziNcguF1g0RSk7rWtKyLJx40O3Mc1BivAaPirNxOeExhwG7UX4rfwzw3ajqPg0AnaXfRlHA5vfvZAGhTYh1qXrUWXQgtjZj/B30vMB18oA6vxZnmkFVbZyUwh9O65hkdWY8kGQSc1IuhmzK7vcLquTAymdVgmW6Zmy/49bRgC5+aZKiIwiXnnK1e/Ygy+WvvQ/dpJZ0YANhLFiC1ygXiUHGOzh4gvo23c5NPcH8PDnMx6z1j5V4QTqi2w5RCA3A7pobP/u7Jn0pqFqRB2ws9bpsLQXGifOoGhTGiEfM6XJPSELNx3OMYmNSMbtM9PrMTs8ajaT3Vo0alwR67hSEU4i13vpgcEErcf+bxo8DoBRi3qwoU7bc/y2XLIWdxy9I2UTE2gMxuINHUuWX+n8J6WFYTs66KwXDY16G2WBBPh7zbjQqa8HLM4/K6bZVDKvhEuoDDz+Mp9bf2dlaM9qADnjumjRXbivdYg45rT3nuAsJ5pcEbz3RPP8j9Ri6cbb/eChWqCXcWyzEY8NfMNAdph3jetduaic+SgCqUnhJptM2lOPgdo0uscqD1O08giAvqLciTBR/kB2N9hIXOXwVVLgkSLvryduD/q1plfEnVzcsrUauJ6lleS0EUqQlVdrvM+DSYMPBZgecAmjrpvDdNP5gMseLrpd2/vVZOM3An/wrgf2vTOA3HNm1Fjj/iyKvIVsj+ZV0TAsXJh8BwyF09mJLm7kwKP+wkUmJkWJUW2yG/Dx9LHKaMhUEsMpF0ogP9aekyYG8d5PJ2d8VdKjQI2aanSkkh7kXPghemjfjP9T,iv:irh5m+oLYqMVsSmZNZK7s9nQtLxRvZ80lIAfE4nrAf4=,tag:xL5/SAP9b07yuiZUdizwwA==,type:str]
metrics_key: ENC[AES256_GCM,data:fGpIg3k/PBcq4dVdLL5oNEdbrPTFarDAi9QLw7ViEfzG4jdxOec8rdFNtECX3IdtGIFZ7VtLd7hTISYrklafBqYMyBw0y3dxmbQaG7CQoIPoxnoJlbwAxofjfgFyVa69V6/o1mvCBfw3Tv8akRQel+3lTTB7RgqBsd+JNjiIsrC5r4JAr6KJCkKKLbNJZ79W1PGdKb2VEeVwGmdfWcvKz4TN6Za4cwhc51IAnZBH+2QnNNCYM6JnT0LVIzERS6ljF8MOb2Xmaqb9w6QxxTLX4nheEceWpOMLc71nIGtMSsU+SiRiZtHEdcUsDGBUdriqQ2mP5Q10Yz0K0u1wqXiLiz/wfeFGIvRPNOpP/b/cSFQSp494ZnMdO2bsnXOKQNFVBkkIO2jvB2SOlIJwC329n9vG,iv:jktiYgPJluYrQOpOOTwwpQ9SDJVvsO4lEwDe+l2cn3Q=,tag:rduGq7/XVShG9SqQeWl19g==,type:str] metrics_key: ENC[AES256_GCM,data:fGpIg3k/PBcq4dVdLL5oNEdbrPTFarDAi9QLw7ViEfzG4jdxOec8rdFNtECX3IdtGIFZ7VtLd7hTISYrklafBqYMyBw0y3dxmbQaG7CQoIPoxnoJlbwAxofjfgFyVa69V6/o1mvCBfw3Tv8akRQel+3lTTB7RgqBsd+JNjiIsrC5r4JAr6KJCkKKLbNJZ79W1PGdKb2VEeVwGmdfWcvKz4TN6Za4cwhc51IAnZBH+2QnNNCYM6JnT0LVIzERS6ljF8MOb2Xmaqb9w6QxxTLX4nheEceWpOMLc71nIGtMSsU+SiRiZtHEdcUsDGBUdriqQ2mP5Q10Yz0K0u1wqXiLiz/wfeFGIvRPNOpP/b/cSFQSp494ZnMdO2bsnXOKQNFVBkkIO2jvB2SOlIJwC329n9vG,iv:jktiYgPJluYrQOpOOTwwpQ9SDJVvsO4lEwDe+l2cn3Q=,tag:rduGq7/XVShG9SqQeWl19g==,type:str]
metrics_ca: ENC[AES256_GCM,data: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,iv:08lM7WQLcnuC7DvTZ1999sOojo9l35gAZpp4oIMuJBY=,tag:YW0xjTJkycV7xJHZuhE0uQ==,type:str] metrics_ca: ENC[AES256_GCM,data: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,iv:08lM7WQLcnuC7DvTZ1999sOojo9l35gAZpp4oIMuJBY=,tag:YW0xjTJkycV7xJHZuhE0uQ==,type:str]
grafana-oauth2-secret: ENC[AES256_GCM,data:D4f/MxiIGaeKD5DNXiCLg2IeFMX0TAkxIR1BY+1z89w=,iv:XNrRSwipAbpQFnXG94zke28gTL22zNf/HfGriChaRgA=,tag:6tsqNc68wHujtlmV4plwPQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -34,8 +35,8 @@ sops:
K1FHaGVOQlo2cjBTQ3ZIYXZ5ZzNsNlEKLZWrUkNXTv8ECwXz1aPdnrpMs6r9Q+yI K1FHaGVOQlo2cjBTQ3ZIYXZ5ZzNsNlEKLZWrUkNXTv8ECwXz1aPdnrpMs6r9Q+yI
k5rFkaa+ylIk4OqouKRxxlNFdgcdqqYdZEqLrfuLnamzr6LNaoL1dQ== k5rFkaa+ylIk4OqouKRxxlNFdgcdqqYdZEqLrfuLnamzr6LNaoL1dQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-29T10:40:34Z" lastmodified: "2024-02-29T15:40:45Z"
mac: ENC[AES256_GCM,data:mofYtl2tbmOhe12j1murXcx4GAosmE4ezZZ1Uby8F0TS6Ob2J+13SBS1jwhEkU8S9ylVgx0jSET2weoEHfYS+d0/RDd9bjdXrnI8DeIA46D3wNNssYID9RAuPE18Dc98eVMOOBwH/hT46Bj630l0Rm8H/HB+fwcOFR5ahcvm2Pw=,iv:p2+aTSaOqL1jQpUt9+FBf8QgcwA13haKXLrGV4wdH84=,tag:ecgweBQiXOyiRVY9yBwDIw==,type:str] mac: ENC[AES256_GCM,data:+gH5ZcPlJ1ESdo93Td9BfuMKB1la18ER8OnA65/WERL5bjFai0GRjLxUGOLiJF5ApIj1JMfoqd08awvS8xUVM/4zccYXTeHtngVw2Ra9q3wcvFK4VzQ7kIO0btd6+YSdGGFpWLwBvErsn1yUs67sl69qr4qz0BxMrFn3zac3aQU=,iv:4fxThNrDrOsNNSykVVEmAHfl2VpcZVA58E5lZ+krEpE=,tag:RFigNQQzcZBMiCky5nL3Wg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1