feat(compute01): Deploy grafana on grafana.dgnum.eu

Tom Hubrecht 2024-02-19 14:20:21 +01:00
parent df37471e5c
commit 10e768cacd
5 changed files with 137 additions and 0 deletions


@ -10,6 +10,7 @@ lib.extra.mkConfig {
enabledServices = [
# List of services to enable
"ds-fr"
"grafana"
"hedgedoc"
"k-radius"
"kanidm"


@ -0,0 +1,86 @@
{ config, ... }:
let
host = "grafana.dgnum.eu";
port = 3033;
file = name: "$__file{${config.age.secrets."grafana-${name}_file".path}}";
in
{
services = {
grafana = {
enable = true;
settings = {
"auth.generic_oauth" = {
api_url = "https://sso.dgnum.eu/oauth2/openid/grafana_dgn/userinfo";
auth_url = "https://sso.dgnum.eu/ui/oauth2";
client_id = "grafana_dgn";
client_secret = file "oauth_client_secret";
enabled = true;
id_token_attribute_name = "sub";
login_attribute_path = "preferred_username";
name = "Kanidm";
scopes = "email,openid,profile";
token_url = "https://sso.dgnum.eu/oauth2/token";
use_pkce = true;
};
database = {
type = "postgres";
user = "grafana";
host = "/run/postgresql";
};
security.disable_initial_admin_creation = true;
server = {
domain = host;
enable_gzip = true;
enforce_domain = true;
http_port = port;
root_url = "https://${host}";
router_logging = true;
};
smtp = {
enabled = true;
from_address = "grafana@infra.dgnum.eu";
host = "kurisu.lahfa.xyz:587";
password = file "smtp_password";
user = "web-services@infra.dgnum.eu";
};
users = {
default_theme = "system";
default_language = "en-GB";
auto_assign_org_role = "Admin";
};
};
};
postgresql = {
ensureDatabases = [ "grafana" ];
ensureUsers = [
{
name = "grafana";
ensureDBOwnership = true;
}
];
};
nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
};
age-secrets.autoMatch = [ "grafana" ];
}
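Review bot: `auto_assign_org_role = "Admin"` in the `users` block gives every account that signs in through the Kanidm OAuth client the organisation Admin role, and the `auth.generic_oauth` block sets no `role_attribute_path` or `allowed_groups` to narrow it. Unless the Kanidm scope map for `grafana_dgn` is already restricted to administrators (not visible in this commit), I would default to `auto_assign_org_role = "Viewer";` and derive elevated roles from a claim, for example `role_attribute_path = "contains(groups[*], '<admin-group>') && 'Admin' || 'Viewer'";`, where the group name is a placeholder and the scope list may need a groups scope. Separately, the `smtp` block authenticates to `kurisu.lahfa.xyz:587` without setting `startTLS_policy = "MandatoryStartTLS";`, so with Grafana's opportunistic default a connection where STARTTLS is not offered may not be refused.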


@ -0,0 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg ukyCbDqq1/18sjxWxyCCwYgYDavNcRq5cBvpZoqSKVQ
2lmz4ONDnXiW0+FqLwi4OVOClm96YU6NUMxeLcwyqhI
-> ssh-ed25519 jIXfPA MNspuPXKkP/fUp3qoPDmew+htam1l8JczSCCZFil6zE
1ugIhchyaumzv/izKFq1dCer6QPfLt6Fv2rIiU6rzGs
-> ssh-ed25519 QlRB9Q teomppq6nVFhnQFELI/sQNCRuMGNs2Tu6AY/PMWAzzI
LDLn1CsC9xqBBszdp4TZV/uCaYHBb65HS5eoG2+vfzU
-> ssh-ed25519 r+nK/Q GK/IVVvWVNjq1Fa8DKvljC1pD4OUz3MsM+VjROVYfSA
jJ2vK3HFkOGzrxvQJg6PayrEhOPVyvAZS29IEfKRbhs
-> ssh-rsa krWCLQ
XywRp0R34ulA6AhRloj+OonbP3ZmvWvnxko+KSBNZHUEO3P84N/UTSJLhTJrJHps
uYWhOO1VXMdOmu8+s2ymvsFFHZlQ1Ngr28/8Cb4InYbOcjc1jGsA/laSFelGG/qZ
CxoSw59oga+wssAf7NRVDY0GLtZIhdACnlfCodBnwGgr7MrO/jtv6wUcNtTQwqyg
k6JvmeXVO54sAbcICfDNHiWLejOA9B1tQ4biAtNZrw2BRh1siXVcjtrlkjdfqsc4
4R/EDAYLHIMBnG/6Qpp5H3vPEEdwtaU2Tcd5RZHxWR+8ZjFFhLsZaGQZ5GxzlVOW
qd63AwlEvNGOSIMXBqc+tQ
-> ssh-ed25519 /vwQcQ Qm4OViiUxA0eIAiP+tPi+q9Uw+dluFKGi4J35q6dr3A
Byx5ohtc05YfpZhcZew6P7g90KEMammQ0KgvtRGAhBk
-> ssh-ed25519 0R97PA YKE87fWy7Gix4dk+YOqTkMMFyG1mTVjroO/I6rHtLXQ
o9O664qMLUIEwxti17O4VByFCMmOZ4vTtPH5qNscGnU
-> ssh-ed25519 JGx7Ng NfuL52cirg0LkXcoF3a0GYJx82Bt50YS9cpEnDH27T8
OdqOs4ViSnW1fWZ5GLro4Z5afqmnGya6TsoKr3aZs0w
--- oqm2jb9ZHSHAhbxUYWDxQW/FaPwiq3iFr6RIX1nHCYo
ì©šÎj½ó˪f¾©Fyz#ö뤄å…ùÕâ íz‰z¥}´ýÂø9(!SÂöÛ<C3B6>¸ûz2kªÈCæ<43>¦J¬T…Ÿ”þG<C3BE>€³“Z_àÑ


@ -0,0 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg 81QjxFKkN+8VVGbQIAuM45veIGdQemg8CUTdPoH2QGs
YotUqCNICfvb/Flf3RHZRLJ93foKpAFB3AOjkol+EIc
-> ssh-ed25519 jIXfPA Kb01OMjnns0qo3LztzEnTShUs2aH0DZzDGDiE3WcqiA
aqdKE5MHxzCCGoIuZSOPIVSSQi75pifkQq+HptU33i0
-> ssh-ed25519 QlRB9Q eo5FA1T5eYatUmM41+RZc0y7ZlHembU+7YduHKUsFnA
tlDL2I+GFsqxiYFZKYNv/F48DnlsmqNLkB6hDbiTFhA
-> ssh-ed25519 r+nK/Q 6Zt+yfT1jAEjO53BR8Buk2nQomxRoFJgYpBRgP3CmR8
hQ8fsGpSWJI7NIpHLCVspMtsicxaiWwigXDzk20pRfE
-> ssh-rsa krWCLQ
FK1ozQkZ73MkzBzhLmcVAdNMvL+UzxCSVc26in+GRnZdDOEW0HnvYSxjnCkRfFZ5
l8Eo69JFVufJgKQ+Yx5xE3hfvZCEp7ih5ZmcD7rleLDGLeW4pIvamiUd/YGvGpw0
G2ZNHHATDviTlK344rc29mx/Dk01bSoAiiQJ+PiLa+bD1Uv/sXuyimm/wos3PeZV
7lcwu/Ug0k2RzhntYYjZML0fgdHlCMEiBRFqMaGAI2snTOnOtfcMb+0z0eeEUVrx
O9wCOwxj4GYr8tYQNujF6QUPF/sEOGXKlMCoK4OExjhfNL2Rrf1QTF1rlgOTsToP
sS8wCH/Gg7UQUb7LqmyA1g
-> ssh-ed25519 /vwQcQ dFeVQpXMkVKV3XLnoaSfIr092hEflFaqj5oH5VJlRVI
eM+EvVHPUblmDpIwLNE7CpU8RHYT/6v11gqliRFrT90
-> ssh-ed25519 0R97PA 1VraTBHXimUuyTRmMFzXcBFGZ+GWDS0eX08RMpRfqFo
24uyDJC0PugE8qsZRVHsUv4EQ89fm5dB6J18Dv7d3NM
-> ssh-ed25519 JGx7Ng j2v9R9ki2tPgFww+oaKAWtarDDUSQXSWLszaGqRi6SU
Xy0bFe+yrcuTMrBqbtmnlF6X6bkxXaQqwrtabTlsXPc
--- p9c3bc4gDKhcJkmiCIR9RJvTxywuPVeenqvgCuJgw6M
ágTÁôÃeÔˆ/<2F>Ë|hg*ý4DY¥íÿØä\Å”$œg᯿*°¶|uþB²gš?õ<19><:;Ýç@J$[dô'


@ -5,6 +5,8 @@ in
lib.setDefault { inherit publicKeys; } [
"ds_fr-secret_file"
"grafana-smtp_password_file"
"grafana-oauth_client_secret_file"
"hedgedoc-environment_file"
"librenms-database_password_file"
"librenms-environment_file"