diff --git a/machines/compute01/_configuration.nix b/machines/compute01/_configuration.nix
index 407e52e..ba89c5f 100644
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@@ -10,6 +10,7 @@ lib.extra.mkConfig {
 enabledServices = [
 # List of services to enable
 "ds-fr"
+ "grafana"
 "hedgedoc"
 "k-radius"
 "kanidm"
diff --git a/machines/compute01/grafana.nix b/machines/compute01/grafana.nix
new file mode 100644
index 0000000..2687a68
--- /dev/null
+++ b/machines/compute01/grafana.nix
@@ -0,0 +1,86 @@
+{ config, ... }:
+
+let
+ host = "grafana.dgnum.eu";
+ port = 3033;
+
+ file = name: "$__file{${config.age.secrets."grafana-${name}_file".path}}";
+in
+
+{
+ services = {
+ grafana = {
+ enable = true;
+
+ settings = {
+ "auth.generic_oauth" = {
+ api_url = "https://sso.dgnum.eu/oauth2/openid/grafana_dgn/userinfo";
+ auth_url = "https://sso.dgnum.eu/ui/oauth2";
+ client_id = "grafana_dgn";
+ client_secret = file "oauth_client_secret";
+ enabled = true;
+ id_token_attribute_name = "sub";
+ login_attribute_path = "preferred_username";
+ name = "Kanidm";
+ scopes = "email,openid,profile";
+ token_url = "https://sso.dgnum.eu/oauth2/token";
+ use_pkce = true;
+ };
+
+ database = {
+ type = "postgres";
+ user = "grafana";
+ host = "/run/postgresql";
+ };
+
+ security.disable_initial_admin_creation = true;
+
+ server = {
+ domain = host;
+ enable_gzip = true;
+ enforce_domain = true;
+ http_port = port;
+ root_url = "https://${host}";
+ router_logging = true;
+ };
+
+ smtp = {
+ enabled = true;
+ from_address = "grafana@infra.dgnum.eu";
+ host = "kurisu.lahfa.xyz:587";
+ password = file "smtp_password";
+ user = "web-services@infra.dgnum.eu";
+ };
+
+ users = {
+ default_theme = "system";
+ default_language = "en-GB";
+ auto_assign_org_role = "Admin";
+ };
+ };
+ };
+
+ postgresql = {
+ ensureDatabases = [ "grafana" ];
+ ensureUsers = [
+ {
+ name = "grafana";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ nginx.virtualHosts.${host} = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ };
+ };
+
+ age-secrets.autoMatch = [ "grafana" ];
+}
diff --git a/machines/compute01/secrets/grafana-oauth_client_secret_file b/machines/compute01/secrets/grafana-oauth_client_secret_file
new file mode 100644
index 0000000..c5eef45
--- /dev/null
+++ b/machines/compute01/secrets/grafana-oauth_client_secret_file
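Review bot: `auto_assign_org_role = "Admin";` in the `users` block, combined with `security.disable_initial_admin_creation = true` and no `role_attribute_path` under `"auth.generic_oauth"`, means every account that can complete the Kanidm login for `grafana_dgn` is created as an organisation Admin, since Grafana falls back to `auto_assign_org_role` whenever the OAuth provider yields no role. If that is not meant for every SSO user, prefer `auto_assign_org_role = "Viewer";` and derive Admin from a group claim, e.g. `role_attribute_path = "contains(groups[*], '<admin-group>') && 'Admin' || 'Viewer'";` together with `role_attribute_strict = true;` in `"auth.generic_oauth"` (the group name is a placeholder, and this assumes the Kanidm client emits a `groups` claim, which the hunk does not show). A smaller point in the `smtp` block: nothing pins STARTTLS for `kurisu.lahfa.xyz:587`, so the SMTP password relies on Grafana's opportunistic default; `startTLS_policy = "MandatoryStartTLS";` would refuse a plaintext fallback.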
@@ -0,0 +1,24 @@ +age-encryption.org/v1 +-> ssh-ed25519 tDqJRg ukyCbDqq1/18sjxWxyCCwYgYDavNcRq5cBvpZoqSKVQ +2lmz4ONDnXiW0+FqLwi4OVOClm96YU6NUMxeLcwyqhI +-> ssh-ed25519 jIXfPA MNspuPXKkP/fUp3qoPDmew+htam1l8JczSCCZFil6zE +1ugIhchyaumzv/izKFq1dCer6QPfLt6Fv2rIiU6rzGs +-> ssh-ed25519 QlRB9Q teomppq6nVFhnQFELI/sQNCRuMGNs2Tu6AY/PMWAzzI +LDLn1CsC9xqBBszdp4TZV/uCaYHBb65HS5eoG2+vfzU +-> ssh-ed25519 r+nK/Q GK/IVVvWVNjq1Fa8DKvljC1pD4OUz3MsM+VjROVYfSA +jJ2vK3HFkOGzrxvQJg6PayrEhOPVyvAZS29IEfKRbhs +-> ssh-rsa krWCLQ +XywRp0R34ulA6AhRloj+OonbP3ZmvWvnxko+KSBNZHUEO3P84N/UTSJLhTJrJHps +uYWhOO1VXMdOmu8+s2ymvsFFHZlQ1Ngr28/8Cb4InYbOcjc1jGsA/laSFelGG/qZ +CxoSw59oga+wssAf7NRVDY0GLtZIhdACnlfCodBnwGgr7MrO/jtv6wUcNtTQwqyg +k6JvmeXVO54sAbcICfDNHiWLejOA9B1tQ4biAtNZrw2BRh1siXVcjtrlkjdfqsc4 +4R/EDAYLHIMBnG/6Qpp5H3vPEEdwtaU2Tcd5RZHxWR+8ZjFFhLsZaGQZ5GxzlVOW +qd63AwlEvNGOSIMXBqc+tQ +-> ssh-ed25519 /vwQcQ Qm4OViiUxA0eIAiP+tPi+q9Uw+dluFKGi4J35q6dr3A +Byx5ohtc05YfpZhcZew6P7g90KEMammQ0KgvtRGAhBk +-> ssh-ed25519 0R97PA YKE87fWy7Gix4dk+YOqTkMMFyG1mTVjroO/I6rHtLXQ +o9O664qMLUIEwxti17O4VByFCMmOZ4vTtPH5qNscGnU +-> ssh-ed25519 JGx7Ng NfuL52cirg0LkXcoF3a0GYJx82Bt50YS9cpEnDH27T8 +OdqOs4ViSnW1fWZ5GLro4Z5afqmnGya6TsoKr3aZs0w +--- oqm2jb9ZHSHAhbxUYWDxQW/FaPwiq3iFr6RIX1nHCYo +쩚j˪fFyz#뤄 zz}9(!Sہ$ z2kC揦JTGZ_ \ No newline at end of file diff --git a/machines/compute01/secrets/grafana-smtp_password_file b/machines/compute01/secrets/grafana-smtp_password_file new file mode 100644 index 0000000..0c8d3b0 --- /dev/null +++ b/machines/compute01/secrets/grafana-smtp_password_file 
@@ -0,0 +1,24 @@ +age-encryption.org/v1 +-> ssh-ed25519 tDqJRg 81QjxFKkN+8VVGbQIAuM45veIGdQemg8CUTdPoH2QGs +YotUqCNICfvb/Flf3RHZRLJ93foKpAFB3AOjkol+EIc +-> ssh-ed25519 jIXfPA Kb01OMjnns0qo3LztzEnTShUs2aH0DZzDGDiE3WcqiA +aqdKE5MHxzCCGoIuZSOPIVSSQi75pifkQq+HptU33i0 +-> ssh-ed25519 QlRB9Q eo5FA1T5eYatUmM41+RZc0y7ZlHembU+7YduHKUsFnA +tlDL2I+GFsqxiYFZKYNv/F48DnlsmqNLkB6hDbiTFhA +-> ssh-ed25519 r+nK/Q 6Zt+yfT1jAEjO53BR8Buk2nQomxRoFJgYpBRgP3CmR8 +hQ8fsGpSWJI7NIpHLCVspMtsicxaiWwigXDzk20pRfE +-> ssh-rsa krWCLQ +FK1ozQkZ73MkzBzhLmcVAdNMvL+UzxCSVc26in+GRnZdDOEW0HnvYSxjnCkRfFZ5 +l8Eo69JFVufJgKQ+Yx5xE3hfvZCEp7ih5ZmcD7rleLDGLeW4pIvamiUd/YGvGpw0 +G2ZNHHATDviTlK344rc29mx/Dk01bSoAiiQJ+PiLa+bD1Uv/sXuyimm/wos3PeZV +7lcwu/Ug0k2RzhntYYjZML0fgdHlCMEiBRFqMaGAI2snTOnOtfcMb+0z0eeEUVrx +O9wCOwxj4GYr8tYQNujF6QUPF/sEOGXKlMCoK4OExjhfNL2Rrf1QTF1rlgOTsToP +sS8wCH/Gg7UQUb7LqmyA1g +-> ssh-ed25519 /vwQcQ dFeVQpXMkVKV3XLnoaSfIr092hEflFaqj5oH5VJlRVI +eM+EvVHPUblmDpIwLNE7CpU8RHYT/6v11gqliRFrT90 +-> ssh-ed25519 0R97PA 1VraTBHXimUuyTRmMFzXcBFGZ+GWDS0eX08RMpRfqFo +24uyDJC0PugE8qsZRVHsUv4EQ89fm5dB6J18Dv7d3NM +-> ssh-ed25519 JGx7Ng j2v9R9ki2tPgFww+oaKAWtarDDUSQXSWLszaGqRi6SU +Xy0bFe+yrcuTMrBqbtmnlF6X6bkxXaQqwrtabTlsXPc +--- p9c3bc4gDKhcJkmiCIR9RJvTxywuPVeenqvgCuJgw6M +gTeԈ/|hg*4DY\Ŕ$g᯿*|uBg?<:;@J$[d' \ No newline at end of file diff --git a/machines/compute01/secrets/secrets.nix b/machines/compute01/secrets/secrets.nix index e01c9b0..9e7ad18 100644 --- a/machines/compute01/secrets/secrets.nix +++ b/machines/compute01/secrets/secrets.nix @@ -5,6 +5,8 @@ in lib.setDefault { inherit publicKeys; } [ "ds_fr-secret_file" + "grafana-smtp_password_file" + "grafana-oauth_client_secret_file" "hedgedoc-environment_file" "librenms-database_password_file" "librenms-environment_file"