{ config, ... }:

let
  host = "grafana.dgnum.eu";
  port = 3033;

  # Build a "$__file{<path>}" reference for an agenix secret named
  # "grafana-<name>_file". Grafana resolves this syntax by reading the file at
  # startup, so only the secret's path -- never its contents -- ends up in the
  # generated grafana.ini / Nix store.
  secretFile = name: "$__file{${config.age.secrets."grafana-${name}_file".path}}";
in
{
  services.grafana = {
    enable = true;

    settings = {
      # OIDC login against the Kanidm instance at sso.dgnum.eu, with PKCE.
      "auth.generic_oauth" = {
        enabled = true;
        name = "Kanidm";
        client_id = "grafana_dgn";
        client_secret = secretFile "oauth_client_secret";
        auth_url = "https://sso.dgnum.eu/ui/oauth2";
        token_url = "https://sso.dgnum.eu/oauth2/token";
        api_url = "https://sso.dgnum.eu/oauth2/openid/grafana_dgn/userinfo";
        scopes = "email,openid,profile";
        # Grafana usernames come from the `preferred_username` claim; the
        # stable identity is the `sub` claim of the ID token.
        login_attribute_path = "preferred_username";
        id_token_attribute_name = "sub";
        use_pkce = true;
        # NOTE(review): no role_attribute_path / allowed_groups / allow_sign_up
        # are pinned here, so nothing in this block restricts who may log in or
        # maps Kanidm groups to Grafana roles; combined with
        # users.auto_assign_org_role = "Admin" below, every account that can
        # complete the OAuth flow becomes an org Admin. Confirm that is intended
        # (or restrict it on the Kanidm client side) before relying on it.
      };

      # Local PostgreSQL over the unix socket, matching the ensureUsers entry
      # below (peer auth, no password in the config).
      database = {
        type = "postgres";
        host = "/run/postgresql";
        user = "grafana";
      };

      # No initial local "admin" account: every login goes through SSO.
      # NOTE(review): this also means there is no built-in break-glass account
      # if the Kanidm client or network path breaks -- make sure some recovery
      # path (e.g. grafana-cli admin reset-admin-password) is documented.
      security.disable_initial_admin_creation = true;

      server = {
        domain = host;
        root_url = "https://${host}";
        # Reject requests whose Host header does not match `domain`, which
        # keeps OAuth redirects and cookies pinned to the public hostname.
        enforce_domain = true;
        http_port = port;
        enable_gzip = true;
        # Logs every HTTP request (method, path, status). Paths may carry query
        # strings, so treat the Grafana log as potentially sensitive.
        router_logging = true;
      };

      smtp = {
        enabled = true;
        host = "kurisu.lahfa.xyz:587";
        user = "web-services@infra.dgnum.eu";
        password = secretFile "smtp_password";
        from_address = "grafana@infra.dgnum.eu";
        # NOTE(review): port 587 suggests STARTTLS is expected, but no
        # startTLS_policy is set here -- confirm Grafana's default matches.
      };

      users = {
        default_language = "en-GB";
        default_theme = "system";
        # Role granted to every newly auto-created user in the default org.
        # "Admin" is the broadest org role; see the note in auth.generic_oauth.
        auto_assign_org_role = "Admin";
      };
    };
  };

  # Database and role for Grafana; ownership lets Grafana run its migrations.
  services.postgresql = {
    ensureDatabases = [ "grafana" ];
    ensureUsers = [
      {
        name = "grafana";
        ensureDBOwnership = true;
      }
    ];
  };

  # TLS termination (ACME-issued cert) in front of Grafana, which itself only
  # listens on loopback. recommendedProxySettings forwards Host and
  # X-Forwarded-* headers, which Grafana needs for enforce_domain / root_url
  # to behave correctly behind the proxy.
  services.nginx.virtualHosts.${host} = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
      proxyWebsockets = true;
      recommendedProxySettings = true;
    };
  };

  # Register every agenix secret whose name starts with "grafana" for this host.
  age-secrets.autoMatch = [ "grafana" ];
}