feat(whitby/grafana): use CAS SSO
There's a hard-coded list of Admin usernames for the moment. We should revisit this and get an actual groups setup in LDAP that's propagated through... Change-Id: Ic3601f1a9753573076769f4912038e9f1b60e139 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2982 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi>
This commit is contained in:
parent
ba30cd6bb2
commit
a0cfa097e0
1 changed files with 52 additions and 0 deletions
|
@ -387,6 +387,56 @@ in {
|
|||
domain = "status.tvl.su";
|
||||
rootUrl = "https://status.tvl.su";
|
||||
analytics.reporting.enable = false;
|
||||
extraOptions = let
|
||||
options = {
|
||||
auth = {
|
||||
generic_oauth = {
|
||||
enabled = true;
|
||||
client_id = "OAUTH-TVL-grafana-f1A1EmHLDT";
|
||||
scopes = "openid profile email";
|
||||
name = "TVL";
|
||||
email_attribute_path = "mail";
|
||||
login_attribute_path = "sub";
|
||||
name_attribute_path = "displayName";
|
||||
auth_url = "https://login.tvl.fyi/oidc/authorize";
|
||||
token_url = "https://login.tvl.fyi/oidc/accessToken";
|
||||
api_url = "https://login.tvl.fyi/oidc/profile";
|
||||
|
||||
# Give lukegb, grfn, tazjin "Admin" rights.
|
||||
role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
|
||||
|
||||
# Allow creating new Grafana accounts from OAuth accounts.
|
||||
allow_sign_up = true;
|
||||
};
|
||||
anonymous = {
|
||||
enabled = true;
|
||||
org_name = "The Virus Lounge";
|
||||
org_role = "Viewer";
|
||||
};
|
||||
basic.enabled = false;
|
||||
oauth_auto_login = true;
|
||||
disable_login_form = true;
|
||||
};
|
||||
};
|
||||
inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
|
||||
inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
|
||||
|
||||
# Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
|
||||
encodeName = raw: replaceStrings ["."] ["_"] (toUpper (concatStringsSep "_" raw));
|
||||
|
||||
# Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
|
||||
optionToString = value:
|
||||
if (typeOf value) == "bool" then
|
||||
if value then "true" else "false"
|
||||
else builtins.toString value;
|
||||
|
||||
# Turn an nested options attrset into a flat listToAttrs-compatible list.
|
||||
encodeOptions = prefix: inp: concatLists (mapAttrsToList (name: value:
|
||||
if (typeOf value) == "set"
|
||||
then encodeOptions (prefix ++ [name]) value
|
||||
else [ (nameValuePair (encodeName (prefix ++ [name])) (optionToString value)) ]
|
||||
) inp);
|
||||
in listToAttrs (encodeOptions [] options);
|
||||
|
||||
provision = {
|
||||
enable = true;
|
||||
|
@ -397,6 +447,8 @@ in {
|
|||
}];
|
||||
};
|
||||
};
|
||||
# Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
|
||||
systemd.services.grafana.serviceConfig.EnvironmentFile = "/etc/secrets/grafana";
|
||||
|
||||
security.sudo.extraRules = [
|
||||
{
|
||||
|
|
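Review bot: With `allow_sign_up = true` and a `role_attribute_path` whose fallback branch is `'Editor'`, every account the IdP at login.tvl.fyi will authenticate is auto-provisioned straight into the Editor role (able to change dashboards and data-source queries), not just the three named admins; if that is broader than intended, the fallback should be `'Viewer'`, i.e. `role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Viewer'";`, and a comment should state who the default role is meant to cover. Related: `basic.enabled = false` together with `disable_login_form = true` appears to leave no local login path if the OIDC provider is unavailable, which is worth a one-line comment acknowledging the trade-off. Separately, the comment above `encodeName` is inconsistent with its own example — the list `["auth" "generic_oauth" "enabled"]` yields `AUTH_GENERIC_OAUTH_ENABLED`, not `OPTIONS_GENERIC_OAUTH_ENABLED`; suggested wording: `# Take ["auth" "generic_oauth" "enabled"] and turn it into AUTH_GENERIC_OAUTH_ENABLED (the GF_ prefix is presumably added by the Grafana module's extraOptions handling).`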