tsuki/grafana: enable oauth2, misc hardening

Oystein Kristoffer Tveit 2023-07-28 21:53:53 +02:00
parent 816a46603a
commit d74ed2d045
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146


@ -93,17 +93,23 @@
settings = let
secretFile = sopsKey: ''$__file{${config.sops.secrets.${sopsKey}.path}}'';
in {
analytics.check_for_updates = false;
server = {
domain = "log.nani.wtf";
root_url = "https://log.nani.wtf";
enforce_domain = true;
enable_gzip = true;
protocol = "socket";
socket = "/run/grafana/grafana.sock";
};
security = {
disable_initial_admin_creation = true;
cookie_secure = true;
csrf_trusted_origins = [ "https://auth.nani.wtf" ];
data_source_proxy_whitelist = [
(with config.services.prometheus; "${listenAddress}:${toString port}")
];
disable_gravatar = true;
disable_initial_admin_creation = true;
secret_key = secretFile "grafana/secretkey";
};
@ -113,6 +119,37 @@
host = "/var/run/postgresql";
password = secretFile "postgres/grafana";
};
auth = {
# disable_login_form = true;
};
"auth.generic_oauth" = let
authServerUrl = config.services.kanidm.serverSettings.origin;
in {
enabled = true;
name = "KaniDM";
client_id = "grafana";
client_secret = secretFile "grafana/oauth2_secret";
auth_url = "${authServerUrl}/ui/oauth2";
token_url = "${authServerUrl}/oauth2/token";
api_url = "${authServerUrl}/oauth2/authorise";
scopes = "email openid profile";
auto_login = true;
use_pkce = true;
# I only have one user, and that one user should always be admin,
# no matter what kanidm sends.
role_attribute_strict = true;
role_attribute_path = "contains(info.groups[*], 'grafana_users') && 'GrafanaAdmin' || 'Viewer'";
allow_assign_grafana_admin = true;
};
analytics = {
check_for_updates = false;
feedback_links_enabled = false;
reporting_enabled = false;
};
};
};
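Review bot: The `|| 'Viewer'` fallback in `role_attribute_path` makes the expression always return a valid role, so `role_attribute_strict = true` never rejects a login, and any Kanidm account that can complete the flow for this client is let in as Viewer unless sign-up is restricted elsewhere. That also contradicts the comment above it, which says the role should not depend on what Kanidm sends, while the expression ties GrafanaAdmin (server admin, through `allow_assign_grafana_admin`) to a `grafana_users` group claim. If the intent is admin-or-nothing, drop the fallback, `role_attribute_path = "contains(info.groups[*], 'grafana_users') && 'GrafanaAdmin'";`, and reword the comment to say that membership in `grafana_users` grants server admin and everyone else is denied. Separately, `api_url` is the userinfo endpoint in Grafana's generic OAuth settings but points at `/oauth2/authorise` here, and `scopes` requests no groups scope, so it is worth confirming that a `groups` claim actually reaches the expression; if it does not, the intended admin also lands on Viewer.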