From d74ed2d04545d3abf9e50bed72e3dabcd63a81fa Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Fri, 28 Jul 2023 21:53:53 +0200
Subject: [PATCH] tsuki/grafana: enable oauth2, misc hardening

---
 hosts/tsuki/services/grafana/default.nix | 41 ++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/hosts/tsuki/services/grafana/default.nix b/hosts/tsuki/services/grafana/default.nix
index 651fcbc..e8e29f5 100644
--- a/hosts/tsuki/services/grafana/default.nix
+++ b/hosts/tsuki/services/grafana/default.nix
@@ -93,17 +93,23 @@
     settings = let
       secretFile = sopsKey: ''$__file{${config.sops.secrets.${sopsKey}.path}}'';
     in {
-      analytics.check_for_updates = false;
       server = {
         domain = "log.nani.wtf";
+        root_url = "https://log.nani.wtf";
+        enforce_domain = true;
         enable_gzip = true;
         protocol = "socket";
         socket = "/run/grafana/grafana.sock";
       };
 
       security = {
-        disable_initial_admin_creation = true;
         cookie_secure = true;
+        csrf_trusted_origins = [ "https://auth.nani.wtf" ];
+        data_source_proxy_whitelist = [
+          (with config.services.prometheus; "${listenAddress}:${toString port}")
+        ];
+        disable_gravatar = true;
+        disable_initial_admin_creation = true;
         secret_key = secretFile "grafana/secretkey";
       };
 
@@ -113,6 +119,37 @@
         host = "/var/run/postgresql";
         password = secretFile "postgres/grafana";
       };
+
+      auth = {
+        # disable_login_form = true;
+      };
+
+      "auth.generic_oauth" = let
+        authServerUrl = config.services.kanidm.serverSettings.origin;
+      in {
+        enabled = true;
+        name = "KaniDM";
+        client_id = "grafana";
+        client_secret = secretFile "grafana/oauth2_secret";
+        auth_url = "${authServerUrl}/ui/oauth2";
+        token_url = "${authServerUrl}/oauth2/token";
+        api_url = "${authServerUrl}/oauth2/authorise";
+        scopes = "email openid profile";
+        auto_login = true;
+        use_pkce = true;
+
+        # I only have one user, and that one user should always be admin,
+        # no matter what kanidm sends.
+        role_attribute_strict = true;
+        role_attribute_path = "contains(info.groups[*], 'grafana_users') && 'GrafanaAdmin' || 'Viewer'";
+        allow_assign_grafana_admin = true;
+      };
+
+      analytics = {
+        check_for_updates = false;
+        feedback_links_enabled = false;
+        reporting_enabled = false;
+      };
     };
   };