Move all flakes into modules/ and sep't, create deploy script for a1d2

Change-Id: Ie4d50fb8f16da193195beb139922a366b72b0b0a
diff --git a/modules/common/grafana.nix b/modules/common/grafana.nix
new file mode 100644
index 0000000..f6ca62a
--- /dev/null
+++ b/modules/common/grafana.nix
@@ -0,0 +1,95 @@
+{ lib, config, base, pkgs, helpers, ... }:
+lib.recursiveUpdate {
+  services.grafana = {
+    enable = true;
+
+    settings = {
+      server = rec {
+        domain = "logs.clicks.codes";
+        root_url = "https://${domain}";
+        http_port = 9052;
+        enable_gzip = true;
+      };
+      analytics.reporting_enabled = false;
+      "auth.generic_oauth" = {
+        enabled = true;
+        name = "Clicks OAuth";
+        allow_sign_up = true;
+        client_id = "grafana";
+        client_secret = "!!client_secret!!";
+        scopes = "openid email profile offline_access roles";
+        email_attribute_path = "email";
+        login_attribute_path = "login";
+        name_attribute_path = "name";
+        auth_url =
+          "https://login.clicks.codes/realms/clicks/protocol/openid-connect/auth";
+        token_url =
+          "https://login.clicks.codes/realms/clicks/protocol/openid-connect/token";
+        api_url =
+          "https://login.clicks.codes/realms/clicks/protocol/openid-connect/userinfo";
+        role_attribute_path =
+          "contains(resource_access.grafana.roles[*], 'server_admin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || 'Viewer'";
+        allow_assign_grafana_admin = true;
+        auto_login = true;
+      };
+      "auth.basic".enabled = false;
+      auth.disable_login_form = true;
+    };
+
+    provision.datasources.settings.datasources = [{
+      name = "clicks-postgresql";
+      type = "postgres";
+      access = "proxy";
+
+      url = "postgres://localhost:${toString config.services.postgresql.port}";
+      user = "clicks_grafana";
+      password =
+        "$__file{${config.sops.secrets.clicks_grafana_db_password.path}}";
+      # defined in postgres.nix
+    }];
+  };
+
+  sops.secrets.clicks_grafana_client_secret = {
+    mode = "0600";
+    owner = config.users.users.root.name;
+    group = config.users.users.root.group;
+    sopsFile = ../../secrets/grafana.json;
+    format = "json";
+  };
+} (let isDerived = base != null;
+in if isDerived then
+  let
+    generators = lib.generators;
+    cfg = config.services.grafana;
+    settingsFormatIni = pkgs.formats.ini {
+      listToValue =
+        lib.concatMapStringsSep " " (generators.mkValueStringDefault { });
+      mkKeyValue = generators.mkKeyValueDefault {
+        mkValueString = v:
+          if v == null then "" else generators.mkValueStringDefault { } v;
+      } "=";
+    };
+    grafana_cfgfile = settingsFormatIni.generate "config.ini" cfg.settings;
+  in {
+    scalpel.trafos."grafana.ini" = {
+      source = toString grafana_cfgfile;
+      matchers."client_secret".secret =
+        config.sops.secrets.clicks_grafana_client_secret.path;
+      owner = config.users.users.grafana.name;
+      group = config.users.users.root.name;
+      mode = "0400";
+    };
+
+    systemd.services.grafana.serviceConfig.ExecStart = lib.mkForce
+      (pkgs.writeShellScript "grafana-start" ''
+        set -o errexit -o pipefail -o nounset -o errtrace
+        shopt -s inherit_errexit
+
+        exec ${cfg.package}/bin/grafana-server -homepath ${cfg.dataDir} -config ${
+          config.scalpel.trafos."grafana.ini".destination
+        }
+      '');
+    systemd.services.grafana.restartTriggers = [ grafana_cfgfile ];
+  }
+else
+  { })
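Review bot: The `role_attribute_path` expression in the `"auth.generic_oauth"` block ends in `|| 'Viewer'`, and together with `allow_sign_up = true` that appears to give every account that can authenticate against the `clicks` realm read access to this Grafana instance, whether or not it holds any `grafana` client role. If access is meant to be limited to users with an assigned role, drop the `|| 'Viewer'` fallback and add `role_attribute_strict = true;` so that a login with no matching role is refused instead of provisioned. Separately, the `scalpel.trafos."grafana.ini"` entry sets `group = config.users.users.root.name;`, which passes a user name where a group is expected; `config.users.users.root.group`, as the `sops.secrets` block already uses, would be consistent, although with `mode = "0400"` the group gets no access either way.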