| { lib, config, base, pkgs, helpers, ... }: |
| lib.recursiveUpdate { |
| services.grafana = { |
| enable = true; |
| |
| settings = { |
| server = rec { |
| domain = "logs.clicks.codes"; |
| root_url = "https://${domain}"; |
| http_port = 9052; |
| enable_gzip = true; |
| }; |
| analytics.reporting_enabled = false; |
| "auth.generic_oauth" = { |
| enabled = true; |
| name = "Clicks OAuth"; |
| allow_sign_up = true; |
| client_id = "grafana"; |
| client_secret = "!!client_secret!!"; |
| scopes = "openid email profile offline_access roles"; |
| email_attribute_path = "email"; |
| login_attribute_path = "login"; |
| name_attribute_path = "name"; |
| auth_url = |
| "https://login.clicks.codes/realms/clicks/protocol/openid-connect/auth"; |
| token_url = |
| "https://login.clicks.codes/realms/clicks/protocol/openid-connect/token"; |
| api_url = |
| "https://login.clicks.codes/realms/clicks/protocol/openid-connect/userinfo"; |
| role_attribute_path = |
| "contains(resource_access.grafana.roles[*], 'server_admin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || 'Viewer'"; |
| allow_assign_grafana_admin = true; |
| auto_login = true; |
| }; |
| "auth.basic".enabled = false; |
| auth.disable_login_form = true; |
| }; |
| |
| provision.datasources.settings.datasources = [{ |
| name = "clicks-postgresql"; |
| type = "postgres"; |
| access = "proxy"; |
| |
| url = "postgres://localhost:${toString config.services.postgresql.port}"; |
| user = "clicks_grafana"; |
| password = |
| "$__file{${config.sops.secrets.clicks_grafana_db_password.path}}"; |
| # defined in postgres.nix |
| }]; |
| }; |
| |
| sops.secrets.clicks_grafana_client_secret = { |
| mode = "0600"; |
| owner = config.users.users.root.name; |
| group = config.users.users.root.group; |
| sopsFile = ../../secrets/grafana.json; |
| format = "json"; |
| }; |
| } (let isDerived = base != null; |
| in if isDerived then |
| let |
| generators = lib.generators; |
| cfg = config.services.grafana; |
| settingsFormatIni = pkgs.formats.ini { |
| listToValue = |
| lib.concatMapStringsSep " " (generators.mkValueStringDefault { }); |
| mkKeyValue = generators.mkKeyValueDefault { |
| mkValueString = v: |
| if v == null then "" else generators.mkValueStringDefault { } v; |
| } "="; |
| }; |
| grafana_cfgfile = settingsFormatIni.generate "config.ini" cfg.settings; |
| in { |
| scalpel.trafos."grafana.ini" = { |
| source = toString grafana_cfgfile; |
| matchers."client_secret".secret = |
| config.sops.secrets.clicks_grafana_client_secret.path; |
| owner = config.users.users.grafana.name; |
| group = config.users.users.root.name; |
| mode = "0400"; |
| }; |
| |
| systemd.services.grafana.serviceConfig.ExecStart = lib.mkForce |
| (pkgs.writeShellScript "grafana-start" '' |
| set -o errexit -o pipefail -o nounset -o errtrace |
| shopt -s inherit_errexit |
| |
| exec ${cfg.package}/bin/grafana-server -homepath ${cfg.dataDir} -config ${ |
| config.scalpel.trafos."grafana.ini".destination |
| } |
| ''); |
| systemd.services.grafana.restartTriggers = [ grafana_cfgfile ]; |
| } |
| else |
| { }) |