# Grafana for logs.clicks.codes: OIDC-only login against the Clicks Keycloak
# realm, plus one provisioned PostgreSQL datasource.
#
# Secret handling, and why the service is not started with the INI the NixOS
# module itself renders:
#   * `client_secret` below is only the literal placeholder `!!client_secret!!`,
#     so the INI that ends up in the (world-readable) Nix store never contains
#     the real OAuth client secret.
#   * When `base` is set, a scalpel transformation copies that INI to a
#     host-local path, substituting the placeholder from the sops-managed
#     secret, and the unit's ExecStart is forced to point `-config` at that copy.
#   * The sops secret stays root-owned and 0600; only scalpel's rendered copy is
#     owned by the grafana user, and that copy is 0400.
{ lib, config, base, pkgs, ... }:
let
  inherit (lib)
    recursiveUpdate optionalAttrs optionalString concatMapStringsSep mkForce
    generators;

  # All three OIDC endpoints hang off the same Keycloak realm path.
  oidcBase = "https://login.clicks.codes/realms/clicks/protocol/openid-connect";

  # JMESPath over the token/userinfo claims: the first matching Keycloak client
  # role (under resource_access.grafana.roles) decides the Grafana role, and a
  # user with none of them still lands on Viewer because of the trailing `|| 'Viewer'`.
  roleMapping =
    "contains(resource_access.grafana.roles[*], 'server_admin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || 'Viewer'";

  # Everything that does not depend on `base`.
  staticConfig = {
    services.grafana = {
      enable = true;

      settings = {
        server =
          let domain = "logs.clicks.codes";
          in {
            inherit domain;
            root_url = "https://${domain}";
            http_port = 9052;
            enable_gzip = true;
          };

        analytics.reporting_enabled = false;

        "auth.generic_oauth" = {
          enabled = true;
          name = "Clicks OAuth";
          # Any account in the realm may create a Grafana user; the role it gets
          # is decided by `roleMapping` (Viewer unless it carries a client role).
          allow_sign_up = true;
          client_id = "grafana";
          # Placeholder only -- replaced on the host by the scalpel trafo below.
          client_secret = "!!client_secret!!";
          scopes = "openid email profile offline_access roles";
          email_attribute_path = "email";
          login_attribute_path = "login";
          name_attribute_path = "name";
          auth_url = "${oidcBase}/auth";
          token_url = "${oidcBase}/token";
          api_url = "${oidcBase}/userinfo";
          role_attribute_path = roleMapping;
          # Needed so the 'GrafanaAdmin' branch of the mapping can actually
          # grant server-admin rights.
          allow_assign_grafana_admin = true;
          auto_login = true;
          # NOTE(review): no `use_pkce` is set for the authorization-code flow;
          # worth enabling if the deployed Grafana version supports it.
        };

        # With the login form disabled and basic auth off, the OAuth provider
        # above is the only way in (auto_login sends users straight there).
        "auth.basic".enabled = false;
        auth.disable_login_form = true;
      };

      provision.datasources.settings.datasources = [{
        name = "clicks-postgresql";
        type = "postgres";
        access = "proxy";

        url = "postgres://localhost:${toString config.services.postgresql.port}";
        # defined in postgres.nix (presumably the role and the
        # clicks_grafana_db_password secret -- verify there).
        user = "clicks_grafana";
        # Grafana expands $__file{...} at runtime, so the grafana user must be
        # able to read that sops path.
        password =
          "$__file{${config.sops.secrets.clicks_grafana_db_password.path}}";
        # NOTE(review): no database name or jsonData.sslmode is given here;
        # confirm the datasource defaults are the intended ones.
      }];
    };

    # Root-only on disk; scalpel reads it and hands grafana a rendered copy.
    # NOTE(review): group "nobody" is used here and for the trafo; confirm such
    # a group exists on this host.
    sops.secrets.clicks_grafana_client_secret = {
      mode = "0600";
      owner = "root";
      group = "nobody";
      sopsFile = ../secrets/grafana.json;
      format = "json";
    };
  };

  # Only applied when this module is evaluated with a `base`; otherwise the
  # static configuration stands alone.
  derivedConfig = optionalAttrs (base != null) (
    let
      grafanaCfg = config.services.grafana;

      # Same INI dialect the NixOS module uses: lists become space-separated
      # values and nulls render as an empty value.
      iniFormat = pkgs.formats.ini {
        listToValue = concatMapStringsSep " " (generators.mkValueStringDefault { });
        mkKeyValue = generators.mkKeyValueDefault {
          mkValueString = value:
            optionalString (value != null) (generators.mkValueStringDefault { } value);
        } "=";
      };

      # Store path of the INI; still holds only the placeholder secret.
      renderedIni = iniFormat.generate "config.ini" grafanaCfg.settings;

      startScript = pkgs.writeShellScript "grafana-start" ''
        set -o errexit -o pipefail -o nounset -o errtrace
        shopt -s inherit_errexit

        exec ${grafanaCfg.package}/bin/grafana-server -homepath ${grafanaCfg.dataDir} -config ${config.scalpel.trafos."grafana.ini".destination}
      '';
    in {
      scalpel.trafos."grafana.ini" = {
        source = toString renderedIni;
        matchers."client_secret".secret =
          config.sops.secrets.clicks_grafana_client_secret.path;
        owner = config.users.users.grafana.name;
        group = "nobody";
        mode = "0400";
      };

      systemd.services.grafana = {
        serviceConfig.ExecStart = mkForce startScript;
        # Only the rendered settings are tracked here; rotating the sops secret
        # alone is not covered by this list (check whether sops-nix's own
        # restart hooks handle that case).
        restartTriggers = [ renderedIni ];
      };
    }
  );
in
recursiveUpdate staticConfig derivedConfig