grafana: add kanidm oauth

2025-11-07 12:31:11 -05:00 · 2025-11-07 12:31:11 -05:00 · d42969036c
commit d42969036c
parent 63854f7d70
3 changed files with 58 additions and 7 deletions
--- a/modules/nixos/services/homeserver/grafana.nix
+++ b/modules/nixos/services/homeserver/grafana.nix
@ -28,8 +28,29 @@
        enable_gzip = true;
      };

+      "auth.generic_oauth" = {
+        enabled = true;
+        name = "Kanidm";
+        client_id = "grafana";
+        auth_url = "https://kanidm.wo2wz.fyi/ui/oauth2";
+        token_url = "https://kanidm.wo2wz.fyi/oauth2/token";
+        api_url = "https://kanidm.wo2wz.fyi/oauth2/openid/grafana/userinfo";
+
+        scopes = [ "openid" "profile" "email" "groups" "offline_access" ];
+        login_attribute_path = "preferred_username";
+        email_attribute_path = "email";
+        groups_attribute_path = "groups";
+        role_attribute_path = "contains(grafana_users[*], 'GrafanaAdmin') && 'GrafanaAdmin' || 'Viewer'";
+        allow_assign_grafana_admin = true;
+
+        allow_sign_up = true;
+        use_pkce = true;
+        use_refresh_token = true;
+      };
+
      security = {
        secret_key = "$__env{GRAFANA_SECRET_KEY}";
+        disable_initial_admin_creation = true;
        cookie_secure = true;
        disable_gravatar = true;
      };
--- a/modules/nixos/services/homeserver/kanidm.nix
+++ b/modules/nixos/services/homeserver/kanidm.nix
@ -4,6 +4,10 @@
  sops.secrets = {
    "acme/secrets.env" = {};

+    "kanidm/oauth2/grafana" = {
+      owner = "kanidm";
+      group = "kanidm";
+    };
    "kanidm/oauth2/nextcloud" = {
      owner = "kanidm";
      group = "kanidm";
@ -65,21 +69,45 @@
      persons.wo2w = {
        displayName = "wo2w";
        legalName = "Wo2wz_";
+        mailAddresses = [ "wo2w@kanidm.wo2wz.fyi" ];
+
+        groups = [
+          "grafana_users"
+          "nextcloud_users"
+          "zipline_users"
+
+          "grafana_admins"
+        ];
      };

      groups = {
-        nextcloud-grp.members = [ "wo2w" ];
-        zipline-grp.members = [ "wo2w" ];
+        grafana_users = {};
+        nextcloud_users = {};
+        zipline_users = {};
+
+        grafana_admins.members = [ "grafana_users" ];
      };

      systems.oauth2 = {
+        grafana = {
+          displayName = "Grafana";
+          originUrl = "https://grafana.taild5f7e6.ts.net/login/generic_oauth";
+          originLanding = "https://grafana.taild5f7e6.ts.net";
+
+          preferShortUsername = true;
+          basicSecretFile = config.sops.secrets."kanidm/oauth2/grafana".path;
+          scopeMaps.grafana_users = [ "openid" "email" "profile" "groups" "offline_access" ];
+          claimMaps.grafana_users.valuesByGroup.grafana_admins = [ "GrafanaAdmin" ];
+        };
+
        nextcloud = {
          displayName = "Nextcloud";
          originUrl = "https://nextcloud.wo2wz.fyi/index.php/apps/user_oidc/code";
          originLanding = "https://nextcloud.wo2wz.fyi/index.php";

+          preferShortUsername = true;
          basicSecretFile = config.sops.secrets."kanidm/oauth2/nextcloud".path;
-          scopeMaps.nextcloud-grp = [ "openid" "profile" ];
+          scopeMaps.nextcloud_users = [ "openid" "profile" ];
        };

        zipline = {
@ -87,9 +115,10 @@
          originUrl = "https://zipline.wo2wz.fyi/api/auth/oauth/oidc";
          originLanding = "https://zipline.wo2wz.fyi";

+          preferShortUsername = true;
          allowInsecureClientDisablePkce = true;
          basicSecretFile = config.sops.secrets."kanidm/oauth2/zipline".path;
-          scopeMaps.zipline-grp = [ "openid" "profile" "email" "offline_access" ];
+          scopeMaps.zipline_users = [ "openid" "profile" "email" "offline_access" ];
        };
      };
    };