wo2w/nixos-config
1
0
Fork 0
Code Issues Pull requests Activity

grafana: add kanidm oauth

Browse source
This commit is contained in:
wo2wz 2025-11-07 12:31:11 -05:00
parent 63854f7d70
commit d42969036c
3 changed files with 58 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

21
modules/nixos/services/homeserver/grafana.nix
View file

@ -28,8 +28,29 @@
enable_gzip = true; enable_gzip = true;
}; };
"auth.generic_oauth" = {
enabled = true;
name = "Kanidm";
client_id = "grafana";
auth_url = "https://kanidm.wo2wz.fyi/ui/oauth2";
token_url = "https://kanidm.wo2wz.fyi/oauth2/token";
api_url = "https://kanidm.wo2wz.fyi/oauth2/openid/grafana/userinfo";
scopes = [ "openid" "profile" "email" "groups" "offline_access" ];
login_attribute_path = "preferred_username";
email_attribute_path = "email";
groups_attribute_path = "groups";
role_attribute_path = "contains(grafana_users[*], 'GrafanaAdmin') && 'GrafanaAdmin' || 'Viewer'";
allow_assign_grafana_admin = true;
allow_sign_up = true;
use_pkce = true;
use_refresh_token = true;
};
security = { security = {
secret_key = "$__env{GRAFANA_SECRET_KEY}"; secret_key = "$__env{GRAFANA_SECRET_KEY}";
disable_initial_admin_creation = true;
cookie_secure = true; cookie_secure = true;
disable_gravatar = true; disable_gravatar = true;
}; };

37
modules/nixos/services/homeserver/kanidm.nix
View file

@ -4,6 +4,10 @@
sops.secrets = { sops.secrets = {
"acme/secrets.env" = {}; "acme/secrets.env" = {};
"kanidm/oauth2/grafana" = {
owner = "kanidm";
group = "kanidm";
};
"kanidm/oauth2/nextcloud" = { "kanidm/oauth2/nextcloud" = {
owner = "kanidm"; owner = "kanidm";
group = "kanidm"; group = "kanidm";
@ -65,21 +69,45 @@
persons.wo2w = { persons.wo2w = {
displayName = "wo2w"; displayName = "wo2w";
legalName = "Wo2wz_"; legalName = "Wo2wz_";
mailAddresses = [ "wo2w@kanidm.wo2wz.fyi" ];
groups = [
"grafana_users"
"nextcloud_users"
"zipline_users"
"grafana_admins"
];
}; };
groups = { groups = {
nextcloud-grp.members = [ "wo2w" ]; grafana_users = {};
zipline-grp.members = [ "wo2w" ]; nextcloud_users = {};
zipline_users = {};
grafana_admins.members = [ "grafana_users" ];
}; };
systems.oauth2 = { systems.oauth2 = {
grafana = {
displayName = "Grafana";
originUrl = "https://grafana.taild5f7e6.ts.net/login/generic_oauth";
originLanding = "https://grafana.taild5f7e6.ts.net";
preferShortUsername = true;
basicSecretFile = config.sops.secrets."kanidm/oauth2/grafana".path;
scopeMaps.grafana_users = [ "openid" "email" "profile" "groups" "offline_access" ];
claimMaps.grafana_users.valuesByGroup.grafana_admins = [ "GrafanaAdmin" ];
};
nextcloud = { nextcloud = {
displayName = "Nextcloud"; displayName = "Nextcloud";
originUrl = "https://nextcloud.wo2wz.fyi/index.php/apps/user_oidc/code"; originUrl = "https://nextcloud.wo2wz.fyi/index.php/apps/user_oidc/code";
originLanding = "https://nextcloud.wo2wz.fyi/index.php"; originLanding = "https://nextcloud.wo2wz.fyi/index.php";
preferShortUsername = true;
basicSecretFile = config.sops.secrets."kanidm/oauth2/nextcloud".path; basicSecretFile = config.sops.secrets."kanidm/oauth2/nextcloud".path;
scopeMaps.nextcloud-grp = [ "openid" "profile" ]; scopeMaps.nextcloud_users = [ "openid" "profile" ];
}; };
zipline = { zipline = {
@ -87,9 +115,10 @@
originUrl = "https://zipline.wo2wz.fyi/api/auth/oauth/oidc"; originUrl = "https://zipline.wo2wz.fyi/api/auth/oauth/oidc";
originLanding = "https://zipline.wo2wz.fyi"; originLanding = "https://zipline.wo2wz.fyi";
preferShortUsername = true;
allowInsecureClientDisablePkce = true; allowInsecureClientDisablePkce = true;
basicSecretFile = config.sops.secrets."kanidm/oauth2/zipline".path; basicSecretFile = config.sops.secrets."kanidm/oauth2/zipline".path;
scopeMaps.zipline-grp = [ "openid" "profile" "email" "offline_access" ]; scopeMaps.zipline_users = [ "openid" "profile" "email" "offline_access" ];
}; };
}; };
}; };

7
secrets/secrets.yaml
View file

@ -7,9 +7,10 @@ caddy:
cloudflared: cloudflared:
8af2892d-d534-4e32-b867-5b79308a99d5.json: ENC[AES256_GCM,data:4fOlt/pNxQ9CSuKf1ZPv9odtdU+Q7NTlO56xGp5yY0AEZrbpljSlTS/b8dON5iVwRoUjUbUui8+jvDri7ad99e+kZUwzDC2S294oaQyPa5Bl4jrYZSFn6SWZbnBzyV5tVN0hoQlIMQ/oU53TvBAtNrj10toePH7iLB12AmqMCBshWEFUViAJqGcZZMrcarAT453FgtpR+f3vR8Wv90SGc7wHXARJZ4NzEIRmYD4dGA==,iv:1Mt9FJTlT7Sv9FvrNY97icXSi757ejt56lhc7OG1dJM=,tag:JxW5Cg6nPzzh4zxi9Wvw0A==,type:str] 8af2892d-d534-4e32-b867-5b79308a99d5.json: ENC[AES256_GCM,data:4fOlt/pNxQ9CSuKf1ZPv9odtdU+Q7NTlO56xGp5yY0AEZrbpljSlTS/b8dON5iVwRoUjUbUui8+jvDri7ad99e+kZUwzDC2S294oaQyPa5Bl4jrYZSFn6SWZbnBzyV5tVN0hoQlIMQ/oU53TvBAtNrj10toePH7iLB12AmqMCBshWEFUViAJqGcZZMrcarAT453FgtpR+f3vR8Wv90SGc7wHXARJZ4NzEIRmYD4dGA==,iv:1Mt9FJTlT7Sv9FvrNY97icXSi757ejt56lhc7OG1dJM=,tag:JxW5Cg6nPzzh4zxi9Wvw0A==,type:str]
grafana: grafana:
secrets.env: ENC[AES256_GCM,data:lWLfvr/pplCN1GzTiVF0avFzaqZX2+2kMK5bK19voyKGT8z6md/5vEKo4H9gDTKcSu7Y,iv:uj6wGI/OKtzvD4m+EVXfovvfRTCP4TnVxxnQtiwtpb4=,tag:syh4H2EnHgMJHQGyhBg+1g==,type:str] secrets.env: ENC[AES256_GCM,data:yv7u5+8l7M4PJ4BzCUlTGX8PeFxxVMtS2Pi4yKnvAeZf+4tcz6NFNRjyPeqTFinqmZ8yq+iYA1tBS5Gy9DTHo8TzmhoaWBPI/ZUXQgl5Y7lnGBOyZ6wHlllsP8zbC+zEWW+gRssaXj6yYBuvQTTzfSqSlmZdB7VwhUegiVxMs722jbys1Rl+NE8TKDc384IbwPRAIi6ZO+UH,iv:M/dgcJ++gMH5/sNQDUQvkiJW2n+fSkPCEDZBcFRXWuE=,tag:SocmiehkaCzl9ZB8dNZPZQ==,type:str]
kanidm: kanidm:
oauth2: oauth2:
grafana: ENC[AES256_GCM,data:9aWa5SJ4UNWcQCCRT9rL6XnoUjlkXeifBYe3fL4xRbNC3bc5L6jNtJOF9v0ZZ874pTr/dnv5LzLz/ISLDQWfnw==,iv:+V+JjP2EA02cn7aFif262DjqoCXYRLqXv2jR0pc457c=,tag:CI9daTCxkeOueb3d//hx0A==,type:str]
nextcloud: ENC[AES256_GCM,data:P7ha6OwX6A5PyNO4xy+UTfdQBeKbktJbK5Ggv/fLuW+SDrxTehuwM1F9A5el3j1Dsegk3VsrrTPBZTVU6i5qwA==,iv:YcvNvAZHjdBd9q5Uxdp+Phj5uQRqLoRi33rIzUcv7Ng=,tag:cXM58lfOpHbTbaJRNUm1Kw==,type:str] nextcloud: ENC[AES256_GCM,data:P7ha6OwX6A5PyNO4xy+UTfdQBeKbktJbK5Ggv/fLuW+SDrxTehuwM1F9A5el3j1Dsegk3VsrrTPBZTVU6i5qwA==,iv:YcvNvAZHjdBd9q5Uxdp+Phj5uQRqLoRi33rIzUcv7Ng=,tag:cXM58lfOpHbTbaJRNUm1Kw==,type:str]
zipline: ENC[AES256_GCM,data:q25Ugsqj6+we3dTDyczfxuGA1DcnlxUDbJLxlzVAF3wTtzdF4t6p2tkPlTtvvgLQQPg/sYAQB0zFE9DcxpxuCw==,iv:fyhRGFUTx1d0ITygUWOkaDAtVI2h05DMv3aEI/DUM2k=,tag:WaPRXbFXl1+aTC+ZtyITYw==,type:str] zipline: ENC[AES256_GCM,data:q25Ugsqj6+we3dTDyczfxuGA1DcnlxUDbJLxlzVAF3wTtzdF4t6p2tkPlTtvvgLQQPg/sYAQB0zFE9DcxpxuCw==,iv:fyhRGFUTx1d0ITygUWOkaDAtVI2h05DMv3aEI/DUM2k=,tag:WaPRXbFXl1+aTC+ZtyITYw==,type:str]
nextcloud: nextcloud:
@ -33,7 +34,7 @@ sops:
N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P
RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ== RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-03T19:35:32Z" lastmodified: "2025-11-06T15:31:14Z"
mac: ENC[AES256_GCM,data:vN6cjwfohcSPtqjSc+PJbuLDXGZauk92/ICRi3u2KiXZiThbTHJVVRM5b9s/nPBKMfEXoNu1VW0G3FiM5AZIrJDDlzUrF63iGm8m4WHMp37EcKCAm+VUGJqSd2Tg5AzR0JBgf85MSpCuv+4Btu8y9l4cpJWWfD+xXaq77wrx7nk=,iv:u7i2waGlejnICk6xQGs59EVchPTpBv1Y/FSwr/tmJwM=,tag:+H6py1V65Y+QKQ0WQ4i5wg==,type:str] mac: ENC[AES256_GCM,data:mOKxCnv5dDNuWGairJhV4Es36/MqM61d8ludzIgjpVmDD7arAxaMQA56FpCBU8eu0hVs1pO/Gw7xj0DIo+VTD0k2mdkimsp74gi13eEUdOCN5s+/7Th9sBpk5LeY9hzPp2fDFmBK3LLP9Jvp8IdKsbMgNKu6VzxukrWKOr1RpkM=,iv:HJKu/io7tV0Il06V2aglOaJHkjOxOcZ9JFbFCqFbTFw=,tag:iDmktXmP64OkijUxsQ5FCA==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0