Grafana with authentik

2025-02-21 17:45:18 +01:00 · 2025-02-21 17:45:18 +01:00 · db350e2445
commit db350e2445
parent 1efda446f3
4 changed files with 49 additions and 2 deletions
--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@ -105,7 +105,7 @@ in
      grafana = {
        proxy = {
          enable = true;
-          domain = p.domains.ts;
+          domain = p.domains.public;
          host = p.hosts.metrics;
        };
      };
@ -143,7 +143,7 @@ in
        extraVirtualHosts = [
          {
            subdomain = "h";
-            host = "http://ha.internal:8123";
+            host = "http://${p.hosts.homeassistant}:8123";
            domain = p.domains.public;
          }
        ];
--- a/hosts/metrics/default.nix
+++ b/hosts/metrics/default.nix
@ -7,6 +7,7 @@
 let
  tailscaleMagicDNS = "neon-dory.ts.net";
  defaultNodePort = toString config.services.prometheus.exporters.node.port;
+  p = import ../parameters.nix;
 in
 {

@ -16,6 +17,10 @@ in
      file = ../../secrets/grafana-admin-pwd.age;
      owner = "grafana";
    };
+    grafana-secret-auth = {
+      file = ../../secrets/grafana-secret-auth.age;
+      owner = "grafana";
+    };
  };

  my = {
@ -32,6 +37,12 @@ in
      grafana = {
        enable = true;
        adminPasswordFile = config.age.secrets.grafana-admin-pwd.path;
+        auth = {
+          enable = true;
+          baseUrl = "auth.${p.domains.public}";
+          sectetKeyFile = config.age.secrets.grafana-secret-auth.path;
+        };
+        proxy.domain = p.domains.public;
      };
      prometheus.enable = true;
      loki.enable = true;
--- a/modules/monitoring/grafana.nix
+++ b/modules/monitoring/grafana.nix
@ -23,6 +23,25 @@ in
      '';
    };

+    auth = {
+      enable = lib.mkEnableOption "Enable authentication (Authentik) for Grafana";
+      baseUrl = lib.mkOption {
+        default = "https://auth.example.com";
+        type = lib.types.str;
+        description = ''
+          The base URL of the Authentik instance
+        '';
+      };
+      sectetKeyFile = lib.mkOption {
+        default = "";
+        type = lib.types.path;
+        description = ''
+          Path to the file containing the secret key for Grafana
+        '';
+      };
+
+    };
+
    proxy = {
      enable = lib.mkEnableOption "Set the proxy entry for this service";

@ -63,6 +82,22 @@ in
          enable = true;
          settings = {
            analytics.reporting_enabled = false;
+            auth = lib.mkIf cfg.auth.enable {
+              signout_redirect_url = "https://${cfg.auth.baseUrl}/application/o/grafana/end-session/";
+              disable_login_form = true;
+            };
+            "auth.generic_oauth" = {
+              name = "authentik";
+              enabled = cfg.auth.enable;
+              client_id = "GpPQl4K55kQQhIeuIgzN27kzPzSpY5HlpmqpU9sy";
+              client_secret = "$__file{${cfg.auth.sectetKeyFile}}";
+              scopes = "openid email profile";
+              auth_url = "https://${cfg.auth.baseUrl}/application/o/authorize/";
+              token_url = "https://${cfg.auth.baseUrl}/application/o/token/";
+              api_url = "https://${cfg.auth.baseUrl}/application/o/userinfo/";
+              # Optionally map user groups to Grafana roles";
+              role_attribute_path = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'";
+            };
            database = {
              user = "grafana";
              type = "postgres";
--- a/secrets.nix
+++ b/secrets.nix
@ -13,6 +13,7 @@ let
    readarr-apiKey = [ machines.metrics ];
    bazarr-apiKey = [ machines.metrics ];
    grafana-admin-pwd = [ machines.metrics ];
+    grafana-secret-auth = [ machines.metrics ];
    nextcloud-admin-pwd = [ machines.nextcloud ];
    vaultwarden-admin-pwd = [ machines.vaultwarden ];
    searx-secret = [ machines.caddy ];