diff --git a/hosts/caddy/default.nix b/hosts/caddy/default.nix
index f3525ce..212a645 100644
--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@@ -105,7 +105,7 @@ in
 grafana = {
 proxy = {
 enable = true;
- domain = p.domains.ts;
+ domain = p.domains.public;
 host = p.hosts.metrics;
 };
 };
@@ -143,7 +143,7 @@ in
 extraVirtualHosts = [
 {
 subdomain = "h";
- host = "http://ha.internal:8123";
+ host = "http://${p.hosts.homeassistant}:8123";
 domain = p.domains.public;
 }
 ];
diff --git a/hosts/metrics/default.nix b/hosts/metrics/default.nix
index 28aaf69..0120bab 100644
--- a/hosts/metrics/default.nix
+++ b/hosts/metrics/default.nix
@@ -7,6 +7,7 @@ let
 tailscaleMagicDNS = "neon-dory.ts.net";
 defaultNodePort = toString config.services.prometheus.exporters.node.port;
+ p = import ../parameters.nix;
 in
 {
@@ -16,6 +17,10 @@ in
 file = ../../secrets/grafana-admin-pwd.age;
 owner = "grafana";
 };
+ grafana-secret-auth = {
+ file = ../../secrets/grafana-secret-auth.age;
+ owner = "grafana";
+ };
 };
 my = {
@@ -32,6 +37,12 @@ in
 grafana = {
 enable = true;
 adminPasswordFile = config.age.secrets.grafana-admin-pwd.path;
+ auth = {
+ enable = true;
+ baseUrl = "auth.${p.domains.public}";
+ sectetKeyFile = config.age.secrets.grafana-secret-auth.path;
+ };
+ proxy.domain = p.domains.public;
 };
 prometheus.enable = true;
 loki.enable = true;
diff --git a/modules/monitoring/grafana.nix b/modules/monitoring/grafana.nix
index 3a6d3ee..1079b23 100644
--- a/modules/monitoring/grafana.nix
+++ b/modules/monitoring/grafana.nix
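Review bot: Switching the Grafana proxy's `domain` from `p.domains.ts` to `p.domains.public` publishes the Grafana login page beyond the tailnet, and the only gate in front of it is the OAuth/`disable_login_form` configuration applied on a different host (hosts/metrics) in this same commit. If the caddy host is rebuilt before the metrics host, or if the `auth.enable = true` on that host is later turned off, the admin-password login form is reachable on the public domain with nothing in front of it. Consider recording that dependency next to this line, e.g. `# public exposure presumes the grafana.auth block on the metrics host is active`, or keeping `p.domains.ts` until the metrics host change has been deployed and verified.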
@@ -23,6 +23,25 @@ in
 '';
 };
+ auth = {
+ enable = lib.mkEnableOption "Enable authentication (Authentik) for Grafana";
+ baseUrl = lib.mkOption {
+ default = "https://auth.example.com";
+ type = lib.types.str;
+ description = ''
+ The base URL of the Authentik instance
+ '';
+ };
+ sectetKeyFile = lib.mkOption {
+ default = "";
+ type = lib.types.path;
+ description = ''
+ Path to the file containing the secret key for Grafana
+ '';
+ };
+
+ };
+
 proxy = {
 enable = lib.mkEnableOption "Set the proxy entry for this service";
@@ -63,6 +82,22 @@ in
 enable = true;
 settings = {
 analytics.reporting_enabled = false;
+ auth = lib.mkIf cfg.auth.enable {
+ signout_redirect_url = "https://${cfg.auth.baseUrl}/application/o/grafana/end-session/";
+ disable_login_form = true;
+ };
+ "auth.generic_oauth" = {
+ name = "authentik";
+ enabled = cfg.auth.enable;
+ client_id = "GpPQl4K55kQQhIeuIgzN27kzPzSpY5HlpmqpU9sy";
+ client_secret = "$__file{${cfg.auth.sectetKeyFile}}";
+ scopes = "openid email profile";
+ auth_url = "https://${cfg.auth.baseUrl}/application/o/authorize/";
+ token_url = "https://${cfg.auth.baseUrl}/application/o/token/";
+ api_url = "https://${cfg.auth.baseUrl}/application/o/userinfo/";
+ # Optionally map user groups to Grafana roles";
+ role_attribute_path = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'";
+ };
 database = {
 user = "grafana";
 type = "postgres";
diff --git a/secrets.nix b/secrets.nix
index 32b8c0f..fc20ab2 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -13,6 +13,7 @@ let
 readarr-apiKey = [ machines.metrics ];
 bazarr-apiKey = [ machines.metrics ];
 grafana-admin-pwd = [ machines.metrics ];
+ grafana-secret-auth = [ machines.metrics ];
 nextcloud-admin-pwd = [ machines.nextcloud ];
 vaultwarden-admin-pwd = [ machines.vaultwarden ];
 searx-secret = [ machines.caddy ];
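Review bot: The `sectetKeyFile` option declares `type = lib.types.path` with `default = ""`, and an empty string does not pass the path type check, so on any host that leaves `auth.enable` at its default the unconditional `client_secret = "$__file{${cfg.auth.sectetKeyFile}}"` in the second hunk of this file forces that default and should fail evaluation with a type error. Prefer `default = null; type = lib.types.nullOr lib.types.path;` and wrap the whole `"auth.generic_oauth"` attrset in `lib.mkIf cfg.auth.enable` instead of gating only its `enabled` field. `baseUrl` defaults to `"https://auth.example.com"` while every use in the second hunk prepends `https://` again (the metrics host passes a bare `auth.${p.domains.public}`), so the default would produce `https://https://…`; either drop the scheme from the default (`default = "auth.example.com";`) or make the option carry the full URL and stop prepending it. The name `sectetKeyFile` is a typo for `secretKeyFile` that is now part of the module interface (hosts/metrics sets it), so renaming later breaks consumers; rename it now while there is a single caller.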
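Review bot: `client_id` is the id of one Authentik deployment hard-coded inside a reusable module; it is not a secret, but every other host enabling `auth` would inherit it, so it belongs in a `lib.mkOption` next to `baseUrl` (e.g. `clientId`) like the other per-deployment values. The comment `# Optionally map user groups to Grafana roles";` carries a stray `";` copied from a config snippet; change it to `# Map Authentik groups to Grafana roles; anyone else becomes Viewer`. That fallback matters: `role_attribute_path` ends in `|| 'Viewer'`, so every account Authentik lets through the `grafana` application receives a Grafana login, and `allow_sign_up` is not set so Grafana's default of auto-creating users applies — if only members of the mapped groups should get in, set `role_attribute_strict = true` and drop the `'Viewer'` fallback, or restrict access to the application on the Authentik side.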