Grafana with authentik

modules/monitoring/grafana.nix

@@ -23,6 +23,25 @@ in
       '';
     };
 
+    auth = {
+      enable = lib.mkEnableOption "Enable authentication (Authentik) for Grafana";
+      baseUrl = lib.mkOption {
+        default = "https://auth.example.com";
+        type = lib.types.str;
+        description = ''
+          The base URL of the Authentik instance
+        '';
+      };
+      sectetKeyFile = lib.mkOption {
+        default = "";
+        type = lib.types.path;
+        description = ''
+          Path to the file containing the secret key for Grafana
+        '';
+      };
+
+    };
+
     proxy = {
       enable = lib.mkEnableOption "Set the proxy entry for this service";
 
@@ -63,6 +82,22 @@ in
           enable = true;
           settings = {
             analytics.reporting_enabled = false;
+            auth = lib.mkIf cfg.auth.enable {
+              signout_redirect_url = "https://${cfg.auth.baseUrl}/application/o/grafana/end-session/";
+              disable_login_form = true;
+            };
+            "auth.generic_oauth" = {
+              name = "authentik";
+              enabled = cfg.auth.enable;
+              client_id = "GpPQl4K55kQQhIeuIgzN27kzPzSpY5HlpmqpU9sy";
+              client_secret = "$__file{${cfg.auth.sectetKeyFile}}";
+              scopes = "openid email profile";
+              auth_url = "https://${cfg.auth.baseUrl}/application/o/authorize/";
+              token_url = "https://${cfg.auth.baseUrl}/application/o/token/";
+              api_url = "https://${cfg.auth.baseUrl}/application/o/userinfo/";
+              # Optionally map user groups to Grafana roles";
+              role_attribute_path = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'";
+            };
             database = {
               user = "grafana";
               type = "postgres";