Grafana with authentik

hosts/caddy/default.nix

@@ -105,7 +105,7 @@ in
       grafana = {
         proxy = {
           enable = true;
-          domain = p.domains.ts;
+          domain = p.domains.public;
           host = p.hosts.metrics;
         };
       };
@@ -143,7 +143,7 @@ in
         extraVirtualHosts = [
           {
             subdomain = "h";
-            host = "http://ha.internal:8123";
+            host = "http://${p.hosts.homeassistant}:8123";
             domain = p.domains.public;
           }
         ];

hosts/metrics/default.nix

@@ -7,6 +7,7 @@
 let
   tailscaleMagicDNS = "neon-dory.ts.net";
   defaultNodePort = toString config.services.prometheus.exporters.node.port;
+  p = import ../parameters.nix;
 in
 {
 
@@ -16,6 +17,10 @@ in
       file = ../../secrets/grafana-admin-pwd.age;
       owner = "grafana";
     };
+    grafana-secret-auth = {
+      file = ../../secrets/grafana-secret-auth.age;
+      owner = "grafana";
+    };
   };
 
   my = {
@@ -32,6 +37,12 @@ in
       grafana = {
         enable = true;
         adminPasswordFile = config.age.secrets.grafana-admin-pwd.path;
+        auth = {
+          enable = true;
+          baseUrl = "auth.${p.domains.public}";
+          sectetKeyFile = config.age.secrets.grafana-secret-auth.path;
+        };
+        proxy.domain = p.domains.public;
       };
       prometheus.enable = true;
       loki.enable = true;

modules/monitoring/grafana.nix

@@ -23,6 +23,25 @@ in
       '';
     };
 
+    auth = {
+      enable = lib.mkEnableOption "Enable authentication (Authentik) for Grafana";
+      baseUrl = lib.mkOption {
+        default = "https://auth.example.com";
+        type = lib.types.str;
+        description = ''
+          The base URL of the Authentik instance
+        '';
+      };
+      sectetKeyFile = lib.mkOption {
+        default = "";
+        type = lib.types.path;
+        description = ''
+          Path to the file containing the secret key for Grafana
+        '';
+      };
+
+    };
+
     proxy = {
       enable = lib.mkEnableOption "Set the proxy entry for this service";
 
@@ -63,6 +82,22 @@ in
           enable = true;
           settings = {
             analytics.reporting_enabled = false;
+            auth = lib.mkIf cfg.auth.enable {
+              signout_redirect_url = "https://${cfg.auth.baseUrl}/application/o/grafana/end-session/";
+              disable_login_form = true;
+            };
+            "auth.generic_oauth" = {
+              name = "authentik";
+              enabled = cfg.auth.enable;
+              client_id = "GpPQl4K55kQQhIeuIgzN27kzPzSpY5HlpmqpU9sy";
+              client_secret = "$__file{${cfg.auth.sectetKeyFile}}";
+              scopes = "openid email profile";
+              auth_url = "https://${cfg.auth.baseUrl}/application/o/authorize/";
+              token_url = "https://${cfg.auth.baseUrl}/application/o/token/";
+              api_url = "https://${cfg.auth.baseUrl}/application/o/userinfo/";
+              # Optionally map user groups to Grafana roles";
+              role_attribute_path = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'";
+            };
             database = {
               user = "grafana";
               type = "postgres";

secrets.nix

@@ -13,6 +13,7 @@ let
     readarr-apiKey = [ machines.metrics ];
     bazarr-apiKey = [ machines.metrics ];
     grafana-admin-pwd = [ machines.metrics ];
+    grafana-secret-auth = [ machines.metrics ];
     nextcloud-admin-pwd = [ machines.nextcloud ];
     vaultwarden-admin-pwd = [ machines.vaultwarden ];
     searx-secret = [ machines.caddy ];