From f279fbeb5d20529a7fb6261dd6cda8e1ce481ffb Mon Sep 17 00:00:00 2001
From: pazpi
Date: Fri, 1 May 2026 15:48:27 +0200
Subject: [PATCH] Fix SSO Groups mapping
---
 modules/monitoring/grafana.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/monitoring/grafana.nix b/modules/monitoring/grafana.nix
index 1952505..f38f298 100644
--- a/modules/monitoring/grafana.nix
+++ b/modules/monitoring/grafana.nix
@@ -91,12 +91,13 @@ in
 enabled = cfg.auth.enable;
 client_id = "GpPQl4K55kQQhIeuIgzN27kzPzSpY5HlpmqpU9sy";
 client_secret = "$__file{${cfg.auth.sectetKeyFile}}";
- scopes = "openid email profile";
+ scopes = "openid email profile groups";
 auth_url = "https://${cfg.auth.baseUrl}/application/o/authorize/";
 token_url = "https://${cfg.auth.baseUrl}/application/o/token/";
 api_url = "https://${cfg.auth.baseUrl}/application/o/userinfo/";
 # Optionally map user groups to Grafana roles";
- role_attribute_path = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'";
+ role_attribute_path = "contains(groups[*], 'Sysadmin') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'";
+ allow_assign_grafana_admin = true;
 };
 database = {
 user = "grafana";
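Review bot: `allow_assign_grafana_admin = true;` is switched on although the new `role_attribute_path` can only evaluate to 'Admin', 'Editor' or 'Viewer', so it grants nothing today but lets any later edit of the expression that yields `GrafanaAdmin` hand out server-administrator rights straight from an IdP group claim. Unless server-admin sync is intended, drop the line or set `allow_assign_grafana_admin = false;`; if it is intended, add a comment such as `# Server admin is synced from the IdP; only <group> may map to GrafanaAdmin` so the privilege boundary is visible in the module. The expression also mixes `contains(groups[*], 'Sysadmin')` with the untouched `contains(groups, 'Grafana Editors')`; use one form in both branches so the two group checks read the same way. The trailing `|| 'Viewer'` means every account the provider authenticates still gets at least Viewer even when the `groups` claim is missing, which is worth confirming as the intended default. The attribute set being edited starts outside the hunk.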