{ config, lib, ... }: let cfg = config.bagel.services.grafana; inherit (lib) mkEnableOption mkIf; in { options.bagel.services.grafana.enable = mkEnableOption "Grafana frontend"; config = mkIf cfg.enable { age.secrets.grafana-oauth-secret = { file = ../../../secrets/grafana-oauth-secret.age; owner = "grafana"; }; bagel.services.postgres.enable = true; services = { grafana = { enable = true; settings = { server = { domain = "grafana.forkos.org"; http_addr = "127.0.0.1"; http_port = 2342; root_url = "https://grafana.forkos.org/"; }; database = { type = "postgres"; user = "grafana"; host = "/run/postgresql"; }; "auth.generic_oauth" = { enabled = true; name = "Lix SSO"; client_id = "forkos-grafana"; client_secret = "$__file{${config.age.secrets.grafana-oauth-secret.path}}"; auth_url = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth"; token_url = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token"; api_url = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/userinfo"; login_attribute_path = "username"; email_attribute_path = "email"; name_attribute_path = "full_name"; scopes = [ "openid" "profile" "email" "offline_access" "roles" ]; allow_sign_up = true; auto_login = true; allow_assign_grafana_admin = true; role_attribute_path = "contains(grafana_roles[*], 'Admin') && 'GrafanaAdmin' || contains(grafana_roles[*], 'Editor') && 'Editor' || 'Viewer'"; }; dashboards.default_home_dashboard_path = "${./dashboards/node_exporter.json}"; feature_toggles.enable = "autoMigrateOldPanels newVizTooltips"; security.angular_support_enabled = false; }; provision = { dashboards.settings = { apiVersion = 1; providers = [ { name = "default"; options.path = ./dashboards; } ]; }; datasources.settings = { apiVersion = 1; datasources = [ { name = "Mimir"; type = "prometheus"; uid = "mimir"; access = "proxy"; url = "http://127.0.0.1:9009/prometheus"; } { name = "Loki"; type = "loki"; uid = "loki"; access = "proxy"; url = "http://127.0.0.1:9090/"; } ]; }; }; }; postgresql = { ensureDatabases = [ "grafana" ]; ensureUsers = [ { name = "grafana"; ensureDBOwnership = true; } ]; }; nginx = let scfg = config.services.grafana.settings.server; in { enable = true; virtualHosts."${scfg.domain}" = { enableACME = true; forceSSL = true; locations."/" = { proxyPass = "http://${scfg.http_addr}:${toString scfg.http_port}"; proxyWebsockets = true; }; }; }; }; }; }