{
  config,
  lib,
  ...
}:

# Grafana frontend for the ForkOS monitoring stack.
#
# Shape of the deployment (all of it is in this file):
#   - Grafana listens on loopback only; nginx terminates TLS (ACME) and
#     proxies grafana.forkos.org to it.
#   - State lives in a local Postgres database reached over a Unix socket.
#   - Login is delegated to the Lix SSO (an OIDC realm) through Grafana's
#     generic OAuth provider; the client secret comes from an age-encrypted
#     file rather than the Nix store.
#   - A single Mimir datasource and the dashboards under ./dashboards are
#     provisioned declaratively.
let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.bagel.services.grafana;

  # All three OIDC endpoints hang off the same realm path, so build them
  # from one base. Interpolation yields byte-identical URLs.
  oidcBase = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect";

  # Runtime path of the decrypted OAuth client secret (see age.secrets below).
  # Grafana reads it through its $__file{} expansion, so the secret never
  # lands in the world-readable /nix/store.
  oauthSecretFile = config.age.secrets.grafana-oauth-secret.path;
in
{
  options.bagel.services.grafana.enable = mkEnableOption "Grafana frontend";

  config = mkIf cfg.enable {
    # Decrypted at activation; owned by the grafana user so the service can
    # read it without any extra group plumbing.
    age.secrets.grafana-oauth-secret = {
      file = ../../../secrets/grafana-oauth-secret.age;
      owner = "grafana";
    };

    # Grafana's database lives on the same host.
    bagel.services.postgres.enable = true;

    services.postgresql = {
      ensureDatabases = [ "grafana" ];
      ensureUsers = [
        {
          name = "grafana";
          # The grafana role owns its database; no password is configured here,
          # so access is presumably socket/peer based — confirm in the postgres
          # module.
          ensureDBOwnership = true;
        }
      ];
    };

    services.grafana = {
      enable = true;

      settings = {
        server = {
          domain = "grafana.forkos.org";
          # Loopback only: the public listener and TLS are nginx's job below.
          http_addr = "127.0.0.1";
          http_port = 2342;
          # Public URL. Grafana derives the OAuth redirect/callback URL from it,
          # so it must match what is registered for the client on the IdP.
          root_url = "https://grafana.forkos.org/";
        };

        database = {
          type = "postgres";
          user = "grafana";
          # Unix-socket connection to the local Postgres (no TCP, no password).
          host = "/run/postgresql";
        };

        "auth.generic_oauth" = {
          enabled = true;
          name = "Lix SSO";

          client_id = "forkos-grafana";
          # $__file{} is expanded by Grafana at startup; the path is the
          # age-decrypted secret above, never a literal in the store.
          client_secret = "$__file{${oauthSecretFile}}";

          auth_url = "${oidcBase}/auth";
          token_url = "${oidcBase}/token";
          # Profile claims are taken from the userinfo endpoint.
          api_url = "${oidcBase}/userinfo";

          login_attribute_path = "username";
          email_attribute_path = "email";
          name_attribute_path = "full_name";

          # NOTE(review): "offline_access" asks the IdP for a refresh token, but
          # nothing here sets use_refresh_token, so Grafana only uses it if that
          # option defaults on in the deployed Grafana version — confirm whether
          # the scope is actually needed.
          scopes = [
            "openid"
            "profile"
            "email"
            "offline_access"
            "roles"
          ];

          # Any realm account that completes the login gets a Grafana user
          # created on first sign-in, and (via the 'Viewer' fallback of the role
          # mapping below) at least read access. Nothing in this file narrows
          # that — no allowed_groups / allowed_domains / role_attribute_strict —
          # so access control rests entirely on whoever the IdP lets use the
          # forkos-grafana client. NOTE(review): confirm that is the intent.
          allow_sign_up = true;
          # Skip Grafana's own login page and go straight to SSO. The local
          # admin form is presumably still reachable with ?disableAutoLogin —
          # verify, and keep the built-in admin credentials locked down either way.
          auto_login = true;
          # Required for the 'GrafanaAdmin' result of the mapping below to grant
          # server-admin (not just org Admin) rights.
          allow_assign_grafana_admin = true;

          # JMESPath over the userinfo claims: a "grafana_roles" claim containing
          # 'Admin' → Grafana server admin, 'Editor' → Editor, anything else
          # (including a missing claim) → Viewer. The claim itself is presumably
          # emitted by a client mapper on the IdP; if it is ever dropped, every
          # login silently degrades to Viewer rather than failing.
          role_attribute_path = "contains(grafana_roles[*], 'Admin') && 'GrafanaAdmin' || contains(grafana_roles[*], 'Editor') && 'Editor' || 'Viewer'";

          # NOTE(review): use_pkce is not set. PKCE is defence in depth for the
          # authorization-code flow even with a confidential client; whether it
          # is on by default depends on the Grafana version deployed — confirm
          # and set it explicitly if not.
        };

        # Interpolating the path copies the dashboard JSON into the store.
        dashboards.default_home_dashboard_path = "${./dashboards/node_exporter.json}";

        feature_toggles.enable = "autoMigrateOldPanels newVizTooltips";

        # Angular panel plugins are deprecated upstream; keeping them off
        # removes that frontend code path entirely.
        security.angular_support_enabled = false;
      };

      provision = {
        # Everything under ./dashboards is loaded as a provisioned dashboard.
        dashboards.settings = {
          apiVersion = 1;
          providers = [
            {
              name = "default";
              options.path = ./dashboards;
            }
          ];
        };

        datasources.settings = {
          apiVersion = 1;
          datasources = [
            {
              name = "Mimir";
              type = "prometheus";
              uid = "mimir";
              # "proxy": the Grafana backend talks to Mimir, browsers never do.
              access = "proxy";
              # Plain HTTP with no credentials; acceptable only because this is
              # loopback. NOTE(review): relies on Mimir also binding to
              # 127.0.0.1 — that is configured elsewhere, verify.
              url = "http://127.0.0.1:9009/prometheus";
            }
          ];
        };
      };
    };

    services.nginx =
      let
        srv = config.services.grafana.settings.server;
      in
      {
        enable = true;

        virtualHosts."${srv.domain}" = {
          enableACME = true;
          # Redirect plain HTTP to HTTPS; the OAuth callback must arrive over TLS.
          forceSSL = true;

          locations."/" = {
            proxyPass = "http://${srv.http_addr}:${toString srv.http_port}";
            # Websocket upgrade for Grafana Live.
            proxyWebsockets = true;
            # NOTE(review): no X-Forwarded-* headers are set in this location.
            # Unless recommendedProxySettings is enabled elsewhere in this
            # infra, Grafana will see 127.0.0.1 as every client's address in
            # its logs and audit trail.
          };
        };
      };
  };
}