From 5127741ef7a589539f2d5bc09eb7be74bd4f8527 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Mon, 13 Feb 2023 17:19:53 +0000
Subject: [PATCH] Grafana config: Rewrite to new "settings" INI format and (try) fix up authentication
---
 nixos/modules/monitoring/server/grafana.nix | 73 +++++++++++----------
 1 file changed, 40 insertions(+), 33 deletions(-)
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index 8cce63e0..7ce9eaef 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -7,16 +7,6 @@ let
 cfg = config.services.private-storage.monitoring.grafana;
- grafanaAuth = if (cfg.googleOAuthClientID == "") then {
- anonymous.enable = true;
- } else {
- google.enable = true;
- # Grafana considers it "sign up" to let in a user it has
- # never seen before.
- google.allowSignUp = true;
- google.clientSecretFile = cfg.googleOAuthClientSecretFile;
- google.clientId = cfg.googleOAuthClientID;
- };
 in {
@@ -93,35 +83,52 @@ in {
 enable = true;
 settings = {
- server.domain = "${toString domain}";
- server.http_port = 2342;
- server.http_addr = "127.0.0.1";
- };
- # No phoning home
- settings.analytics.reporting_enabled = false;
+ server = {
+ domain = "${toString domain}";
+ http_port = 2342;
+ http_addr = "127.0.0.1";
- # Force Grafana to believe it is reachable via https on the default port
- # number because that's where the nginx that forwards traffic to it is
- # listening. Grafana's own server listens on an internal address that
- # doesn't matter to anyone except our nginx instance.
- settings.server.root_url = "https://%(domain)s/";
+ # Defend against DNS rebinding attacks.
+ enforce_domain = true;
- # Defend against DNS rebinding attacks.
- settings.server.enforce_domain = true;
- # Same time zone for all users by default
- settings.date_formats.default_timezone = "UTC";
+ # Force Grafana to believe it is reachable via https on the default port
+ # number because that's where the nginx that forwards traffic to it is
+ # listening. Grafana's own server listens on an internal address that
+ # doesn't matter to anyone except our nginx instance.
+ root_url = "https://%(domain)s/";
+ };
- auth = {
- anonymous.org_role = "Admin";
- anonymous.org_name = "Main Org.";
- } // grafanaAuth;
+ # No phoning home
+ analytics.reporting_enabled = false;
- # Give users that come through GSuite SSO the highest possible privileges:
- settings.users.auto_assign_org_role = "Editor";
+ # Same time zone for all users by default
+ date_formats.default_timezone = "UTC";
- # Read the admin password from a file in our secrets folder:
- settings.security.admin_password = "$__file{${toString cfg.adminPasswordFile}}";
+ # The auth sections since NixOS 22.11 are named a bit funky with a dot in the name
+ #
+ # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/grafana/#anonymous-authentication
+ # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/google/
+ "auth.anonymous" = lib.mkIf (cfg.googleOAuthClientID == "") {
+ enabled = true;
+ org_role = "Admin";
+ org_name = "Main Org.";
+ };
+ "auth.google" = lib.mkIf (cfg.googleOAuthClientID != "") {
+ enabled = true;
+ # Grafana considers it "sign up" to let in a user it has
+ # never seen before.
+ allowSignUp = true;
+ clientSecretFile = cfg.googleOAuthClientSecretFile;
+ clientId = cfg.googleOAuthClientID;
+ };
+
+ # Give users that come through GSuite SSO the highest possible privileges:
+ users.auto_assign_org_role = "Editor";
+
+ # Read the admin password from a file in our secrets folder:
+ security.admin_password = "$__file{${toString cfg.adminPasswordFile}}";
+ };
 provision = {
 enable = true;
-- GitLab
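Review bot: The `"auth.google"` block carries the old NixOS option names rather than Grafana's INI keys, so under the freeform `settings` format `allowSignUp`, `clientSecretFile` and `clientId` are written verbatim into grafana.ini, where Grafana presumably ignores them and Google SSO ends up with no client id or secret. Grafana's `[auth.google]` section reads `allow_sign_up`, `client_id` and `client_secret`, and the secret can stay out of the Nix store via the same `$__file{...}` expansion this hunk already uses for `admin_password`: `allow_sign_up = true;`, `client_id = cfg.googleOAuthClientID;`, `client_secret = "$__file{${toString cfg.googleOAuthClientSecretFile}}";`. The `"auth.anonymous"` keys (`enabled`, `org_role`, `org_name`) do match Grafana's names. It is worth confirming on a deployed instance that the `lib.mkIf` values inside the freeform attrset are discharged as intended, since a leftover `enabled = true` under `auth.anonymous` alongside a configured Google client would grant Admin to unauthenticated visitors.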