From 5127741ef7a589539f2d5bc09eb7be74bd4f8527 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Mon, 13 Feb 2023 17:19:53 +0000
Subject: [PATCH] Grafana config: Rewrite to new "settings" INI format and
(try) fix up authentication
---
nixos/modules/monitoring/server/grafana.nix | 73 +++++++++++----------
1 file changed, 40 insertions(+), 33 deletions(-)
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index 8cce63e0..7ce9eaef 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -7,16 +7,6 @@
let
cfg = config.services.private-storage.monitoring.grafana;
- grafanaAuth = if (cfg.googleOAuthClientID == "") then {
- anonymous.enable = true;
- } else {
- google.enable = true;
- # Grafana considers it "sign up" to let in a user it has
- # never seen before.
- google.allowSignUp = true;
- google.clientSecretFile = cfg.googleOAuthClientSecretFile;
- google.clientId = cfg.googleOAuthClientID;
- };
in {
@@ -93,35 +83,52 @@ in {
enable = true;
settings = {
- server.domain = "${toString domain}";
- server.http_port = 2342;
- server.http_addr = "127.0.0.1";
- };
- # No phoning home
- settings.analytics.reporting_enabled = false;
+ server = {
+ domain = "${toString domain}";
+ http_port = 2342;
+ http_addr = "127.0.0.1";
- # Force Grafana to believe it is reachable via https on the default port
- # number because that's where the nginx that forwards traffic to it is
- # listening. Grafana's own server listens on an internal address that
- # doesn't matter to anyone except our nginx instance.
- settings.server.root_url = "https://%(domain)s/";
+ # Defend against DNS rebinding attacks.
+ enforce_domain = true;
- # Defend against DNS rebinding attacks.
- settings.server.enforce_domain = true;
- # Same time zone for all users by default
- settings.date_formats.default_timezone = "UTC";
+ # Force Grafana to believe it is reachable via https on the default port
+ # number because that's where the nginx that forwards traffic to it is
+ # listening. Grafana's own server listens on an internal address that
+ # doesn't matter to anyone except our nginx instance.
+ root_url = "https://%(domain)s/";
+ };
- auth = {
- anonymous.org_role = "Admin";
- anonymous.org_name = "Main Org.";
- } // grafanaAuth;
+ # No phoning home
+ analytics.reporting_enabled = false;
- # Give users that come through GSuite SSO the highest possible privileges:
- settings.users.auto_assign_org_role = "Editor";
+ # Same time zone for all users by default
+ date_formats.default_timezone = "UTC";
- # Read the admin password from a file in our secrets folder:
- settings.security.admin_password = "$__file{${toString cfg.adminPasswordFile}}";
+ # The auth sections since NixOS 22.11 are named a bit funky with a dot in the name
+ #
+ # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/grafana/#anonymous-authentication
+ # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/google/
+ "auth.anonymous" = lib.mkIf (cfg.googleOAuthClientID == "") {
+ enabled = true;
+ org_role = "Admin";
+ org_name = "Main Org.";
+ };
+ "auth.google" = lib.mkIf (cfg.googleOAuthClientID != "") {
+ enabled = true;
+ # Grafana considers it "sign up" to let in a user it has
+ # never seen before.
+ allowSignUp = true;
+ clientSecretFile = cfg.googleOAuthClientSecretFile;
+ clientId = cfg.googleOAuthClientID;
+ };
+
+ # Give users that come through GSuite SSO the highest possible privileges:
+ users.auto_assign_org_role = "Editor";
+
+ # Read the admin password from a file in our secrets folder:
+ security.admin_password = "$__file{${toString cfg.adminPasswordFile}}";
+ };
provision = {
enable = true;
--
GitLab