Commit 3e12bb84 authored by Florian Sesser's avatar Florian Sesser

Add Google OAuth2 authentication

parent 487f1418
...@@ -55,6 +55,8 @@ let ...@@ -55,6 +55,8 @@ let
stateVersion = "19.09"; stateVersion = "19.09";
}) })
]; ];
# Allow anonymous access to Grafana in local development environment:
services.private-storage.monitoring.grafana.googleOAuthClientID = "";
}; };
# TBD: derive these automatically: # TBD: derive these automatically:
......
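Review bot: Authentication is switched off here by assigning an empty string to `googleOAuthClientID`, so any deployment whose client ID ends up empty by accident (a blank secrets entry, an unset variable) would take the same anonymous path. An explicit boolean option, or an assertion in the Grafana module that rejects an empty ID outside development, would make the unauthenticated mode a deliberate choice rather than a sentinel value. At minimum the comment should spell out the mechanism, for example `# Local development only: an empty client ID disables Google SSO and enables anonymous access to Grafana.`. The enclosing attribute set starts and ends outside the hunk.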
...@@ -7,6 +7,14 @@ ...@@ -7,6 +7,14 @@
let let
cfg = config.services.private-storage.monitoring.grafana; cfg = config.services.private-storage.monitoring.grafana;
grafanaAuth = if (cfg.googleOAuthClientID == "") then {
anonymous.enable = true;
} else {
# Google OAuth2 SSO:
google.enable = true;
google.clientSecretFile = cfg.googleOAuthClientID;
google.clientId = cfg.googleOAuthClientSecretFile;
};
in { in {
options.services.private-storage.monitoring.grafana = { options.services.private-storage.monitoring.grafana = {
...@@ -27,6 +35,18 @@ in { ...@@ -27,6 +35,18 @@ in {
default = "http://localhost:3100/"; default = "http://localhost:3100/";
description = "The URL of the Loki host to access"; description = "The URL of the Loki host to access";
}; };
googleOAuthClientID = lib.mkOption
{ type = lib.types.str;
example = lib.literalExample "grafana-staging-345678";
default = "replace-by-your-client-id-or-set-empty-string-for-anonymous-access";
description = "The GSuite OAuth2 SSO Client ID. Empty string turns SSO auth off and anonymous (free for all) access on.";
};
googleOAuthClientSecretFile = lib.mkOption
{ type = lib.types.path;
example = lib.literalExample "\${privKeyPath}/grafana-gsuite-client-secret";
default = null;
description = "The path to the GSuite SSO secret file.";
};
}; };
config = { config = {
...@@ -38,13 +58,13 @@ in { ...@@ -38,13 +58,13 @@ in {
domain = cfg.domain; domain = cfg.domain;
port = 2342; port = 2342;
addr = "127.0.0.1"; addr = "127.0.0.1";
# All three are required to forego the user/pass prompt:
auth.anonymous.enable = true;
auth.anonymous.org_role = "Admin";
auth.anonymous.org_name = "Main Org.";
}; };
services.grafana.auth = {
anonymous.org_role = "Admin";
anonymous.org_name = "Main Org.";
} // grafanaAuth;
services.grafana.provision = { services.grafana.provision = {
enable = true; enable = true;
# See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources # See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources
......
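Review bot: In the `grafanaAuth` binding the two Google settings are crossed: `google.clientSecretFile` receives `cfg.googleOAuthClientID` and `google.clientId` receives `cfg.googleOAuthClientSecretFile`, so the secret file's path would be used as the public client ID and SSO login cannot work; they should read `google.clientId = cfg.googleOAuthClientID;` and `google.clientSecretFile = cfg.googleOAuthClientSecretFile;`. In the last hunk, `//` is a shallow merge, so in the anonymous branch `grafanaAuth.anonymous` replaces the whole `anonymous` set and `org_role` and `org_name` are dropped, although the removed comment said all three are required; `services.grafana.auth = lib.recursiveUpdate { … } grafanaAuth;` keeps them. `googleOAuthClientSecretFile` declares `lib.types.path` with `default = null`, which that type does not accept, so `lib.types.nullOr lib.types.path` is probably what is meant. Since the anonymous branch is meant to grant `Admin`, an assertion that the secret file is set whenever the client ID is non-empty would keep a half-configured host from evaluating at all.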