114 lines
3.2 KiB
Nix
114 lines
3.2 KiB
Nix
{ pkgs, lib, config, ... }:
|
|
let
|
|
cfg = config.services.grafana;
|
|
fileProvider = path: "$__file{${path}}";
|
|
ldapServer = {
|
|
host = "ldap.federez.net ldap-ro.federez.net";
|
|
port = 636;
|
|
use_ssl = true;
|
|
start_tls = false;
|
|
bind_dn = "cn=grafana,ou=service-users,dc=federez,dc=net";
|
|
bind_password = fileProvider config.age.secrets.grafana-ldap-bind-password.path;
|
|
search_filter = "(&(objectClass=posixAccount)(cn=%s))";
|
|
search_base_dns = [ "cn=Utilisateurs,dc=federez,dc=net" ];
|
|
group_search_base_dns = [ "ou=posix,ou=groups,dc=federez,dc=net" ];
|
|
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))";
|
|
group_search_filter_user_attribute = "uid";
|
|
attributes = {
|
|
email = "mail";
|
|
};
|
|
"group_mappings" = [
|
|
{
|
|
group_dn = "cn=sudoldap,ou=posix,ou=groups,dc=federez,dc=net";
|
|
org_role = "Admin";
|
|
grafana_admin = true;
|
|
}
|
|
{
|
|
group_dn = "*";
|
|
org_role = "Viewer";
|
|
}
|
|
];
|
|
};
|
|
ldapConfig = (pkgs.formats.toml {}).generate "ldap.toml" {
|
|
servers = [ ldapServer ];
|
|
};
|
|
in {
|
|
age.secrets = {
|
|
grafana-admin-password = {
|
|
file = ../secrets/grafana-admin-password.age;
|
|
owner = "grafana";
|
|
group = "grafana";
|
|
};
|
|
grafana-secret-key = {
|
|
file = ../secrets/grafana-secret-key.age;
|
|
owner = "grafana";
|
|
group = "grafana";
|
|
};
|
|
grafana-ldap-bind-password = {
|
|
file = ../secrets/grafana-ldap-bind-password.age;
|
|
owner = "grafana";
|
|
group = "grafana";
|
|
};
|
|
};
|
|
|
|
services.grafana = {
|
|
enable = true;
|
|
|
|
settings = {
|
|
server.protocol = "socket";
|
|
analytics = {
|
|
reporting_enabled = false;
|
|
feedback_links_enabled = false;
|
|
};
|
|
security = {
|
|
admin_user = "admin";
|
|
admin_password = fileProvider config.age.secrets.grafana-admin-password.path;
|
|
secret_key = fileProvider config.age.secrets.grafana-secret-key.path;
|
|
};
|
|
"auth.ldap" = {
|
|
enabled = true;
|
|
allow_sign_up = true;
|
|
skip_org_role_sync = false;
|
|
config_file = toString ldapConfig;
|
|
};
|
|
};
|
|
|
|
declarativePlugins = lib.mkIf config.services.victoriametrics.enable
|
|
[ pkgs.grafanaPlugins.victoriametrics-metrics-datasource ];
|
|
|
|
provision.datasources.settings.datasources = lib.mkIf
|
|
config.services.victoriametrics.enable
|
|
[
|
|
{
|
|
name = "VictoriaMetrics";
|
|
type = "victoriametrics-metrics-datasource";
|
|
uid = "vm";
|
|
url = "http://localhost:8428";
|
|
editable = false;
|
|
jsonData = {
|
|
isDefault = true;
|
|
};
|
|
}
|
|
];
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedTlsSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedProxySettings = true;
|
|
upstreams.grafana.servers."unix:/${cfg.settings.server.socket}" = {};
|
|
virtualHosts."grafana.federez.net" = {
|
|
root = cfg.settings.server.static_root_path;
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations."/".tryFiles = "$uri @grafana";
|
|
locations."@grafana".proxyPass = "http://grafana";
|
|
};
|
|
};
|
|
|
|
users.users.${config.services.nginx.user}.extraGroups = [ "grafana" ];
|
|
}
|