prometheus: enable every where

2024-08-01 17:01:53 +08:00 · 2024-08-01 17:01:53 +08:00 · ced05f99fc
commit ced05f99fc
parent ddc7556324
10 changed files with 154 additions and 46 deletions
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@ -25,6 +25,9 @@
        owner = "prometheus";
        sopsFile = ../secrets.yaml;
      };
+      grafana_oauth_secret = {
+        owner = "grafana";
+      };
    };
  };

--- a/machines/massicot/kanidm-provision.nix
+++ b/machines/massicot/kanidm-provision.nix
@ -18,7 +18,19 @@
      members = [ "xin" ];
    };
    immich-users = {
-      members = [ "xin" "zhuo" ];
+      members = [ "xin" "zhuo" "ycm" ];
+    };
+    grafana-superadmins = {
+      members = [ "xin" ];
+    };
+    grafana-admins = {
+      members = [ "xin" ];
+    };
+    grafana-editors = {
+      members = [ "xin" ];
+    };
+    grafana-users = {
+      members = [ "xin" ];
    };
  };
  persons = {
@ -31,6 +43,11 @@
      displayName = "Zhuo";
      mailAddresses = [ "13681104320@163.com" ];
    };
+
+    ycm = {
+      displayName = "Chunming";
+      mailAddresses = [ "chunmingyou@gmail.com" ];
+    };
  };
  systems.oauth2 = {
    forgejo = {
@ -75,5 +92,22 @@
        immich-users = [ "openid" "email" "profile" ];
      };
    };
+    grafana = {
+      displayName = "Grafana";
+      originUrl = "https://grafana.xinyang.life/";
+      scopeMaps = {
+        grafana-users = [ "openid" "email" "profile" "groups" ];
+      };
+      claimMaps = {
+        grafana_role = {
+          joinType = "array";
+          valuesByGroup = {
+            grafana-superadmins = [ "GrafanaAdmin" ];
+            grafana-admins = [ "Admin" ];
+            grafana-editors = [ "Editor" ];
+          };
+        };
+      };
+    };
  };
 }
--- a/machines/massicot/secrets.yaml
+++ b/machines/massicot/secrets.yaml
@ -1,6 +1,7 @@
 storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
 gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str]
 hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str]
+grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -25,8 +26,8 @@ sops:
            dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
            V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-22T08:05:27Z"
-    mac: ENC[AES256_GCM,data:CiXU49arW+3w4/Lkh4l+6VjopyP7XNCU4AmuwZmnmQ7Vv4RCt84fC6lM6o4HiCc5jB07QY+2WZ5LvWz9zgSt636UpnCMgbG1w2Lxae38fW02RHJv90rn+cyyddB5kSucr5/P5NKBOZut54Cf4zVW9BaqajpQMxe4hEOn+xXpXz8=,iv:beWRlUvb6OUOK+mUXdvpvmM8S7xK0QIkIA2Bk9QA35c=,tag:KrBXqsAdBAhtwygdEHnUqQ==,type:str]
+    lastmodified: "2024-07-31T09:24:12Z"
+    mac: ENC[AES256_GCM,data:/TIuK0O0e3Kkb9yjVE4GEPLRRFo1wQEzfcuCcX/hS4eGSgVPu8p52meEzVW7Z9GLiKsmgSW+L5fW4k+kXGcOfKr1BarjfHa0pGcfoW/gb8BV2TFmX9rQk9ioh5m5NT97pv5KgrpPIU+HjUEe5ORebVZh5sW/R3Vh3PCyagINcIs=,iv:mU4P7BUnMjA/hIhX9SUImOuazoccPdnmeNIPGJUXaLw=,tag:EMXAVLgFZk3Mgv2O1rgibg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@ -1,4 +1,4 @@
-{ config, pkgs, inputs, ... }:
+{ config, pkgs, ... }:
 let
  kanidm_listen_port = 5324;
 in
@ -31,15 +31,16 @@ in
    exporters.blackbox.enable = true;
  };

-  systemd.mounts = map (share: {
-    what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
-    where = "/mnt/storage/${share}";
-    type = "cifs";
-    options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
-    before = [ "${share}.service" ];
-    after = [ "cachefilesd.service" ];
-    wantedBy = [ "${share}.service" ];
-  }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ];
+  systemd.mounts = map
+    (share: {
+      what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
+      where = "/mnt/storage/${share}";
+      type = "cifs";
+      options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
+      before = [ "${share}.service" ];
+      after = [ "cachefilesd.service" ];
+      wantedBy = [ "${share}.service" ];
+    }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ];

  services.cachefilesd.enable = true;

@ -53,9 +54,9 @@ in
  security.acme = {
    acceptTerms = true;
    certs."auth.xinyang.life" = {
-        email = "lixinyang411@gmail.com";
-        listenHTTP = "127.0.0.1:1360";
-        group = "kanidm";
+      email = "lixinyang411@gmail.com";
+      listenHTTP = "127.0.0.1:1360";
+      group = "kanidm";
    };
  };

@ -162,6 +163,38 @@ in
    };
  };

+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        http_addr = "127.0.0.1";
+        http_port = 3003;
+        root_url = "https://grafana.xinyang.life";
+        domain = "grafana.xinyang.life";
+      };
+      "auth.generic_oauth" = {
+        enabled = true;
+        name = "Kanidm";
+        client_id = "grafana";
+        scopes = "openid,profile,email,groups";
+        auth_url = "https://auth.xinyang.life/ui/oauth2";
+        token_url = "https://auth.xinyang.life/oauth2/token";
+        api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo";
+        use_pkce = true;
+        use_refresh_token = true;
+        allow_sign_up = true;
+        login_attribute_path = "preferred_username";
+        groups_attribute_path = "groups";
+        role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'";
+        allow_assign_grafana_admin = true;
+        auto_login = true;
+      };
+      "auth" = { disable_login_form = true; };
+    };
+  };
+
+  systemd.services.grafana.serviceConfig.EnvironmentFile = config.sops.secrets.grafana_oauth_secret.path;
+
  users.users.git = {
    isSystemUser = true;
    useDefaultShell = true;
@ -192,9 +225,9 @@ in
    virtualHosts."https://git.xinyang.life:443".extraConfig = ''
      reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
    '';
-    
+
    virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
-        reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
+      reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
    '';
    virtualHosts."https://auth.xinyang.life".extraConfig = ''
      reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
@ -205,7 +238,7 @@ in
          }
      }
    '';
-    virtualHosts."https://ntfy.xinyang.life".extraConfig =  ''
+    virtualHosts."https://ntfy.xinyang.life".extraConfig = ''
      reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix}
      @httpget {
        protocol http
@ -214,5 +247,13 @@ in
      }
      redir @httpget https://{host}{uri}
    '';
+
+    virtualHosts."https://grafana.xinyang.life".extraConfig =
+      let
+        grafanaSettings = config.services.grafana.settings.server;
+      in
+      ''
+        reverse_proxy http://${grafanaSettings.http_addr}:${toString grafanaSettings.http_port}
+      '';
  };
 }