From e13ec87217c949d0aea368fafb2808578e2ced05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristoffer=20F=C3=B8llesdal?= Date: Mon, 16 May 2022 16:37:02 +0200 Subject: [PATCH 1/3] nixos/grafana: add Azure AD OAuth options --- nixos/modules/services/monitoring/grafana.nix | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index b959379d331a..fa866a08f81e 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -44,6 +44,18 @@ let AUTH_ANONYMOUS_ENABLED = boolToString cfg.auth.anonymous.enable; AUTH_ANONYMOUS_ORG_NAME = cfg.auth.anonymous.org_name; AUTH_ANONYMOUS_ORG_ROLE = cfg.auth.anonymous.org_role; + + AUTH_AZUREAD_NAME = "Azure AD"; + AUTH_AZUREAD_ENABLED = boolToString cfg.auth.azuread.enable; + AUTH_AZUREAD_ALLOW_SIGN_UP = boolToString cfg.auth.azuread.allowSignUp; + AUTH_AZUREAD_CLIENT_ID = cfg.auth.azuread.clientId; + AUTH_AZUREAD_SCOPES = "openid email profile"; + AUTH_AZUREAD_AUTH_URL = "https://login.microsoftonline.com/${cfg.auth.azuread.tenantId}/oauth2/v2.0/authorize"; + AUTH_AZUREAD_TOKEN_URL = "https://login.microsoftonline.com/${cfg.auth.azuread.tenantId}/oauth2/v2.0/token"; + AUTH_AZUREAD_ALLOWED_DOMAINS = cfg.auth.azuread.allowedDomains; + AUTH_AZUREAD_ALLOWED_GROUPS = cfg.auth.azuread.allowedGroups; + AUTH_AZUREAD_ROLE_ATTRIBUTE_STRICT = false; + AUTH_GOOGLE_ENABLED = boolToString cfg.auth.google.enable; AUTH_GOOGLE_ALLOW_SIGN_UP = boolToString cfg.auth.google.allowSignUp; AUTH_GOOGLE_CLIENT_ID = cfg.auth.google.clientId; @@ -563,6 +575,53 @@ in { type = types.str; }; }; + azuread = { + enable = mkOption { + description = "Whether to allow Azure AD OAuth."; + default = false; + type = types.bool; + }; + allowSignUp = mkOption { + description = "Whether to allow sign up with Azure AD OAuth."; + default = false; + type = types.bool; + }; + clientId = mkOption { + description = "Azure AD OAuth client ID."; + default = ""; + type = types.str; + }; + clientSecretFile = mkOption { + description = "Azure AD OAuth client secret."; + default = null; + type = types.nullOr types.path; + }; + tenantId = mkOption { + description = '' + Tenant id used to create auth and token url. Default to "common" + , let user sign in with any tenant. + ''; + default = "common"; + type = types.str; + }; + allowedDomains = mkOption { + description = '' + To limit access to authenticated users who are members of one or more groups, + set allowedGroups to a comma- or space-separated list of group object IDs. + You can find object IDs for a specific group on the Azure portal. + ''; + default = ""; + type = types.str; + }; + allowedGroups = mkOption { + description = '' + Limits access to users who belong to specific domains. + Separate domains with space or comma. + ''; + default = ""; + type = types.str; + }; + }; google = { enable = mkOption { description = "Whether to allow Google OAuth2."; @@ -652,6 +711,10 @@ in { set -o errexit -o pipefail -o nounset -o errtrace shopt -s inherit_errexit + ${optionalString (cfg.auth.azuread.clientSecretFile != null) '' + GF_AUTH_AZUREAD_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.azuread.clientSecretFile})" + export GF_AUTH_AZUREAD_CLIENT_SECRET + ''} ${optionalString (cfg.auth.google.clientSecretFile != null) '' GF_AUTH_GOOGLE_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.google.clientSecretFile})" export GF_AUTH_GOOGLE_CLIENT_SECRET From ea8f7e7bbdea64e693fc09f0a68d55d5a260020f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristoffer=20F=C3=B8llesdal?= Date: Wed, 18 May 2022 16:07:56 +0200 Subject: [PATCH 2/3] nixos/grafana: add serveFromSubPath option --- nixos/modules/services/monitoring/grafana.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index fa866a08f81e..6e727a72aa9b 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -14,6 +14,7 @@ let PATHS_PLUGINS = if builtins.isNull cfg.declarativePlugins then "${cfg.dataDir}/plugins" else declarativePlugins; PATHS_LOGS = "${cfg.dataDir}/log"; + SERVER_SERVE_FROM_SUBPATH = boolToString cfg.server.serveFromSubPath; SERVER_PROTOCOL = cfg.protocol; SERVER_HTTP_ADDR = cfg.addr; SERVER_HTTP_PORT = cfg.port; @@ -496,6 +497,14 @@ in { }; }; + server = { + serveFromSubPath = mkOption { + description = "Serve Grafana from subpath specified in rootUrl setting"; + default = false; + type = types.bool; + }; + }; + smtp = { enable = mkEnableOption "smtp"; host = mkOption { From 298e2ce302c3d4eeacaca4bf4d0437253a8cafbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristoffer=20F=C3=B8llesdal?= Date: Wed, 18 May 2022 16:09:04 +0200 Subject: [PATCH 3/3] nixos/grafana: add disableLoginForm option --- nixos/modules/services/monitoring/grafana.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 6e727a72aa9b..497d46741381 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -42,6 +42,8 @@ let USERS_AUTO_ASSIGN_ORG = boolToString cfg.users.autoAssignOrg; USERS_AUTO_ASSIGN_ORG_ROLE = cfg.users.autoAssignOrgRole; + AUTH_DISABLE_LOGIN_FORM = boolToString cfg.auth.disableLoginForm; + AUTH_ANONYMOUS_ENABLED = boolToString cfg.auth.anonymous.enable; AUTH_ANONYMOUS_ORG_NAME = cfg.auth.anonymous.org_name; AUTH_ANONYMOUS_ORG_ROLE = cfg.auth.anonymous.org_role; @@ -567,6 +569,12 @@ in { }; auth = { + disableLoginForm = mkOption { + description = "Set to true to disable (hide) the login form, useful if you use OAuth"; + default = false; + type = types.bool; + }; + anonymous = { enable = mkOption { description = "Whether to allow anonymous access.";