Add OIDC to grafana

hosts/franz/arion/stats/arion-compose.nix

@@ -22,6 +22,22 @@
         "traefik.http.routers.grafana.tls" = "true";
         "traefik.http.routers.grafana.tls.certresolver" = "letsencrypt";
       };
+      environment = {
+        GF_SERVER_ROOT_URL = "https://grafana.ghoscht.com";
+
+        GF_AUTH_GENERIC_OAUTH_NAME = "authentik";
+        GF_AUTH_GENERIC_OAUTH_ENABLED = "true";
+        GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP = "true";
+        GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email";
+        GF_AUTH_GENERIC_OAUTH_AUTH_URL = "https://auth.ghoscht.com/application/o/authorize/";
+        GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://auth.ghoscht.com/application/o/token/";
+        GF_AUTH_GENERIC_OAUTH_API_URL = "https://auth.ghoscht.com/application/o/userinfo/";
+
+        # GF_AUTH_OAUTH_AUTO_LOGIN = "true";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/stats/grafana.env"
+      ];
       volumes = [
         "/storage/dataset/docker/stats/grafana_data:/var/lib/grafana"
       ];
@@ -47,12 +63,58 @@
       image = "grafana/promtail:3.0.0";
       volumes = [
         "/var/log:/var/log"
-        "/storage/dataset/docker/stats/promtail_data:/etc/promtail"
+        "/storage/dataset/docker/stats/promtail_data/promtail-config.yml:/etc/promtail/promtail-config.yml"
       ];
       command = "-config.file=/etc/promtail/promtail-config.yml";
       networks = [
         "internal"
       ];
     };
+    prometheus.service = {
+      image = "prom/prometheus:v2.53.0";
+      volumes = [
+        "/storage/dataset/docker/stats/prometheus_config/prometheus.yml:/etc/prometheus/prometheus.yml"
+        "/storage/dataset/docker/stats/prometheus_data:/prometheus"
+      ];
+      command = [
+        "--config.file=/etc/prometheus/prometheus.yml"
+        "--web.console.libraries=/etc/prometheus/console_libraries"
+        "--web.console.templates=/etc/prometheus/consoles"
+      ];
+      networks = [
+        "internal"
+      ];
+    };
+    node-exporter.service = {
+      image = "prom/node-exporter:v1.8.1";
+      volumes = [
+        "/proc:/host/proc:ro"
+        "/sys:/host/sys:ro"
+        "/:/rootfs:ro"
+      ];
+      command = [
+        "--path.procfs=/host/proc"
+        "--path.rootfs=/rootfs"
+        "--path.sysfs=/host/sys"
+        "--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)"
+      ];
+      networks = [
+        "internal"
+      ];
+    };
+    # cadvisor.service = {
+    #   image = "gcr.io/cadvisor/cadvisor:v0.49.1";
+    #   volumes = [
+    #     "/:/rootfs:ro"
+    #     "/var/run:/var/run:ro"
+    #     "/sys:/sys:ro"
+    #     "/var/lib/docker:/var/lib/docker:ro"
+    #     "/dev/disk:/dev/disk:ro"
+    #   ];
+    #   devices = ["/dev/kmsg"];
+    #   networks = [
+    #     "internal"
+    #   ];
+    # };
   };
 }

hosts/franz/arion/stats/default.nix

@@ -7,6 +7,23 @@ in {
     };
   };
 
+  sops.secrets."stats/oidc_client_id" = {
+    owner = vars.user;
+  };
+  sops.secrets."stats/oidc_client_secret" = {
+    owner = vars.user;
+  };
+
+  sops.templates."grafana.env" = {
+    path = "/home/${vars.user}/.docker/stats/grafana.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      GF_AUTH_GENERIC_OAUTH_CLIENT_ID="${config.sops.placeholder."stats/oidc_client_id"}"
+      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="${config.sops.placeholder."stats/oidc_client_secret"}"
+    '';
+  };
+
   systemd.services.add-loki-logging-driver = {
     description = "Add grafana loki docker driver";
     after = ["network.target"];

secrets/franz.yaml

@@ -53,6 +53,9 @@ diun:
     ntfy_access_token: ENC[AES256_GCM,data:37UYgaMlmpoMW74LqtxkuMqGQmCvLpVdJAgEmVxSULY=,iv:tZPlfIgo1vWvMPlQzCBPXj5xYDiTWJOsVwkxBjGNMDk=,tag:882g2UxFfg5VSKqAtEMk2Q==,type:str]
 crowdsec:
     traefik_bouncer_api_key: ENC[AES256_GCM,data:qNY3cWNxG2pyrTN1UnYCGWCmx1Yue1WAJZ8DEsLqnZ+RDoaJfvqqJazJUg==,iv:x0K9Vq+ZuojmeHSbS/0PoOQdLIRDMtGdmU+msv4PWzI=,tag:qgxQIBHtARTNv17x7N6zyw==,type:str]
+stats:
+    oidc_client_id: ENC[AES256_GCM,data:/0Y/qLyxGTKskcoQVdlQkEYHa1P7+0PYwv1GoXV5r48btzpPHYysLA==,iv:QT6GM3I38/kSDrzm5phPWnGQxjds0qamduYuIvj4dig=,tag:yGnM4jOwDtC81jrXUG6r+w==,type:str]
+    oidc_client_secret: ENC[AES256_GCM,data:ETl5Lm8GSk/xwD9+TZZlPwNA8CxdQ2teyjWVWShXrx0o0qdE72lIBnW7mW9bklx1RMhSBvhArZPMA9fFN29nCJ4E9zXNTxFFviHUZTr+8mdm5g9TYu4WJxiJ3rzIavgx4DQR0FIQyXzXXMSoLDpOl+u4oT8vfb3ef4bKIDktBGU=,iv:KMy70+IA8KKj4mjB4sV3uXg8iDjponO+AzYlNYvv3pE=,tag:WMsUg0PNILBz1jNyV6PggQ==,type:str]
 wiki:
     aws_access_key_id: ENC[AES256_GCM,data:Fqfa6XcDDpQ0l+/entQh6sxobBM=,iv:gbfHxTy0Oj9xYlucpN98CjNIURDrx9BuFF4Pfo90V0M=,tag:df8Z3J2ovO1MHPnzOsCtpg==,type:str]
     aws_secret_access_key: ENC[AES256_GCM,data:sbgzvlN5dP4jZIGKtDsMn5o2RqWTl+XNi80ydnOgrQkgnQ/HxluWWA==,iv:xyCKfbf/UF9cFunCYHwVBw4eVvOeZQtfPtrz2s6zIII=,tag:S0wzL8d5iEn20VbOVfrZBw==,type:str]
@@ -78,8 +81,8 @@ sops:
             VUUxcEhvYi8zeXlCUUViUTl0eWdhcU0KXOfbnDc+zc8lnBcyEAV5EiJSjcSU6AgI
             EfeRw8qVqwChrYn1agslcNnDbE0WQsOCBuA6cE4V3kRofp9HU949ig==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-14T16:33:02Z"
-    mac: ENC[AES256_GCM,data:tifzRssqaaej73Tm8bqcms0hrjQ27E7VY1UwfQ/oPXGYxtEdI3FRdDie7yRxOuaquX5JXcJquQyTKrHEXbUakwqddSsws3uKkdy8dfjmTbpGWjKUPnPASsix2l028ov1jIeQ80/QfMavtSmy/1ZI7O/cVGy9FMV0wFysEWMJ+KI=,iv:Nolz/xL+jifstC1sw1IzI7Fu3fR+6+TBMWjl7PQZGh4=,tag:jxVt7kCQwfTKdbd8CLmesA==,type:str]
+    lastmodified: "2024-08-09T13:53:16Z"
+    mac: ENC[AES256_GCM,data:5pANdrfnPuDf2mai0UgcFbwr4OzjLzLWraKOt38fX2MySYH2EryMzsk4prhehXPTkD3soMFwaVbuuqZUbkWCWM3CtjuyCisQH4uiZZw+slw6g8atr4h3tpHtD2SwgGVESMJouVQyfb9ko4O1ArBvml/0a6DAGmwoxlQwGboZR5M=,iv:oiZx4BsRBNAn+hjhzhV6oVZrYQJ32DAQlyNNsevaLpc=,tag:A0EsGeaP5vy9vA8WZjbxIQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1