From bb38cadb11030f68321981b83e9a14276114fa80 Mon Sep 17 00:00:00 2001
From: Victor
Date: Fri, 5 May 2023 11:19:01 +0200
Subject: [PATCH] add dex auth to grafana
---
 nixos/hosts/olympus/dex/configuration.nix | 12 ++++++++--
 .../olympus/victoriametrics/configuration.nix | 24 +++++++++++++++----
 2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/nixos/hosts/olympus/dex/configuration.nix b/nixos/hosts/olympus/dex/configuration.nix
index b205de8..e9bcab8 100644
--- a/nixos/hosts/olympus/dex/configuration.nix
+++ b/nixos/hosts/olympus/dex/configuration.nix
@@ -62,12 +62,20 @@ in {
 };
 }];
- staticClients = [{
+ staticClients = [
+ {
 id = "outline";
 name = "Outline";
 redirectURIs = [ "https://outline.0x76.dev/auth/oidc.callback" ];
 secretEnv = "OUTLINE_CLIENT_SECRET";
- }];
+ }
+ {
+ id = "grafana";
+ name = "Grafana";
+ redirectURIs = [ "https://grafana.0x76.dev/login/generic_oauth" ];
+ secretEnv = "GRAFANA_CLIENT_SECRET";
+ }
+ ];
 };
 environmentFile = "${vs.dex}/environment";
diff --git a/nixos/hosts/olympus/victoriametrics/configuration.nix b/nixos/hosts/olympus/victoriametrics/configuration.nix
index da9d327..20374b4 100644
--- a/nixos/hosts/olympus/victoriametrics/configuration.nix
+++ b/nixos/hosts/olympus/victoriametrics/configuration.nix
@@ -5,6 +5,7 @@
 { config, pkgs, ... }:
 let
 vmPort = 8428;
+ grafanaDomain = config.meta.exposes.grafana.domain;
 grafanaPort = config.meta.exposes.grafana.port;
 vs = config.vault-secrets.secrets;
 in {
@@ -21,8 +22,7 @@ in {
 # Additional packages
 environment.systemPackages = with pkgs; [ ];
- networking.firewall.allowedTCPPorts =
- [ vmPort config.services.grafana.settings.server.http_port ];
+ networking.firewall.allowedTCPPorts = [ vmPort grafanaPort ];
 networking.firewall.allowedUDPPorts = [ vmPort ];
 services.victoriametrics = {
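Review bot: The new `grafana` entry in the Dex `staticClients` list hard-codes `https://grafana.0x76.dev/login/generic_oauth`, while the Grafana side of this same commit switches `domain` and `root_url` to `config.meta.exposes.grafana.domain`; Dex accepts only redirect URIs that match a registered one exactly, so a domain change in the meta module would break login until this string is edited as well. If that option is readable from the dex host (not visible here), derive the URI from it, e.g. `redirectURIs = [ "https://${config.meta.exposes.grafana.domain}/login/generic_oauth" ];`. The client secret now lives in two vault entries that must hold the same value, so a comment such as `# GRAFANA_CLIENT_SECRET must equal grafana's dex_client_secret vault entry` would help whoever rotates it. The surrounding Dex settings block starts and ends outside the hunk.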
@@ -76,12 +76,28 @@ in {
 enable = true;
 settings = {
 server = {
- domain = "grafana.0x76.dev";
- root_url = "https://grafana.0x76.dev";
+ domain = grafanaDomain;
+ root_url = "https://${grafanaDomain}";
 http_addr = "0.0.0.0";
 http_port = grafanaPort;
 };
 security.admin_password = "$__file{${vs.grafana}/password}";
+
+ "auth.generic_oauth" = {
+ name = "Dex";
+ icon = "signin";
+ enabled = true;
+ allow_sign_up = true;
+ client_id = "grafana";
+ client_secret = "$__file{${vs.grafana}/dex_client_secret}";
+ scopes = toString [ "openid" "profile" "email" "groups" ];
+ auth_url = "https://dex.0x76.dev/auth";
+ token_url = "https://dex.0x76.dev/token";
+ api_url = "https://dex.0x76.dev/userinfo";
+ skip_org_role_sync = true;
+ auto_login = true;
+ };
+
 };
 };
 }
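Review bot: The new `"auth.generic_oauth"` block sets `allow_sign_up = true` with no `allowed_groups`, `allowed_domains` or role mapping, so every identity Dex is willing to authenticate gets a Grafana account created on first login. The `groups` scope is requested but nothing in the block consumes it, and `skip_org_role_sync = true` means the role is never derived from the token either. If access is meant to be limited to some users, add `groups_attribute_path = "groups";` together with `allowed_groups = "<group-name>";` (placeholder value), or a `role_attribute_path`, and consider `use_pkce = true;` for the code flow. The enclosing Grafana settings block opens before this hunk, so other auth options may be set outside the visible lines.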