authorVincent Ambo <mail@tazj.in>2021-12-27T13·56+0300
committerclbot <clbot@tvl.fyi>2021-12-27T14·44+0000
commit906d6553c65f5eac1f6f77f3984bfd04963cb13f (patch)
tree9c0b44aeb37a5824bc0d66225f23b2982741afb5 /ops/machines/whitby/default.nix
parent7154507e78693cd609b1742f8fee51dfcff69d97 (diff)
fix(whitby): Point grafana at new auth provider r/3468
Grafana was still pointing at the (now non-existent) CAS setup. This
changes the endpoints to use Keycloak instead and updates the client
secret.

Change-Id: Ib25d38330aba2ef6d894e8c33d86852c884ab5be
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4706
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
Diffstat (limited to 'ops/machines/whitby/default.nix')
-rw-r--r--ops/machines/whitby/default.nix10
1 files changed, 6 insertions, 4 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 727859542938..e013c56196f5 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -500,15 +500,15 @@ in {
         auth = {
           generic_oauth = {
             enabled = true;
-            client_id = "OAUTH-TVL-grafana-f1A1EmHLDT";
+            client_id = "grafana";
             scopes = "openid profile email";
             name = "TVL";
             email_attribute_path = "mail";
             login_attribute_path = "sub";
             name_attribute_path = "displayName";
-            auth_url = "https://login.tvl.fyi/oidc/authorize";
-            token_url = "https://login.tvl.fyi/oidc/accessToken";
-            api_url = "https://login.tvl.fyi/oidc/profile";
+            auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
+            token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
+            api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
 
             # Give lukegb, grfn, tazjin "Admin" rights.
             role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
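Review bot: The claim names kept as context in this hunk (`email_attribute_path = "mail"`, `login_attribute_path = "sub"`, `name_attribute_path = "displayName"`, and the `sub == '...'` comparisons in `role_attribute_path`) look like they were written for the old CAS profile endpoint and are not adjusted for the Keycloak userinfo endpoint that `api_url` now points to. Keycloak by default puts an internal user ID in `sub` and exposes the username as `preferred_username`, the address as `email` and the full name as `name`, so unless the realm has protocol mappers that this hunk does not show, the Admin check would never match and every login would fall through to `'Editor'`. If no such mappers exist, the comparisons should key on the username claim, e.g. `role_attribute_path = "((preferred_username == 'lukegb' || preferred_username == 'grfn' || preferred_username == 'tazjin') && 'Admin') || 'Editor'";`, with the other three paths updated to match. Because the role is granted on a claim value, it is also worth confirming that whichever claim is used cannot be edited by the account holder in the realm, and that the `'Editor'` fallback combined with `allow_sign_up = true` is the intended level for any account the realm admits.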
@@ -516,11 +516,13 @@ in {
             # Allow creating new Grafana accounts from OAuth accounts.
             allow_sign_up = true;
           };
+
           anonymous = {
             enabled = true;
             org_name = "The Virus Lounge";
             org_role = "Viewer";
           };
+
           basic.enabled = false;
           oauth_auto_login = true;
           disable_login_form = true;