path: root/ops/machines/whitby/default.nix
authorLuke Granger-Brown <git@lukegb.com>2021-04-12T23·32+0000
committerlukegb <lukegb@tvl.fyi>2021-04-13T00·08+0000
commita0cfa097e040f082d448288ca8a3c99231484b03 (patch)
tree32eb119a84b02d1792df95180ef93d8a929e7ee3 /ops/machines/whitby/default.nix
parentba30cd6bb2393d9b08d91b2cf49af8591d09907f (diff)
feat(whitby/grafana): use CAS SSO r/2500
There's a hard-coded list of Admin usernames for the moment. We should
revisit this and set up actual groups in LDAP that are propagated
through to Grafana.

Change-Id: Ic3601f1a9753573076769f4912038e9f1b60e139
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2982
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
Diffstat (limited to 'ops/machines/whitby/default.nix')
-rw-r--r--ops/machines/whitby/default.nix52
1 files changed, 52 insertions, 0 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 82853a21e5ff..b2d3eca4465a 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -387,6 +387,56 @@ in {
     domain = "status.tvl.su";
     rootUrl = "https://status.tvl.su";
     analytics.reporting.enable = false;
+    extraOptions = let
+      options = {
+        auth = {
+          generic_oauth = {
+            enabled = true;
+            client_id = "OAUTH-TVL-grafana-f1A1EmHLDT";
+            scopes = "openid profile email";
+            name = "TVL";
+            email_attribute_path = "mail";
+            login_attribute_path = "sub";
+            name_attribute_path = "displayName";
+            auth_url = "https://login.tvl.fyi/oidc/authorize";
+            token_url = "https://login.tvl.fyi/oidc/accessToken";
+            api_url = "https://login.tvl.fyi/oidc/profile";
+
+            # Give lukegb, grfn, tazjin "Admin" rights.
+            role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
+
+            # Allow creating new Grafana accounts from OAuth accounts.
+            allow_sign_up = true;
+          };
+          anonymous = {
+            enabled = true;
+            org_name = "The Virus Lounge";
+            org_role = "Viewer";
+          };
+          basic.enabled = false;
+          oauth_auto_login = true;
+          disable_login_form = true;
+        };
+      };
+      inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
+      inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
+
+      # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
+      encodeName = raw: replaceStrings ["."] ["_"] (toUpper (concatStringsSep "_" raw));
+
+      # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
+      optionToString = value:
+        if (typeOf value) == "bool" then
+          if value then "true" else "false"
+        else builtins.toString value;
+
+      # Turn an nested options attrset into a flat listToAttrs-compatible list.
+      encodeOptions = prefix: inp: concatLists (mapAttrsToList (name: value:
+        if (typeOf value) == "set"
+          then encodeOptions (prefix ++ [name]) value
+          else [ (nameValuePair (encodeName (prefix ++ [name])) (optionToString value)) ]
+        ) inp);
+    in listToAttrs (encodeOptions [] options);
 
     provision = {
       enable = true;
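Review bot: The `role_attribute_path` expression hands the `Editor` role to every account that can authenticate at login.tvl.fyi, and `allow_sign_up = true` auto-provisions a Grafana user for each of them, so the effective access policy is wider than the comment "Give lukegb, grfn, tazjin Admin rights" suggests. If that is intended, say so next to the expression, e.g. `# Everyone else who can log in via SSO is auto-provisioned as an Editor; anonymous visitors are Viewers.`; if not, change the fallback to `'Viewer'` so SSO users without an explicit grant get the same read-only access as anonymous visitors. Separately, the comment on `encodeName` is wrong: `encodeName ["auth" "generic_oauth" "enabled"]` produces `AUTH_GENERIC_OAUTH_ENABLED`, not `OPTIONS_GENERIC_OAUTH_ENABLED` — the `GF_` prefix visible in the EnvironmentFile comment below is presumably added by the NixOS `extraOptions` handling rather than by this function, and the comment should state that so the mapping to Grafana's environment variable names is unambiguous.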
@@ -397,6 +447,8 @@ in {
       }];
     };
   };
+  # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
+  systemd.services.grafana.serviceConfig.EnvironmentFile = "/etc/secrets/grafana";
 
   security.sudo.extraRules = [
     {
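Review bot: The `EnvironmentFile` line points at `/etc/secrets/grafana` but nothing in the hunk documents the expected format or the permissions the file must have, and a world-readable secrets file would undo the point of keeping the client secret out of the Nix store. Extend the comment to `# Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=<secret>, one KEY=VALUE per line; must be owned by root with mode 0600 (systemd reads it before dropping to the grafana user, so the service account needs no access).` The unit will refuse to start if the file is absent, which is the right behaviour here since the OAuth login cannot work without the secret, so do not add the `-` optional prefix. The enclosing attribute set continues outside the hunk.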