diff options
author | Luke Granger-Brown <git@lukegb.com> | 2021-04-12T23·32+0000 |
---|---|---|
committer | lukegb <lukegb@tvl.fyi> | 2021-04-13T00·08+0000 |
commit | a0cfa097e040f082d448288ca8a3c99231484b03 (patch) | |
tree | 32eb119a84b02d1792df95180ef93d8a929e7ee3 /ops/machines/whitby | |
parent | ba30cd6bb2393d9b08d91b2cf49af8591d09907f (diff) |
feat(whitby/grafana): use CAS SSO r/2500
There's a hard-coded list of Admin usernames for the moment. We should revisit this and get an actual groups setup in LDAP that's propagated through... Change-Id: Ic3601f1a9753573076769f4912038e9f1b60e139 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2982 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi>
Diffstat (limited to 'ops/machines/whitby')
-rw-r--r-- | ops/machines/whitby/default.nix | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix index 82853a21e5ff..b2d3eca4465a 100644 --- a/ops/machines/whitby/default.nix +++ b/ops/machines/whitby/default.nix @@ -387,6 +387,56 @@ in { domain = "status.tvl.su"; rootUrl = "https://status.tvl.su"; analytics.reporting.enable = false; + extraOptions = let + options = { + auth = { + generic_oauth = { + enabled = true; + client_id = "OAUTH-TVL-grafana-f1A1EmHLDT"; + scopes = "openid profile email"; + name = "TVL"; + email_attribute_path = "mail"; + login_attribute_path = "sub"; + name_attribute_path = "displayName"; + auth_url = "https://login.tvl.fyi/oidc/authorize"; + token_url = "https://login.tvl.fyi/oidc/accessToken"; + api_url = "https://login.tvl.fyi/oidc/profile"; + + # Give lukegb, grfn, tazjin "Admin" rights. + role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'"; + + # Allow creating new Grafana accounts from OAuth accounts. + allow_sign_up = true; + }; + anonymous = { + enabled = true; + org_name = "The Virus Lounge"; + org_role = "Viewer"; + }; + basic.enabled = false; + oauth_auto_login = true; + disable_login_form = true; + }; + }; + inherit (builtins) typeOf replaceStrings listToAttrs concatLists; + inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep; + + # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED. + encodeName = raw: replaceStrings ["."] ["_"] (toUpper (concatStringsSep "_" raw)); + + # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "". + optionToString = value: + if (typeOf value) == "bool" then + if value then "true" else "false" + else builtins.toString value; + + # Turn an nested options attrset into a flat listToAttrs-compatible list. + encodeOptions = prefix: inp: concatLists (mapAttrsToList (name: value: + if (typeOf value) == "set" + then encodeOptions (prefix ++ [name]) value + else [ (nameValuePair (encodeName (prefix ++ [name])) (optionToString value)) ] + ) inp); + in listToAttrs (encodeOptions [] options); provision = { enable = true; @@ -397,6 +447,8 @@ in { }]; }; }; + # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET. + systemd.services.grafana.serviceConfig.EnvironmentFile = "/etc/secrets/grafana"; security.sudo.extraRules = [ { |