From a0cfa097e040f082d448288ca8a3c99231484b03 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Mon, 12 Apr 2021 23:32:40 +0000
Subject: feat(whitby/grafana): use CAS SSO

There's a hard-coded list of Admin usernames for the moment. We should
revisit this and get an actual groups setup in LDAP that's propagated
through...

Change-Id: Ic3601f1a9753573076769f4912038e9f1b60e139
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2982
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
---
 ops/machines/whitby/default.nix | 52 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 82853a21e5..b2d3eca446 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -387,6 +387,56 @@ in {
     domain = "status.tvl.su";
     rootUrl = "https://status.tvl.su";
     analytics.reporting.enable = false;
+    extraOptions = let
+      options = {
+        auth = {
+          generic_oauth = {
+            enabled = true;
+            client_id = "OAUTH-TVL-grafana-f1A1EmHLDT";
+            scopes = "openid profile email";
+            name = "TVL";
+            email_attribute_path = "mail";
+            login_attribute_path = "sub";
+            name_attribute_path = "displayName";
+            auth_url = "https://login.tvl.fyi/oidc/authorize";
+            token_url = "https://login.tvl.fyi/oidc/accessToken";
+            api_url = "https://login.tvl.fyi/oidc/profile";
+
+            # Give lukegb, grfn, tazjin "Admin" rights.
+            role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
+
+            # Allow creating new Grafana accounts from OAuth accounts.
+            allow_sign_up = true;
+          };
+          anonymous = {
+            enabled = true;
+            org_name = "The Virus Lounge";
+            org_role = "Viewer";
+          };
+          basic.enabled = false;
+          oauth_auto_login = true;
+          disable_login_form = true;
+        };
+      };
+      inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
+      inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
+
+      # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
+      encodeName = raw: replaceStrings ["."] ["_"] (toUpper (concatStringsSep "_" raw));
+
+      # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
+      optionToString = value:
+        if (typeOf value) == "bool" then
+          if value then "true" else "false"
+        else builtins.toString value;
+
+      # Turn an nested options attrset into a flat listToAttrs-compatible list.
+      encodeOptions = prefix: inp: concatLists (mapAttrsToList (name: value:
+        if (typeOf value) == "set"
+          then encodeOptions (prefix ++ [name]) value
+          else [ (nameValuePair (encodeName (prefix ++ [name])) (optionToString value)) ]
+        ) inp);
+    in listToAttrs (encodeOptions [] options);
 
     provision = {
       enable = true;
@@ -397,6 +447,8 @@ in {
       }];
     };
   };
+  # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
+  systemd.services.grafana.serviceConfig.EnvironmentFile = "/etc/secrets/grafana";
 
   security.sudo.extraRules = [
     {
-- 
cgit 1.4.1