working on grafana oidc and introduced new domain for hosting

This commit is contained in:
Chris Kruining 2025-08-20 15:15:03 +02:00
parent 6511e513a3
commit 995fdaeb1d
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2
4 changed files with 129 additions and 81 deletions


@ -26,7 +26,7 @@ in
tlsMode = "external"; tlsMode = "external";
settings = { settings = {
Port = 9092; Port = 9092;
ExternalDomain = "auth-z.kruining.eu"; ExternalDomain = "auth.amarth.cloud";
ExternalPort = 443; ExternalPort = 443;
ExternalSecure = true; ExternalSecure = true;
@ -47,9 +47,9 @@ in
}; };
steps = { steps = {
FirstInstance = { FirstInstance = {
InstanceName = "auth-z.kruining.eu"; InstanceName = "auth.amarth.cloud";
Org = { Org = {
Name = "Default"; Name = "Amarth";
Human = { Human = {
UserName = "chris"; UserName = "chris";
FirstName = "Chris"; FirstName = "Chris";
@ -86,7 +86,7 @@ in
caddy = { caddy = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"auth-z.kruining.eu".extraConfig = '' "auth.amarth.cloud".extraConfig = ''
reverse_proxy h2c://127.0.0.1:9092 reverse_proxy h2c://127.0.0.1:9092
''; '';
}; };


@ -3,7 +3,7 @@ let
inherit (lib) mkIf mkEnableOption; inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.development.forgejo; cfg = config.${namespace}.services.development.forgejo;
domain = "git.kruining.eu"; domain = "git.amarth.cloud";
in in
{ {
options.${namespace}.services.development.forgejo = { options.${namespace}.services.development.forgejo = {
@ -35,7 +35,7 @@ in
cors = { cors = {
ENABLED = true; ENABLED = true;
ALLOW_DOMAIN = "https://*.kruining.eu"; ALLOW_DOMAIN = "https://*.amarth.cloud";
}; };
security = { security = {
@ -63,8 +63,9 @@ in
service = { service = {
# Auth # Auth
ENABLE_BASIC_AUTHENTICATION = false; ENABLE_BASIC_AUTHENTICATION = false;
DISABLE_REGISTRATION = true; DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true; ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
# Privacy # Privacy
DEFAULT_KEEP_EMAIL_PRIVATE = true; DEFAULT_KEEP_EMAIL_PRIVATE = true;
@ -78,12 +79,13 @@ in
openid = { openid = {
ENABLE_OPENID_SIGNIN = true; ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true; ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "https://auth-z.kruining.eu"; WHITELISTED_URIS = "https://auth.amarth.cloud";
}; };
oauth2_client = { oauth2_client = {
ENABLE_AUTO_REGISTRATION = true; ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = true; UPDATE_AVATAR = true;
ACCOUNT_LINKING = "auto";
}; };
actions = { actions = {
@ -111,8 +113,8 @@ in
mailer = { mailer = {
ENABLED = true; ENABLED = true;
SMTP_ADDR = "smpts://smtp.black-mail.nl"; SMTP_ADDR = "smpts://smtp.black-mail.nl";
FROM = "noreply@kruining.eu"; FROM = "info@amarth.cloud";
USER = "noreply@kruining.eu"; USER = "amarth";
PASSWD = "/var/lib/forgejo/custom/mail_password"; PASSWD = "/var/lib/forgejo/custom/mail_password";
}; };
}; };
@ -125,7 +127,7 @@ in
instances.default = { instances.default = {
enable = true; enable = true;
name = "default"; name = "default";
url = "https://git.kruining.eu"; url = "https://git.amarth.cloud";
# Obtaining the path to the runner token file may differ # Obtaining the path to the runner token file may differ
# tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
# tokenFile = config.age.secrets.forgejo-runner-token.path; # tokenFile = config.age.secrets.forgejo-runner-token.path;
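Review bot: With `DISABLE_REGISTRATION = false` and `ACCOUNT_LINKING = "auto"` in the `-63,8 +63,9` and `-78,12 +79,13` hunks, any identity that Zitadel issues is now enough to create a Forgejo account or to be linked to an existing one, and as I read the Forgejo docs that linking matches on e-mail address, so the IdP is now trusted to have verified the e-mail of every account it signs in. That is a defensible design as long as self-registration at Zitadel stays closed, but nothing in the module records the dependency; I would add `# Registration only via the Zitadel OAuth2 source; "auto" linking trusts the IdP e-mail claim, so keep IdP self-registration closed` above `DISABLE_REGISTRATION`. Separately, the unchanged `SMTP_ADDR = "smpts://smtp.black-mail.nl"` in the `mailer` hunk looks like a typo for `smtps`, worth checking while this block is being edited. The enclosing `settings` attribute set starts and ends outside these hunks.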


@ -14,87 +14,117 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.grafana = { services = {
enable = true; grafana = {
openFirewall = true;
settings = {
server = {
http_port = 9001;
http_addr = "0.0.0.0";
};
database = {
type = "postgres";
host = "/var/run/postgresql:5432";
name = db_name;
user = db_user;
ssl_mode = "disable";
};
users = {
allow_sign_up = false;
allow_org_create = false;
viewers_can_edit = false;
default_theme = "system";
};
analytics = {
reporting_enabled = false;
check_for_updates = false;
check_for_plugin_updates = false;
feedback_links_enabled = false;
};
};
provision = {
enable = true; enable = true;
openFirewall = true;
dashboards.settings = { settings = {
apiVersion = 1; server = {
providers = [ http_port = 9001;
http_addr = "0.0.0.0";
domain = "ulmo";
};
auth = {
disable_login_form = false;
oauth_auto_login = true;
};
"auth.basic".enable = false;
"auth.generic_oauth" = {
enable = true;
name = "Zitadel";
client_id = "334170712283611395";
client_secret = "AFjypmURdladmQn1gz2Ke0Ta5LQXapnuKkALVZ43riCL4qWicgV2Z6RlwpoWBZg1";
scopes = "openid email profile offline_access urn:zitadel:iam:org:project:roles";
email_attribute_path = "email";
login_attribute_path = "username";
name_attribute_path = "full_name";
role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'";
auth_url = "https://auth.amarth.cloud/oauth/v2/authorize";
token_url = "https://auth.amarth.cloud/oauth/v2/token";
api_url = "https://auth.amarth.cloud/oidc/v1/userinfo";
allow_sign_up = true;
auto_login = true;
use_pkce = true;
usr_refresh_token = true;
allow_assign_grafana_admin = true;
};
database = {
type = "postgres";
host = "/var/run/postgresql:5432";
name = db_name;
user = db_user;
ssl_mode = "disable";
};
users = {
allow_sign_up = false;
allow_org_create = false;
viewers_can_edit = false;
default_theme = "system";
};
analytics = {
reporting_enabled = false;
check_for_updates = false;
check_for_plugin_updates = false;
feedback_links_enabled = false;
};
};
provision = {
enable = true;
dashboards.settings = {
apiVersion = 1;
providers = [
{
name = "Default Dashboard";
disableDeletion = true;
allowUiUpdates = false;
options = {
path = "/etc/grafana/dashboards";
foldersFromFilesStructure = true;
};
}
];
};
datasources.settings.datasources = [
{ {
name = "Default Dashboard"; name = "Prometheus";
disableDeletion = true; type = "prometheus";
allowUiUpdates = false; url = "http://localhost:9005";
options = { isDefault = true;
path = "/etc/grafana/dashboards"; editable = false;
foldersFromFilesStructure = true; }
};
{
name = "Loki";
type = "loki";
url = "http://localhost:9003";
editable = false;
} }
]; ];
}; };
};
datasources.settings.datasources = [ postgresql = {
enable = true;
ensureDatabases = [ db_name ];
ensureUsers = [
{ {
name = "Prometheus"; name = db_user;
type = "prometheus"; ensureDBOwnership = true;
url = "http://localhost:9002";
isDefault = true;
editable = false;
}
{
name = "Loki";
type = "loki";
url = "http://localhost:9003";
editable = false;
} }
]; ];
}; };
}; };
services.postgresql = {
enable = true;
ensureDatabases = [ db_name ];
ensureUsers = [
{
name = db_user;
ensureDBOwnership = true;
}
];
};
environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json; environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json;
}; };
} }
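Review bot: `client_secret` in the new `"auth.generic_oauth"` block is a literal OAuth client secret committed to the repository, and since NixOS typically renders `services.grafana.settings` into a file in the world-readable Nix store it is also exposed to every local user of the host; it should be rotated at Zitadel and loaded from a secret file instead, e.g. `client_secret = "$__file{/run/secrets/grafana-oidc-client-secret}";` (Grafana expands `$__file{}` in settings; the path is a placeholder, and the `config.age.secrets` comment in the forgejo module suggests agenix is available for it). Two smaller points in the same hunk: `usr_refresh_token = true;` looks like a typo for `use_refresh_token`, so refresh tokens are probably not enabled as intended, and the Prometheus datasource `url` moved from port 9002 to 9005, which per the prometheus module in this commit is the node exporter rather than the Prometheus server, so confirm that is intended. The whole `config = mkIf cfg.enable { ... }` block is restructured in this hunk, which runs to the end of the file.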


@ -1,7 +1,7 @@
{ pkgs, config, lib, namespace, ... }: { pkgs, config, lib, namespace, ... }:
let let
inherit (lib.modules) mkIf; inherit (builtins) toString;
inherit (lib.options) mkEnableOption; inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.observability.prometheus; cfg = config.${namespace}.services.observability.prometheus;
in in
@ -24,7 +24,23 @@ in
{ targets = [ "localhost:9002" ]; } { targets = [ "localhost:9002" ]; }
]; ];
} }
{
job_name = "node";
static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
];
}
]; ];
exporters = {
node = {
enable = true;
port = 9005;
enabledCollectors = [ "systemd" ];
openFirewall = true;
};
};
}; };
networking.firewall.allowedTCPPorts = [ 9002 ]; networking.firewall.allowedTCPPorts = [ 9002 ];
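Review bot: The new node exporter sets `openFirewall = true;` although the only consumer visible on this page is the scrape job on `localhost:${toString config.services.prometheus.exporters.node.port}` added in the same hunk, so host metrics (systemd unit state, mounts, kernel details) become reachable from the network without authentication for no stated reason. I would set `openFirewall = false;` or drop the line, which is the module default, and keep only the existing `allowedTCPPorts = [ 9002 ]` rule; if remote scraping is actually needed the line deserves a comment naming the scraper. The enclosing `services.prometheus` set starts before the hunk.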