add oauth to grafana

hosts/web-01.cloonar.com/modules/grafana.nix

@@ -28,6 +28,24 @@ let
       grafana_admin = true # Available in Grafana v5.3 and above
     '';
   };
+  oauth = pkgs.writeTextFile {
+    name = "oauth.toml";
+    text = ''
+      name = Authelia
+      icon = signin
+      client_id = grafana
+      client_secret = "$__file{/run/secrets/grafana-oauth-secret}"
+      scopes = openid profile email groups
+      empty_scopes = false
+      auth_url = https://auth.cloonar.com/api/oidc/authorization
+      token_url = https://auth.cloonar.com/api/oidc/token
+      api_url = https://auth.cloonar.com/api/oidc/userinfo
+      login_attribute_path = preferred_username
+      groups_attribute_path = groups
+      name_attribute_path = name
+      use_pkce = true
+    '';;
+  };
 in
 {
   services.grafana = {
@@ -37,6 +55,9 @@ in
       "auth.ldap".enabled = true;
       "auth.ldap".config_file = toString ldap;
 
+      "auth.generic_oauth".enabled = true;
+      "auth.generic_oauth".config_file = toString oauth;
+
       "auth.anonymous".enabled = true;
       "auth.anonymous".org_name = "Cloonar e.U.";
       "auth.anonymous".org_role = "Viewer";
@@ -91,5 +112,6 @@ in
   sops.secrets = {
     grafana-admin-password.owner = "grafana";
     grafana-ldap-password.owner = "grafana";
+    grafana-oauth-secret.owner = "grafana";
   };
 }