add zammad to fw vm, add web-arm machine

2024-08-16 22:42:00 +02:00
parent d46990b7fb
commit f86996cd28
87 changed files with 4681 additions and 135 deletions
--- a/hosts/web-arm/modules/grafana.nix
+++ b/hosts/web-arm/modules/grafana.nix
@@ -0,0 +1,107 @@
+{ lib, pkgs, config, ...}:
+let
+  ldap = pkgs.writeTextFile {
+    name = "ldap.toml";
+    text = ''
+      [[servers]]
+      host = "ldap.cloonar.com"
+      port = 636
+      use_ssl = true
+      bind_dn = "cn=grafana,ou=system,ou=users,dc=cloonar,dc=com"
+      bind_password = "$__file{/run/secrets/grafana-ldap-password}"
+      search_filter = "(&(objectClass=cloonarUser)(mail=%s))"
+      search_base_dns = ["ou=users,dc=cloonar,dc=com"]
+
+      [servers.attributes]
+      name = "givenName"
+      surname = "sn"
+      username = "uid"
+      email =  "mail"
+      member_of = "memberOf"
+
+      [[servers.group_mappings]]
+      group_dn = "cn=Administrators,ou=groups,dc=cloonar,dc=com"
+      org_role = "Admin"
+      grafana_admin = true # Available in Grafana v5.3 and above
+    '';
+  };
+in
+{
+  systemd.services.grafana.script = lib.mkBefore "export GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$(cat /run/secrets/grafana-oauth-secret)";
+  services.grafana = {
+    enable = true;
+    settings = {
+      analytics.reporting_enabled = false;
+      # "auth.ldap".enabled = true;
+      # "auth.ldap".config_file = toString ldap;
+
+      "auth.generic_oauth" = {
+        enabled = true;
+        name = "Authelia";
+        icon = "signin";
+        client_id = "grafana";
+        scopes = "openid profile email groups";
+        empty_scopes = false;
+        auth_url = "https://auth.cloonar.com/api/oidc/authorization";
+        token_url = "https://auth.cloonar.com/api/oidc/token";
+        api_url = "https://auth.cloonar.com/api/oidc/userinfo";
+        login_attribute_path = "preferred_username";
+        groups_attribute_path = "groups";
+        name_attribute_path = "name";
+        use_pkce = true;
+      };
+
+      "auth.anonymous".enabled = true;
+      "auth.anonymous".org_name = "Cloonar e.U.";
+      "auth.anonymous".org_role = "Viewer";
+
+      server = {
+        root_url = "https://grafana.cloonar.com";
+        domain = "grafana.cloonar.com";
+        enforce_domain = true;
+        enable_gzip = true;
+        http_addr = "0.0.0.0";
+        http_port = 3001;
+      };
+
+      smtp = {
+        enabled = true;
+        host = "mail.cloonar.com:587";
+        user = "grafana@cloonar.com";
+        password = "$__file{${config.sops.secrets.grafana-ldap-password.path}}";
+        fromAddress = "grafana@cloonar.com";
+      };
+
+      database = {
+        type = "postgres";
+        name = "grafana";
+        host = "/run/postgresql";
+        user = "grafana";
+      };
+
+      security.admin_password = "$__file{${config.sops.secrets.grafana-admin-password.path}}";
+    };
+  };
+
+  services.nginx.virtualHosts."grafana.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    locations."/".extraConfig = "proxy_pass http://localhost:3001;";
+  };
+
+  services.postgresql.ensureUsers = [
+    {
+      name = "grafana";
+      ensureDBOwnership = true;
+    }
+  ];
+  services.postgresql.ensureDatabases = [ "grafana" ];
+  services.postgresqlBackup.databases = [ "grafana" ];
+
+  sops.secrets = {
+    grafana-admin-password.owner = "grafana";
+    grafana-ldap-password.owner = "grafana";
+    grafana-oauth-secret.owner = "grafana";
+  };
+}