grafana: configuration du service

2025-10-06 20:51:12 +02:00 · 2025-10-06 20:51:12 +02:00 · 15fcba2b26
commit 15fcba2b26
parent d98c1e47ce
9 changed files with 224 additions and 15 deletions
--- a/flake.nix
+++ b/flake.nix
@ -53,6 +53,13 @@
            ++ defaultConfig;
          in
          {
+            grafana = nixosSystem {
+              specialArgs = inputs;
+              modules = [
+                ./hosts/vm/grafana
+              ]
+              ++ defaultVM;
+            };
            # VL: Peut-être avoir de l'auto-discovery: On a beaucoup trop de machines
            jitsi = nixosSystem {
              specialArgs = inputs;
--- a/hosts/vm/grafana/default.nix
+++ b/hosts/vm/grafana/default.nix
@ -0,0 +1,52 @@
+{ ... }:
+
+{
+  imports = [
+    ./grafana.nix
+  ];
+
+  networking = {
+    hostName = "grafana";
+    domain = "ext.infra.auro.re";
+  };
+
+  boot.loader.systemd-boot.enable = true;
+
+  systemd.network = {
+    enable = true;
+
+    links = {
+      "10-ext" = {
+        matchConfig.MACAddress = "ae:ae:ae:a4:7d:ab";
+        linkConfig.Name = "ext";
+      };
+    };
+
+    networks = {
+      "10-ext" = {
+        domains = [
+          "ext.infra.auro.re"
+          "auro.re"
+        ];
+        matchConfig.Name = "ext";
+        linkConfig.RequiredForOnline = "routable";
+        address = [
+          "10.211.1.7/16"
+          "2a09:6840:211::1:7/64"
+        ];
+        routes = [
+          { Gateway = "10.211.0.1"; }
+          { Gateway = "2a09:6840:211::1"; }
+        ];
+        dns = [
+          "10.206.1.1"
+          "10.206.1.2"
+          "2a09:6840:206::1:1"
+          "2a09:6840:206::1:2"
+        ];
+      };
+    };
+  };
+
+  system.stateVersion = "25.05";
+}
--- a/hosts/vm/grafana/grafana.nix
+++ b/hosts/vm/grafana/grafana.nix
@ -0,0 +1,114 @@
+{ pkgs, config, ... }:
+
+let
+  cfg = config.services.grafana;
+  fileProvider = path: "$__file{${path}}";
+  ldapServer = {
+    host = "re2o-ldap.adm.auro.re ldap-replica-edc 10.128.0.21 10.128.4.249";
+    port = 389;
+    use_ssl = false;
+    start_tls = false;
+    bind_dn = "cn=grafana,ou=service-users,dc=auro,dc=re";
+    bind_password = fileProvider config.age.secrets.grafana-ldap-password.path;
+    search_filter = "(&(objectClass=posixAccount)(cn=%s))";
+    search_base_dns = [ "cn=Utilisateurs,dc=auro,dc=re" ];
+    group_search_base_dns = [ "ou=posix,ou=groups,dc=auro,dc=re" ];
+    group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))";
+    group_search_filter_user_attribute = "uid";
+    attributes = {
+      email = "mail";
+    };
+    "group_mappings" = [
+      {
+        group_dn = "cn=sudoldap,ou=posix,ou=groups,dc=auro,dc=re";
+        org_role = "Admin";
+        grafana_admin = true;
+      }
+      {
+        group_dn = "cn=technicien,ou=posix,ou=groups,dc=auro,dc=re";
+        org_role = "Editor";
+      }
+      {
+        group_dn = "*";
+        org_role = "Viewer";
+      }
+    ];
+  };
+  ldapConfig = (pkgs.formats.toml { }).generate "ldap.toml" {
+    servers = [ ldapServer ];
+  };
+in
+{
+  age.secrets = {
+    grafana-admin-password = {
+      file = ../../../secrets/grafana/admin_password.age;
+      owner = "grafana";
+      group = "grafana";
+    };
+    grafana-secret-key = {
+      file = ../../../secrets/grafana/secret_key.age;
+      owner = "grafana";
+      group = "grafana";
+    };
+    grafana-ldap-password = {
+      file = ../../../secrets/grafana/ldap_password.age;
+      owner = "grafana";
+      group = "grafana";
+    };
+  };
+
+  services.grafana = {
+    enable = true;
+
+    settings = {
+      server.protocol = "socket";
+      analytics = {
+        reporting_enabled = false;
+        feedback_links_enabled = false;
+      };
+      security = {
+        admin_user = "admin";
+        admin_password = fileProvider config.age.secrets.grafana-admin-password.path;
+        secret_key = fileProvider config.age.secrets.grafana-secret-key.path;
+      };
+      "auth.ldap" = {
+        enabled = true;
+        allow_sign_up = true;
+        skip_org_role_sync = false;
+        config_file = toString ldapConfig;
+      };
+    };
+
+    provision.datasources.settings.datasources =
+      [
+        {
+          name = "Infrastructure 1";
+          type = "prometheus";
+          uid = "infra-1";
+          url = "http://10.204.1.1:9090";
+          editable = false;
+          jsonData = {
+            isDefault = true;
+          };
+        }
+      ];
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    upstreams.grafana.servers."unix:/${cfg.settings.server.socket}" = { };
+    virtualHosts."grafana-ng.auro.re" = {
+      root = cfg.settings.server.static_root_path;
+      locations."/".tryFiles = "$uri @grafana";
+      locations."@grafana".proxyPass = "http://grafana";
+    };
+  };
+
+  users.users.${config.services.nginx.user}.extraGroups = [ "grafana" ];
+}
--- a/profiles/common/ssh.nix
+++ b/profiles/common/ssh.nix
@ -1,16 +1,6 @@
 { config, ... }:

 {
-  age.secrets = {
-    ssh_users_ca = {
-      file = ../../secrets/common/ssh/users_ca.age;
-      path = "/etc/ssh/users_ca.pub";
-      owner = "root";
-      group = "root";
-      mode = "400";
-    };
-  };
-
  services.openssh = {
    enable = true;

@ -28,7 +18,6 @@
      SyslogFacility AUTH
      UsePAM no
      TCPKeepAlive yes
-      TrustedUserCAKeys ${config.age.secrets.ssh_users_ca.path}
      VersionAddendum none
    '';

--- a/secrets.nix
+++ b/secrets.nix
@ -1,17 +1,25 @@
 let
  # responsable technique
-  korenstin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBu/fWY86IU7s5JIcxu8rsDwHd0JalvK1tUSzAAy3S3e korenstin@nixos";
-  lafeychine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHt8Bk4HAmuLYif/K6JAXteZFyihX6KKL5gM7gCA2Cl lafeychine@P14s";
+  korenstin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBu/fWY86IU7s5JIcxu8rsDwHd0JalvK1tUSzAAy3S3e";
+  lafeychine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHt8Bk4HAmuLYif/K6JAXteZFyihX6KKL5gM7gCA2Cl";
+  hachino = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZ+Km78tkWXnmRTeg2F5kHgTGYS+JYM3SfAoTqvaisBRLpYHOtG889FvRjczVJn7A2q4aLGuejzjJ9V3wyF+aJjdzANPnVMUCGQXSnbHC4pMfL8fD67J+8gJil/QwGgpKpYlU0u81tgcjszYMv/ub8d9HnqLeYFkTvy2678vrsA2GoB/pO6iWOA4cubI0R0BYOP1zRnsgBM7L3swag/7lQ0L+6g+M8IcU2fr2Fp/L0gQ33e6H59fyuDaEp2GyQM66r0N+dMqjAyvB7tZlM2S28wji+DW46p4SJxNiqE8mzAjzWxV4rQDXfg+89LvzDN6iOKOtYAP9otWj14X4MOlQaKws4gicGjdUX9MiiChEjl3LET5i/zQqAMylMvm8qKTJ6PqIOootuUi6rv5d1IqLoaHXcU++h8HtYJU8o4MfGYBe4mFT4SRvJaX6C+UTdi6JKEJBmmBVwJIUCRCfXeqitc15Xb3xDgoOf0VsWiIaFnduYRDWfPKBCDl1raafxYO0=";
  respo_technique = [
    korenstin
    lafeychine
+    hachino
  ];

  # vm
  jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBwpK5qfEsuapx+8tOCmEY0hpy3V6M0OSqwoByriCX5 root@jitsi";
-  vm = [ jitsi ];
+  grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIErGGJ9JNa7sZQOADXWCfcKpgF0xuYTLUC+ErMV9IkPJ root@grafana";
+  vm = [
+    jitsi
+    grafana
+  ];
 in
 {
-  "secrets/common/ssh/users_ca.age".publicKeys = respo_technique ++ vm;
+  "secrets/grafana/admin_password.age".publicKeys = respo_technique ++ [ grafana ];
+  "secrets/grafana/ldap_password.age".publicKeys = respo_technique ++ [ grafana ];
+  "secrets/grafana/secret_key.age".publicKeys = respo_technique ++ [ grafana ];
 }

--- a/secrets/common/ssh/users_ca.age
+++ b/secrets/common/ssh/users_ca.age
--- a/secrets/grafana/admin_password.age
+++ b/secrets/grafana/admin_password.age
@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-ed25519 6qBTxA rpz6GQsKHdPX+Hc6pMvSpWzgBMYpYpKPOjIyU+rX21A
+KNLlxBgAVped7g3B24kHLJHyI0i8vwSB3tvXrMi+WiE
+-> ssh-ed25519 tQAKMw mPZPUXxd9THMuuR4KGnQu/9zKAXuoijEMp1RecaDGgU
+S8U2HxCLbHMMyo5JYsdhX6H+mtl9rkXgSVWBrX3Cf28
+-> ssh-rsa REaZBA
+PkLlexB3ZsI+Gc4dP9SDUTHDScPnZTMJ+cU5msrquFXhUbZd3xMRh17E0bH8dFD0
+JkTYNsMdPH5NtcsN2uPLHlB3KMDO32boPhCZOrWqyFeJ/os/wZm9wY7HzrbEYNV2
+RBGCzb4EhvctKPhQL5J0CkuemJI3RL+E20p2BdwWfUDQxcqxdUQHzszm3ONpyTkf
+20eN/rd0P2LBRc2NxHrbesRqsY4HmusTSBYBHqvNfkdBFV/GkMYUGlF1h2JhxLv0
+fK7AB3G+u+HX4Grhhl0Vdl+r7wjRVW6T6IC1iwHaPw7Iwg1QJ0PRuoJGo2+iJnnF
+yC8HvaqDdq+M/Z17SnAbdGaW+wpFam/GOxBRaS4atltdeZGXu911l6PUzvPqHaIZ
+FlhfGedLExcIetF1wzgvD/l+NT3Obu+On2Pa8JGec17d+bJekfG3Y1wXckOhoX26
+IbnT3iygJ99kxIXLvrYqEgJxL7QsgtIdlO1OMs1HYFT5H2X1O7ERW1z8htSKJF+A
+
+-> ssh-ed25519 1baUFg Q59tfDG1iM0EcTXiZ5pfEOJ7MjYSuuroljgtTvQ9CRE
+Xrk54B1FFiYxFFKAhHjgZB9a0RNVeGzPtLH2ATUqQ6g
+--- 3qwWrafWUzecR6Qxc3iBTsa1qHSgX6p9ef6H4svB0HI
+¸«öÌ’OK˜ø)3Oèwï½É¡ª1ÀQ(<28>1¶}S»¦çP/ÎêïN<>K	ÅFÏÂ
--- a/secrets/grafana/ldap_password.age
+++ b/secrets/grafana/ldap_password.age
--- a/secrets/grafana/secret_key.age
+++ b/secrets/grafana/secret_key.age
@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 6qBTxA fzgvb33y/ccMbjxrzPiBRpcM5KqHGv8lDsn/LFCvbgU
+HIQJNjELuFvyyncKiduNEwzII/Bcp9oYhbZWzvZkvK8
+-> ssh-ed25519 tQAKMw Jrhrys8NOiXukzc5fEbedoMV+ls8bW3wwzS7K41PS2Y
+gPU1H2QI0XObePui5CKf1pO5C93igQTwMcJSwTC4xYY
+-> ssh-rsa REaZBA
+XUsv/XEoyb2ckPE7pGV9ntH+Gn8vd06uDL3pMIv4CesEQcvn1Ppn0Uymlmm096jw
+umY66FHetl45tJbEWx9os2vNw420+ESHfyZCef32D+hM94VTYV6r3hMTPVEsHsrf
+lWXCLVhTaUpKfAb3w7E7gnKm0JTBX//hbrZKoQrBZ6nvn/5clkNBmRa43GKqi22
+FlfOe7y+DiNBp9c15K16FHijO2u8QONqcD/iHdVwOQncQAhVnzdTs048aLWefhFJ
+VHXcmX3/LLc1LtMnMTloHsOUa3UU8TEG9xet7KeWxgyeMITBKuY3nmVFKPHEl6Ty
+wSyarADyrTLV8tT2UUGPQmyGh868CHTg7Jy422riM8JG5FJRxg8sxK7UOokGflHI
+vHPTUx+94/goN3IyyW9qum+2Mr+Dee3k2kBWb25gOAIme3vnxOBCAVgw7irz7Nsg
+avYnQLuQR8T/8ldWgst2aDTIe0rijxtP2i6JwzfSQGfaENXe/6U06f50wuBcYdm9
+
+-> ssh-ed25519 1baUFg iEpEJcziOF24syWa7TiUNi904a/ajacQaws2Y+NjnG8
+09a1FRksRWGYYdpHHyWZ96OfbGzXXKfqX+hnfGpUjL8
+--- H/TyEYeNgKY1Q5p6bdw8AyEjXYcBjftRRayvUVq9Dy0
+"
+ûòjˆÜºÊ¢f$%UÌê“ÁëvøÓZ-¿]˜?KwQ‘¶€°«÷»UÂ}¹ª‡V