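# Grafana behind nginx, authenticating users against the LDAP directory.
#
# Fix vs. the previous revision: `isDefault` was nested inside the
# datasource's `jsonData`, where Grafana's provisioning ignores it; it is a
# top-level key of the datasource entry, so it now lives there.
{ pkgs, config, ... }:

let
  cfg = config.services.grafana;

  # Grafana reads the value of an option from a file when the option is
  # written as `$__file{path}`; used so no secret ends up in the Nix store.
  fileProvider = path: "$__file{${path}}";

  # One `[[servers]]` entry of Grafana's ldap.toml. The `host` field is a
  # space-separated list of fallback hosts.
  ldapServer = {
    host = "re2o-ldap.adm.auro.re ldap-replica-edc 10.128.0.21 10.128.4.249";
    port = 389;
    # NOTE(review): the bind (and the user's password on login) travels in
    # clear text to the directory — neither LDAPS nor StartTLS is enabled.
    # Acceptable only if the admin network is trusted; otherwise set
    # `start_tls = true` (or `use_ssl` + port 636) once the replicas offer it.
    use_ssl = false;
    start_tls = false;

    bind_dn = "cn=grafana,ou=service-users,dc=auro,dc=re";
    # Password is read by Grafana at runtime from the agenix-decrypted file,
    # so the generated ldap.toml (a world-readable store path) holds no secret.
    bind_password = fileProvider config.age.secrets.grafana-ldap-password.path;

    search_filter = "(&(objectClass=posixAccount)(cn=%s))";
    search_base_dns = [ "cn=Utilisateurs,dc=auro,dc=re" ];

    group_search_base_dns = [ "ou=posix,ou=groups,dc=auro,dc=re" ];
    group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))";
    # `%s` in group_search_filter is replaced by this attribute of the user.
    group_search_filter_user_attribute = "uid";

    attributes = {
      email = "mail";
    };

    # Mappings are evaluated in order; the `*` catch-all means every account
    # that can bind to the directory gets at least Viewer.
    group_mappings = [
      {
        group_dn = "cn=sudoldap,ou=posix,ou=groups,dc=auro,dc=re";
        org_role = "Admin";
        grafana_admin = true;
      }
      {
        group_dn = "cn=technicien,ou=posix,ou=groups,dc=auro,dc=re";
        org_role = "Editor";
      }
      {
        group_dn = "*";
        org_role = "Viewer";
      }
    ];
  };

  ldapConfig = (pkgs.formats.toml { }).generate "ldap.toml" {
    servers = [ ldapServer ];
  };
in
{
  # Secrets are decrypted for the grafana user only; Grafana reads them
  # through `$__file{}` references (see `fileProvider`).
  age.secrets = {
    grafana-admin-password = {
      file = ../../../secrets/grafana/admin_password.age;
      owner = "grafana";
      group = "grafana";
    };
    grafana-secret-key = {
      file = ../../../secrets/grafana/secret_key.age;
      owner = "grafana";
      group = "grafana";
    };
    grafana-ldap-password = {
      file = ../../../secrets/grafana/ldap_password.age;
      owner = "grafana";
      group = "grafana";
    };
  };

  services.grafana = {
    enable = true;

    settings = {
      # Listen on a Unix socket only; nginx below is the sole entry point.
      server.protocol = "socket";

      analytics = {
        reporting_enabled = false;
        feedback_links_enabled = false;
      };

      security = {
        admin_user = "admin";
        admin_password = fileProvider config.age.secrets.grafana-admin-password.path;
        secret_key = fileProvider config.age.secrets.grafana-secret-key.path;
      };

      "auth.ldap" = {
        enabled = true;
        # Accounts are created on first successful LDAP login.
        allow_sign_up = true;
        # Org role is re-derived from `group_mappings` on every login, so a
        # role edited in the Grafana UI does not stick.
        skip_org_role_sync = false;
        config_file = toString ldapConfig;
      };
    };

    provision.datasources.settings.datasources = [
      {
        name = "Infrastructure 1";
        type = "prometheus";
        uid = "infra-1";
        url = "http://10.204.1.1:9090";
        editable = false;
        # Top-level key (not `jsonData`): marks this as the default datasource.
        isDefault = true;
      }
    ];
  };

  # NOTE(review): 443 is opened but this vhost declares no TLS (no
  # `forceSSL`/`enableACME`); unless TLS is configured in another module,
  # the site is served over plain HTTP only — confirm.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;

    # Proxy to Grafana's Unix socket; nginx needs the grafana group for it
    # (granted below).
    upstreams.grafana.servers."unix:/${cfg.settings.server.socket}" = { };

    virtualHosts."grafana-ng.auro.re" = {
      # Static assets are served straight from Grafana's static dir; anything
      # else falls through to the proxied application.
      root = cfg.settings.server.static_root_path;
      locations."/".tryFiles = "$uri @grafana";
      locations."@grafana".proxyPass = "http://grafana";
    };
  };

  users.users.${config.services.nginx.user}.extraGroups = [ "grafana" ];
}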