Merge pull request #118395 from jwygoda/grafana-google-oauth2

grafana: add google oauth2 config
2021-05-18 23:11:24 -04:00 · 2021-05-18 23:11:24 -04:00 · 58ddbfa71d
parent d904c14b34 df3be1718a
commit 58ddbfa71d
1 changed files with 44 additions and 15 deletions
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@ -42,6 +42,9 @@ let
    AUTH_ANONYMOUS_ENABLED = boolToString cfg.auth.anonymous.enable;
    AUTH_ANONYMOUS_ORG_NAME = cfg.auth.anonymous.org_name;
    AUTH_ANONYMOUS_ORG_ROLE = cfg.auth.anonymous.org_role;
+    AUTH_GOOGLE_ENABLED = boolToString cfg.auth.google.enable;
+    AUTH_GOOGLE_ALLOW_SIGN_UP = boolToString cfg.auth.google.allowSignUp;
+    AUTH_GOOGLE_CLIENT_ID = cfg.auth.google.clientId;

    ANALYTICS_REPORTING_ENABLED = boolToString cfg.analytics.reporting.enable;

@ -528,23 +531,46 @@ in {
      };
    };

-    auth.anonymous = {
-      enable = mkOption {
-        description = "Whether to allow anonymous access.";
-        default = false;
-        type = types.bool;
+    auth = {
+      anonymous = {
+        enable = mkOption {
+          description = "Whether to allow anonymous access.";
+          default = false;
+          type = types.bool;
+        };
+        org_name = mkOption {
+          description = "Which organization to allow anonymous access to.";
+          default = "Main Org.";
+          type = types.str;
+        };
+        org_role = mkOption {
+          description = "Which role anonymous users have in the organization.";
+          default = "Viewer";
+          type = types.str;
+        };
      };
-      org_name = mkOption {
-        description = "Which organization to allow anonymous access to.";
-        default = "Main Org.";
-        type = types.str;
+      google = {
+        enable = mkOption {
+          description = "Whether to allow Google OAuth2.";
+          default = false;
+          type = types.bool;
+        };
+        allowSignUp = mkOption {
+          description = "Whether to allow sign up with Google OAuth2.";
+          default = false;
+          type = types.bool;
+        };
+        clientId = mkOption {
+          description = "Google OAuth2 client ID.";
+          default = "";
+          type = types.str;
+        };
+        clientSecretFile = mkOption {
+          description = "Google OAuth2 client secret.";
+          default = null;
+          type = types.nullOr types.path;
+        };
      };
-      org_role = mkOption {
-        description = "Which role anonymous users have in the organization.";
-        default = "Viewer";
-        type = types.str;
-      };
-
    };

    analytics.reporting = {
@ -609,6 +635,9 @@ in {
        QT_QPA_PLATFORM = "offscreen";
      } // mapAttrs' (n: v: nameValuePair "GF_${n}" (toString v)) envOptions;
      script = ''
+        ${optionalString (cfg.auth.google.clientSecretFile != null) ''
+          export GF_AUTH_GOOGLE_CLIENT_SECRET="$(cat ${escapeShellArg cfg.auth.google.clientSecretFile})"
+        ''}
        ${optionalString (cfg.database.passwordFile != null) ''
          export GF_DATABASE_PASSWORD="$(cat ${escapeShellArg cfg.database.passwordFile})"
        ''}