From e13ec87217c949d0aea368fafb2808578e2ced05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristoffer=20F=C3=B8llesdal?=
Date: Mon, 16 May 2022 16:37:02 +0200
Subject: [PATCH] nixos/grafana: add Azure AD OAuth options

---
 nixos/modules/services/monitoring/grafana.nix | 63 +++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix
index b959379d331..fa866a08f81 100644
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -44,6 +44,18 @@ let
 AUTH_ANONYMOUS_ENABLED = boolToString cfg.auth.anonymous.enable;
 AUTH_ANONYMOUS_ORG_NAME = cfg.auth.anonymous.org_name;
 AUTH_ANONYMOUS_ORG_ROLE = cfg.auth.anonymous.org_role;
+
+ AUTH_AZUREAD_NAME = "Azure AD";
+ AUTH_AZUREAD_ENABLED = boolToString cfg.auth.azuread.enable;
+ AUTH_AZUREAD_ALLOW_SIGN_UP = boolToString cfg.auth.azuread.allowSignUp;
+ AUTH_AZUREAD_CLIENT_ID = cfg.auth.azuread.clientId;
+ AUTH_AZUREAD_SCOPES = "openid email profile";
+ AUTH_AZUREAD_AUTH_URL = "https://login.microsoftonline.com/${cfg.auth.azuread.tenantId}/oauth2/v2.0/authorize";
+ AUTH_AZUREAD_TOKEN_URL = "https://login.microsoftonline.com/${cfg.auth.azuread.tenantId}/oauth2/v2.0/token";
+ AUTH_AZUREAD_ALLOWED_DOMAINS = cfg.auth.azuread.allowedDomains;
+ AUTH_AZUREAD_ALLOWED_GROUPS = cfg.auth.azuread.allowedGroups;
+ AUTH_AZUREAD_ROLE_ATTRIBUTE_STRICT = false;
+
 AUTH_GOOGLE_ENABLED = boolToString cfg.auth.google.enable;
 AUTH_GOOGLE_ALLOW_SIGN_UP = boolToString cfg.auth.google.allowSignUp;
 AUTH_GOOGLE_CLIENT_ID = cfg.auth.google.clientId;
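Review bot: `AUTH_AZUREAD_ROLE_ATTRIBUTE_STRICT = false;` is the only boolean in this block passed as a bare Nix bool; every neighbouring boolean entry goes through `boolToString`, and if the module stringifies envOptions with toString (not visible in this hunk) the variable reaches Grafana as an empty string rather than "false". Grafana's ini handling appears to fall back to the default for an empty bool, so this is probably harmless today, but it is brittle and inconsistent with the rest of the block; use `AUTH_AZUREAD_ROLE_ATTRIBUTE_STRICT = boolToString false;`. The provider name and scopes are also fixed in place (`"Azure AD"`, `"openid email profile"`) with no option behind them, which is reasonable for a first version but deserves a short comment saying they are intentionally not configurable. The enclosing `let` attribute set starts and ends outside the hunk.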
@@ -563,6 +575,53 @@ in {
 type = types.str;
 };
 };
+ azuread = {
+ enable = mkOption {
+ description = "Whether to allow Azure AD OAuth.";
+ default = false;
+ type = types.bool;
+ };
+ allowSignUp = mkOption {
+ description = "Whether to allow sign up with Azure AD OAuth.";
+ default = false;
+ type = types.bool;
+ };
+ clientId = mkOption {
+ description = "Azure AD OAuth client ID.";
+ default = "";
+ type = types.str;
+ };
+ clientSecretFile = mkOption {
+ description = "Azure AD OAuth client secret.";
+ default = null;
+ type = types.nullOr types.path;
+ };
+ tenantId = mkOption {
+ description = ''
+ Tenant id used to create auth and token url. Default to "common"
+ , let user sign in with any tenant.
+ '';
+ default = "common";
+ type = types.str;
+ };
+ allowedDomains = mkOption {
+ description = ''
+ To limit access to authenticated users who are members of one or more groups,
+ set allowedGroups to a comma- or space-separated list of group object IDs.
+ You can find object IDs for a specific group on the Azure portal.
+ '';
+ default = "";
+ type = types.str;
+ };
+ allowedGroups = mkOption {
+ description = ''
+ Limits access to users who belong to specific domains.
+ Separate domains with space or comma.
+ '';
+ default = "";
+ type = types.str;
+ };
+ };
 google = {
 enable = mkOption {
 description = "Whether to allow Google OAuth2.";
@@ -652,6 +711,10 @@ in {
 set -o errexit -o pipefail -o nounset -o errtrace
 shopt -s inherit_errexit
+ ${optionalString (cfg.auth.azuread.clientSecretFile != null) ''
+ GF_AUTH_AZUREAD_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.azuread.clientSecretFile})"
+ export GF_AUTH_AZUREAD_CLIENT_SECRET
+ ''}
 ${optionalString (cfg.auth.google.clientSecretFile != null) ''
 GF_AUTH_GOOGLE_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.google.clientSecretFile})"
 export GF_AUTH_GOOGLE_CLIENT_SECRET
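Review bot: The descriptions of `allowedDomains` and `allowedGroups` are swapped: the text under allowedDomains talks about group object IDs and tells the reader to set allowedGroups, while the text under allowedGroups talks about domains. These two options are what narrows which authenticated accounts get in once sign-up is allowed and `tenantId` is left at its default of "common" (any tenant can authenticate), so a wrong description can lead an operator to populate the wrong field; move each paragraph to the option it describes. `clientSecretFile`'s description reads `Azure AD OAuth client secret.` but the option is a `types.nullOr types.path` read at service start, so say `Path to a file containing the Azure AD OAuth client secret; the file is read when the service starts. Do not use a Nix path literal here, as that would copy the secret into the world-readable Nix store.` The tenantId description also has a stray line break and leading comma; `Tenant ID used to build the auth and token URLs. Defaults to "common", which lets users from any tenant sign in.` reads more cleanly. The enclosing `auth` option set starts before and continues after this hunk.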