
weird-row-server: grafana: fix role mapping

wiro.world e7d12c77 dfcb7483

+14 -3
+9 -2
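--- a/hosts/weird-row-server/authelia.nix
+++ b/hosts/weird-row-server/authelia.nix
@@ -134,13 +134,19 @@
 miniflux = mkStrictPolicy "one_factor" [ "group:miniflux" ];
 };
 
-claims_policies.headscale = {
-id_token = [
+claims_policies = {
+headscale.id_token = [
 "email"
 "name"
 "preferred_username"
 "picture"
 "groups"
+];
+grafana.id_token = [
+"email"
+"name"
+"groups"
+"preferred_username"
 ];
 };
 
@@ -166,6 +172,7 @@
 client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";
 redirect_uris = [ "https://${grafana-hostname}/login/generic_oauth" ];
 authorization_policy = "grafana";
+claims_policy = "grafana";
 }
 {
 client_name = "Miniflux";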
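Review bot: The new `grafana.id_token` claims list carries no hint of who consumes it, so the next edit that trims or reorders it has nothing to tell the maintainer that `groups` and `preferred_username` are what grafana.nix's `groups_attribute_path` and `login_attribute_path` read. A one-line comment above the list would pin that dependency, e.g. `# claims Grafana reads via *_attribute_path in grafana.nix; keep in sync`. The `claims_policies` attribute set continues past the first hunk, and the grafana client block starts before the second.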
+5 -1
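--- a/hosts/weird-row-server/grafana.nix
+++ b/hosts/weird-row-server/grafana.nix
@@ -39,7 +39,11 @@
 client_secret_path = config.age.secrets.grafana-oidc-secret.path;
 auto_login = true;
 
-role_attribute_path = "contains(roles[*], 'admin') && 'GrafanaAdmin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
+login_attribute_path = "preferred_username";
+groups_attribute_path = "groups";
+name_attribute_path = "name";
+
+role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
 allow_assign_grafana_admin = true;
 
 scopes = [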
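Review bot: The rewritten `role_attribute_path` still evaluates `roles[*]`, but the claims policy this commit adds in hosts/weird-row-server/authelia.nix puts `groups` into the ID token and nothing named `roles`, and the new `groups_attribute_path = "groups"` on the line above confirms `groups` is the claim being used; unless a `roles` claim is produced somewhere not shown, both `contains()` calls evaluate false for everyone and every login falls through to `'Viewer'`, which would leave the role mapping broken despite the `GrafanaAdmin` → `Admin` correction. The JMESPath should match the claim that is actually issued, `role_attribute_path = "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'";`. Worth confirming after deploy that a member of the admin group lands as Admin rather than Viewer, since a silent fall-through to the lowest role is easy to miss. The enclosing `generic_oauth` settings block starts before the hunk and its `scopes` list runs past it.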