yep, more dotfiles

weird-row-server: grafana: properly pass oidc secret

hate myself, I spent way too much time on this issue

wiro.world eafdc044 e49584f4

verified
+9 -2
+9 -2
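--- a/hosts/weird-row-server/grafana.nix
+++ b/hosts/weird-row-server/grafana.nix
@@ -3,6 +3,8 @@
 ...
 }:
 
+# TODO: configure SMTP for alerts
+
 let
 grafana-port = 3002;
 # grafana-hostname = "console.net.wiro.world";
@@ -36,14 +38,19 @@
 icon = "signin";
 
 client_id = "grafana";
-client_secret_path = config.age.secrets.grafana-oidc-secret.path;
+client_secret = "$__file{${config.age.secrets.grafana-oidc-secret.path}}";
 auto_login = true;
 
 login_attribute_path = "preferred_username";
 groups_attribute_path = "groups";
 name_attribute_path = "name";
 
-role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
+role_attribute_path = builtins.concatStringsSep " || " [
+"contains(groups[*], 'admin') && 'GrafanaAdmin'"
+"contains(groups[*], 'admin') && 'Admin'"
+"contains(groups[*], 'editor') && 'Editor'"
+"'Viewer'"
+];
 allow_assign_grafana_admin = true;
 
 scopes = [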
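Review bot: In the new `role_attribute_path` list the first two entries test the same condition, `contains(groups[*], 'admin')`, so the `'Admin'` entry can never be selected. Every member of the `admin` group is therefore mapped to `GrafanaAdmin`, the server-wide admin role that `allow_assign_grafana_admin = true` permits. If server admin is meant for a narrower set of people than organisation admin, the first entry should test its own group, for example `"contains(groups[*], '<server-admin-group>') && 'GrafanaAdmin'"` (placeholder group name); otherwise the unreachable `'Admin'` line should be dropped. The mapping now reads the `groups` claim instead of `roles`, so a comment above the list such as `# IdP group -> Grafana role; 'admin' grants server admin` would record the intent. It is also worth checking that the `scopes` list, which continues outside the hunk, requests the claim that carries `groups`.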