Infini-DL360/grafana: init

hosts/Infini-DL360/grafana.nix

@@ -0,0 +1,61 @@
+{
+  common,
+  config,
+  secrets,
+  ...
+}:
+let
+  domain = common.subdomain "graph";
+  secret = secret: "$__file{/etc/secrets/grafana/${secret}}";
+in
+{
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        inherit domain;
+      };
+      security = {
+        admin_email = common.email.withUser "admin";
+        cookie_secure = true;
+        secret_key = secret "secret_key";
+      };
+      auth = {
+        signout_redirect_url = "https://auth.inx.moe/application/o/grafana/end-session";
+        auto_login = "authentik";
+      };
+      "auth.anonymous".enabled = true;
+      "auth.basic".enabled = false;
+      "auth.generic_oauth" = {
+        name = "authentik";
+        enabled = true;
+        client_id = "yL4qqsKyc5i9mhvVUNFHcQyTGaYWxnqtMvceg0kY";
+        client_secret = secret "client_secret";
+        scopes = "openid email profile";
+        auth_url = "https://auth.inx.moe/application/o/authorize/";
+        token_url = "https://auth.inx.moe/application/o/token/";
+        api_url = "https://auth.inx.moe/application/o/userinfo/";
+        role_attribute_path = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'";
+      };
+      smtp = with common.email; {
+        user = outgoing;
+        from_address = withSubaddress "grafana";
+        from_name = "Grafana";
+        key_file = secrets.smtp-noreply;
+        startTLS_policy = "MandatoryStartTLS";
+        host = "${smtp.address}:${toString smtp.STARTTLS}";
+      };
+      users = {
+        allow_org_create = true;
+        hidden_users = "admin";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts.${domain} = common.nginx.ssl-inx // {
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+      proxyWebsockets = true;
+    };
+  };
+}