# NixOS module: Grafana instance behind https://mesh.nekover.se with Keycloak
# ("Nekoverse ID") single sign-on, outbound SMTP and a local Prometheus
# datasource. Every secret is referenced through Grafana's `$__file{...}`
# expansion, so this file (and the generated config) holds only the path;
# the value is read from /secrets by Grafana itself.
{ config, ... }:
let
  serverCfg = config.services.grafana.settings.server;
  promPort = config.services.prometheus.port;
in
{
  services.grafana = {
    enable = true;

    settings = {
      server = {
        domain = "mesh.nekover.se";
        # Derived from `domain` above so the two cannot drift apart.
        root_url = "https://${serverCfg.domain}";
      };

      security = {
        # Session cookies: HTTPS only, never sent on cross-site requests.
        cookie_secure = true;
        cookie_samesite = "strict";

        # Built-in local administrator, configured alongside OAuth.
        # NOTE(review): nothing here sets auth.disable_login_form, so password
        # login for this account presumably stays reachable. Confirm it is
        # meant as a break-glass account and that the secret file is readable
        # only by the grafana service user.
        admin_user = "admin";
        admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}";
        admin_email = "fi@nekover.se";
      };

      smtp = {
        enabled = true;
        host = "mail.grzb.de:465";
        user = "nekomesh@grzb.de";
        password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}";
        from_address = "nyareply@nekover.se";
        from_name = "Nekomesh";
        # STARTTLS is explicitly off; the port is 465.
        # NOTE(review): this relies on TLS being negotiated on connect for
        # port 465. Verify that mail (and the SMTP credentials) never leave
        # the host in clear text.
        startTLS_policy = "NoStartTLS";
      };

      "auth.generic_oauth" = {
        enabled = true;
        name = "Nekoverse ID";
        # Accounts are created on first login for anyone the IdP lets through.
        allow_sign_up = true;
        client_id = "nekomesh";
        client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}";
        # offline_access plus use_refresh_token keeps sessions renewable
        # without re-authentication; revocation then depends on the IdP.
        scopes = "openid email profile offline_access roles";
        email_attribute_path = "email";
        login_attribute_path = "preferred_username";
        name_attribute_path = "preferred_username";
        auth_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/auth";
        token_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/token";
        api_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/userinfo";
        use_refresh_token = true;
        # NOTE(review): use_pkce is not set; consider enabling it if the
        # Keycloak client permits PKCE.

        # Role mapping from the Keycloak client roles of "nekomesh":
        #   grafanaadmin -> GrafanaAdmin (server admin, enabled by
        #                   allow_assign_grafana_admin)
        #   admin        -> Admin
        #   editor       -> Editor
        #   anything else -> Viewer
        # Whoever can assign these client roles in Keycloak can therefore
        # grant Grafana server-admin rights.
        # NOTE(review): because the expression ends in `|| 'Viewer'` it always
        # yields a valid role, so role_attribute_strict never rejects a login.
        # Together with allow_sign_up, every account that can authenticate
        # against this client gets at least Viewer. Drop the fallback if
        # access should require an explicit role.
        allow_assign_grafana_admin = true;
        role_attribute_strict = true;
        role_attribute_path = "contains(resource_access.nekomesh.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.nekomesh.roles[*], 'admin') && 'Admin' || contains(resource_access.nekomesh.roles[*], 'editor') && 'Editor' || 'Viewer'";
      };
    };

    provision.datasources.settings.datasources = [
      {
        name = "Prometheus";
        type = "prometheus";
        # Plain HTTP over loopback, using the port of the Prometheus service
        # defined on this host; no datasource credentials are configured.
        url = "http://localhost:${builtins.toString promPort}";
        isDefault = true;
      }
    ];
  };
}