grafana-kanidm-oidc #35

Merged
torjus merged 2 commits from grafana-kanidm-oidc into master 2026-02-08 19:30:20 +00:00

Summary

Deploy Grafana on monitoring02 with Kanidm OIDC authentication as a test instance (grafana-test.home.2rjus.net).

Changes

New service module (services/grafana/):

  • Grafana with Kanidm OIDC authentication
  • PKCE enabled (required by Kanidm)
  • Role mapping: admins group → Admin, others → Viewer
  • Declarative datasources for Prometheus and Loki on monitoring01
  • Local Caddy for TLS termination via internal ACME CA

Kanidm OAuth2 client (services/kanidm/):

  • OAuth2 client grafana with scope maps for users group
  • Vault secret for client secret

Terraform:

  • New secret: services/grafana/oauth2-client-secret
  • AppRole policies for kanidm01 and monitoring02

monitoring02 host:

  • Import grafana service
  • DNS CNAME grafana-test

Documentation updates:

  • docs/plans/auth-system-replacement.md - OAuth2 client marked complete, key findings documented
  • docs/plans/monitoring-migration-victoriametrics.md - Grafana progress noted
  • docs/user-management.md - OAuth2/OIDC login requirements (email, users group, primary credential)

Key Findings

  • Kanidm enforces PKCE - Grafana must set use_pkce = true
  • Grafana needs explicit attribute paths: email_attribute_path, login_attribute_path, name_attribute_path
  • Users require: primary credential (password + TOTP), users group membership, email address
  • Unix password ≠ primary credential (separate auth mechanisms)

Testing

  1. Apply Terraform: nix develop -c tofu -chdir=terraform/vault apply
  2. Deploy kanidm01 and monitoring02
  3. Visit https://grafana-test.home.2rjus.net/
  4. Click "Sign in with Kanidm"
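The findings above map onto a handful of Grafana settings. What follows is an added illustration of those settings as a NixOS fragment, not the `services/grafana/` module from this PR; the Kanidm host (`KANIDM_HOST`), the secret file path and the group value used in `role_attribute_path` are placeholders or assumptions.

```nix
# Added example, not the repo's module. KANIDM_HOST, the secret path and the
# group value in role_attribute_path are placeholders/assumptions.
{ config, ... }:
{
  services.grafana = {
    enable = true;
    settings = {
      server.root_url = "https://grafana-test.home.2rjus.net/";
      "auth.generic_oauth" = {
        enabled = true;
        name = "Kanidm";
        client_id = "grafana";
        # Client secret is delivered out of band (Vault in this PR) and read
        # from a file so it never ends up in the world-readable Nix store.
        client_secret = "$__file{/run/secrets/grafana-oauth2-client-secret}";
        scopes = "openid profile email groups";
        # Kanidm OAuth2/OIDC endpoints for a client named "grafana".
        auth_url = "https://KANIDM_HOST/ui/oauth2";
        token_url = "https://KANIDM_HOST/oauth2/token";
        api_url = "https://KANIDM_HOST/oauth2/openid/grafana/userinfo";
        # Kanidm rejects authorization requests that carry no PKCE challenge.
        use_pkce = true;
        # Grafana does not infer these claim paths for Kanidm; set them explicitly.
        email_attribute_path = "email";
        login_attribute_path = "preferred_username";
        name_attribute_path = "name";
        # admins -> Admin, everyone else -> Viewer. How a group appears in the
        # groups claim depends on the Kanidm client settings; the value below
        # is an assumed SPN, not something this PR states.
        role_attribute_path = "contains(groups[*], 'admins@KANIDM_HOST') && 'Admin' || 'Viewer'";
        # If the expression yields no role (e.g. groups claim missing), deny
        # login instead of silently handing out a default role.
        role_attribute_strict = true;
        allow_sign_up = true;
      };
    };
  };
}
```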
torjus added 2 commits 2026-02-08 19:29:15 +00:00
grafana: add Grafana on monitoring02 with Kanidm OIDC
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m3s
030e8518c5
Deploy Grafana test instance on monitoring02 with:
- Kanidm OIDC authentication (admins -> Admin role, others -> Viewer)
- PKCE enabled for secure OAuth2 flow (required by Kanidm)
- Declarative datasources for Prometheus and Loki on monitoring01
- Local Caddy for TLS termination via internal ACME CA
- DNS CNAME grafana-test.home.2rjus.net

Terraform changes add OAuth2 client secret and AppRole policies for
kanidm01 and monitoring02.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: update plans with Grafana OIDC progress
Some checks failed
Run nix flake check / flake-check (pull_request) Successful in 2m7s
Run nix flake check / flake-check (push) Failing after 16m31s
02270a0e4a
- auth-system-replacement.md: Mark OAuth2 client (Grafana) as completed,
  document key findings (PKCE, attribute paths, user requirements)
- monitoring-migration-victoriametrics.md: Note Grafana deployment on
  monitoring02 with Kanidm OIDC as test instance

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
torjus merged commit 304cb117ce into master 2026-02-08 19:30:20 +00:00
torjus deleted branch grafana-kanidm-oidc 2026-02-08 19:30:20 +00:00
Reference: torjus/nixos-servers#35