viola: upstream

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>

viola/services/grafana.nix

@@ -0,0 +1,137 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services = {
+    grafana = {
+      enable = true;
+      declarativePlugins = with pkgs.grafanaPlugins; [
+        grafana-lokiexplore-app
+        grafana-exploretraces-app
+        grafana-metricsdrilldown-app
+        grafana-pyroscope-app
+
+        redis-datasource
+        redis-explorer-app
+
+        volkovlabs-rss-datasource
+      ];
+
+      settings = {
+        log = {
+          level = "info";
+          mode = "console";
+        };
+
+        security = {
+          secret_key = config.sops.secrets."grafanaKey".path;
+        };
+
+        server = {
+          http_addr = "0.0.0.0";
+          http_port = 3030;
+          domain = "grafana.hand7s.org";
+          root_url = "https://grafana.hand7s.org";
+        };
+
+        "auth.generic_oauth" = {
+          enabled = true;
+          name = "Zitadel";
+          icon = "signin";
+          scopes = "openid profile email offline_access urn:zitadel:iam:org:project:id:zitadel:aud";
+          client_id = "";
+          client_secret = "";
+          auth_url = "https://zitadel.hand7s.org/oauth/v2/authorize";
+          token_url = "http://zitadel.hand7s.org:8443/oauth/v2/token";
+          api_url = "http://zitadel.hand7s.org:8443/oidc/v1/userinfo";
+          tls_skip_verify_insecure = true;
+          allow_assign_grafana_admin = true;
+          role_attribute_strict = true;
+          skip_org_role_sync = false;
+          use_pkce = true;
+
+          role_attribute_path = ''"urn:zitadel:iam:org:project:roles"."grafana-admin" && 'GrafanaAdmin' || 'Viewer' '';
+        };
+
+        "auth" = {
+          disable_login_form = true;
+          signout_redirect_url = "https://zitadel.hand7s.org/oidc/v1/end_session";
+        };
+      };
+
+      provision = {
+        enable = true;
+
+        datasources = {
+          settings = {
+            datasources =
+              [
+                {
+                  name = "Loki-LGTM";
+                  type = "loki";
+                  url = "http://127.0.0.1:3100";
+                  isDefault = false;
+                  jsonData = {
+                    derivedFields = [
+                      {
+                        name = "traceID";
+                        matcherRegex = "traceID=(\\w+)";
+                        url = "http://127.0.0.1:3200";
+                        datasourceUid = "tempo";
+                      }
+                    ];
+                  };
+                }
+
+                {
+                  name = "Mimir-LGTM";
+                  type = "prometheus";
+                  url = "http://127.0.0.1:9009/prometheus";
+                  isDefault = true;
+                }
+
+                {
+                  name = "Tempo-LGTM";
+                  type = "tempo";
+                  uid = "tempo";
+                  url = "http://127.0.0.1:3200";
+                  jsonData = {
+                    lokiSearch = {
+                      datasourceUid = "loki";
+                    };
+
+                    serviceMap = {
+                      datasourceUid = "mimir";
+                    };
+
+                    nodeGraph = {
+                      enabled = true;
+                    };
+                  };
+                }
+              ]
+              ++ lib.forEach [
+                "forgejo"
+                "loki"
+                "mimir"
+                "stalwart"
+                "traefik"
+                "zitadel"
+              ] (
+                name: {
+                  name = "Redis-${name}";
+                  type = "redis-datasource";
+                  url = "unix:/run/redis-${name}/redis.sock";
+                  secureJsonData = {
+                    password = name;
+                  };
+                }
+              );
+          };
+        };
+      };
+    };
+  };
+}