From e4257215bf2e50232a0f91ab424a083e392c308b Mon Sep 17 00:00:00 2001
From: Peter Esselius
Date: Fri, 12 Jul 2024 23:38:16 +0200
Subject: [PATCH] refactor profiles

---
 nixos-configurations/adama.nix | 17 ++++-----
 nixos-modules/profiles/auth.nix | 3 ++
 nixos-modules/profiles/monitoring.nix | 55 +++++++++++++++------------
 tests/monitoring-auth.nix | 17 ++++-----
 4 files changed, 49 insertions(+), 43 deletions(-)

diff --git a/nixos-configurations/adama.nix b/nixos-configurations/adama.nix
index 54c6116..40816f2 100644
--- a/nixos-configurations/adama.nix
+++ b/nixos-configurations/adama.nix
@@ -70,15 +70,14 @@
 }];
 profiles.monitoring = {
 enable = true;
- grafana = {
- domain = "adama";
- oauth = {
- client_id_file = builtins.toFile "grafana-client-id" "grafana";
- client_secret_file = builtins.toFile "grafana-client-secret" "secret";
- auth_url = "http://adama:9000/application/o/authorize/";
- token_url = "http://adama:9000/application/o/token/";
- api_url = "http://adama:9000/application/o/userinfo/";
- };
+ domain = "adama";
+ oauth = {
+ name = "Authentik";
+ client_id_file = builtins.toFile "grafana-client-id" "grafana";
+ client_secret_file = builtins.toFile "grafana-client-secret" "secret";
+ auth_url = "http://adama:9000/application/o/authorize/";
+ token_url = "http://adama:9000/application/o/token/";
+ api_url = "http://adama:9000/application/o/userinfo/";
 };
 };
 }
diff --git a/nixos-modules/profiles/auth.nix b/nixos-modules/profiles/auth.nix
index 3f8453e..0aa5871 100644
--- a/nixos-modules/profiles/auth.nix
+++ b/nixos-modules/profiles/auth.nix
@@ -8,6 +8,9 @@ in
 options = {
 profiles.auth = {
 enable = mkEnableOption "auth";
+ domain = mkOption {
+ type = types.str;
+ };
 listen_http = mkOption {
 type = types.str;
 default = "0.0.0.0:9000";
diff --git a/nixos-modules/profiles/monitoring.nix b/nixos-modules/profiles/monitoring.nix
index a27324a..c313777 100644
--- a/nixos-modules/profiles/monitoring.nix
+++ b/nixos-modules/profiles/monitoring.nix
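Review bot: The new `client_secret_file = builtins.toFile "grafana-client-secret" "secret";` line still materialises the OAuth client secret as a Nix store file, and the store is world-readable on the host (and may be pushed to binary caches), so the `$__file{…}` indirection that monitoring.nix uses for `client_secret` gains nothing here. Even if the current value is a placeholder, the host configuration should point `client_secret_file` at a root-owned file provisioned outside the store and readable by the grafana service user, keeping only the path in this file; the `client_id_file` line is less sensitive but the same mechanism applies. The module could also reject store paths outright with an assertion on `lib.hasPrefix builtins.storeDir` for `client_secret_file`, so that this mistake fails at evaluation time rather than silently. The trailing `};` lines suggest the enclosing attribute set continues outside the hunk.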
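Review bot: The new `domain` option in profiles.auth has no `description` and nothing in this hunk reads it; presumably a consumer elsewhere in the module is meant to use it, but that part is not in this patch, so it currently looks like a dead option. Add a one-line `description = "…";` stating what the value is used for, and decide whether a `default` is wanted, since with `types.str` and no default any reference to the option will fail evaluation on a host that enables `profiles.auth` without setting it. The `options` attribute set continues outside the hunk.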
@@ -7,26 +7,31 @@ in
 {
 options.profiles.monitoring = {
 enable = mkEnableOption "Enable Grafana";
- grafana = {
- domain = mkOption {
+ domain = mkOption {
+ type = types.str;
+ };
+ root_url = mkOption {
+ type = types.str;
+ default = "%(protocol)s://%(domain)s:%(http_port)s/";
+ };
+ oauth = {
+ name = mkOption {
 type = types.str;
 };
- oauth = {
- auth_url = mkOption {
- type = types.str;
- };
- token_url = mkOption {
- type = types.str;
- };
- api_url = mkOption {
- type = types.str;
- };
- client_id_file = mkOption {
- type = types.path;
- };
- client_secret_file = mkOption {
- type = types.path;
- };
+ auth_url = mkOption {
+ type = types.str;
+ };
+ token_url = mkOption {
+ type = types.str;
+ };
+ api_url = mkOption {
+ type = types.str;
+ };
+ client_id_file = mkOption {
+ type = types.path;
+ };
+ client_secret_file = mkOption {
+ type = types.path;
 };
 };
 };
@@ -35,19 +40,19 @@ in
 enable = true;
 settings = {
 server = {
- domain = cfg.grafana.domain;
+ inherit (cfg) domain root_url;
 http_port = 3000;
 http_addr = "0.0.0.0";
 };
 "auth.generic_oauth" = {
 enabled = true;
- name = "Authentik";
- client_id = "$__file{${cfg.grafana.oauth.client_id_file}}";
- client_secret = "$__file{${cfg.grafana.oauth.client_secret_file}}";
+ name = cfg.oauth.name;
+ client_id = "$__file{${cfg.oauth.client_id_file}}";
+ client_secret = "$__file{${cfg.oauth.client_secret_file}}";
 scopes = "openid email profile offline_access";
- auth_url = cfg.grafana.oauth.auth_url;
- token_url = cfg.grafana.oauth.token_url;
- api_url = cfg.grafana.oauth.api_url;
+ auth_url = cfg.oauth.auth_url;
+ token_url = cfg.oauth.token_url;
+ api_url = cfg.oauth.api_url;
 tls_skip_verify_insecure = true;
 allow_assign_grafana_admin = true;
 role_attribute_path = "contains(groups[*], 'Grafana Admin') && 'GrafanaAdmin' || 'Viewer'";
diff --git a/tests/monitoring-auth.nix b/tests/monitoring-auth.nix
index 2b48259..e1692dc 100644
--- a/tests/monitoring-auth.nix
+++ b/tests/monitoring-auth.nix
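Review bot: None of the options introduced here (`domain`, `root_url`, `oauth.name`, and the re-homed `oauth.*` entries) carries a `description`, so the refactor leaves the module interface undocumented exactly where it is easiest to misconfigure. `root_url` deserves one most: Grafana derives the generic OAuth callback from it, so a value that does not match the redirect URI registered at the identity provider breaks login, e.g. `description = "Grafana root_url; the OAuth redirect URI registered at the identity provider must be derived from this value.";`. The move from `grafana.domain`/`grafana.oauth.*` to top-level `domain`/`oauth.*` is a breaking rename for any consumer outside this repository; `imports = [ (mkRenamedOptionModule [ "profiles" "monitoring" "grafana" "domain" ] [ "profiles" "monitoring" "domain" ]) ];` plus matching entries for the `oauth` options would keep old configurations evaluating. `oauth.name` also replaces a hard-coded `"Authentik"` in the second hunk without a default, so every existing consumer must now set it; `default = "Authentik";` on the option would preserve the previous behaviour.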
@@ -71,15 +71,14 @@
 }];
 profiles.monitoring = {
 enable = true;
- grafana = {
- domain = "localhost";
- oauth = {
- client_id_file = builtins.toFile "grafana-client-id" "grafana";
- client_secret_file = builtins.toFile "grafana-client-secret" "secret";
- auth_url = "http://127.0.0.1:9000/application/o/authorize/";
- token_url = "http://127.0.0.1:9000/application/o/token/";
- api_url = "http://127.0.0.1:9000/application/o/userinfo/";
- };
+ domain = "localhost";
+ oauth = {
+ name = "Authentik";
+ client_id_file = builtins.toFile "grafana-client-id" "grafana";
+ client_secret_file = builtins.toFile "grafana-client-secret" "secret";
+ auth_url = "http://127.0.0.1:9000/application/o/authorize/";
+ token_url = "http://127.0.0.1:9000/application/o/token/";
+ api_url = "http://127.0.0.1:9000/application/o/userinfo/";
 };
 };
 };