diff options
| author | Joscha <joscha@plugh.de> | 2023-06-20 22:24:29 +0200 |
|---|---|---|
| committer | Joscha <joscha@plugh.de> | 2023-06-20 23:19:45 +0200 |
| commit | daa75a40939b039bd7af566ca6320d57f663948a (patch) | |
| tree | f65fdbc11ba525e0f300c7c922bf673b0731501e | |
| parent | 8407b20a4e732c3f1d28d2a9524641e3899e06b8 (diff) | |
| download | nixpkgs-daa75a40939b039bd7af566ca6320d57f663948a.tar nixpkgs-daa75a40939b039bd7af566ca6320d57f663948a.tar.gz nixpkgs-daa75a40939b039bd7af566ca6320d57f663948a.tar.bz2 nixpkgs-daa75a40939b039bd7af566ca6320d57f663948a.tar.lz nixpkgs-daa75a40939b039bd7af566ca6320d57f663948a.tar.xz nixpkgs-daa75a40939b039bd7af566ca6320d57f663948a.tar.zst nixpkgs-daa75a40939b039bd7af566ca6320d57f663948a.zip | |
nixos/grafana: Fix and adjust config options
| -rw-r--r-- | nixos/modules/services/monitoring/grafana.nix | 99 |
1 files changed, 73 insertions, 26 deletions
diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 1786b09e28a..c54b65057ab 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -10,7 +10,26 @@ let useMysql = cfg.settings.database.type == "mysql"; usePostgresql = cfg.settings.database.type == "postgres"; - settingsFormatIni = pkgs.formats.ini { }; + # Prefer using the values from the default config file[0] directly. This way, + # people reading the NixOS manual can see them without cross-referencing the + # official documentation. + # + # However, if there is no default entry or if the setting is optional, use + # `null` as the default value. It will be turned into the empty string. + # + # If a setting is a list, always allow setting it as a plain string as well. + # + # [0]: https://github.com/grafana/grafana/blob/main/conf/defaults.ini + settingsFormatIni = pkgs.formats.ini { + listToValue = concatMapStringsSep " " (generators.mkValueStringDefault { }); + mkKeyValue = generators.mkKeyValueDefault + { + mkValueString = v: + if v == null then "" + else generators.mkValueStringDefault { } v; + } + "="; + }; configFile = settingsFormatIni.generate "config.ini" cfg.settings; mkProvisionCfg = name: attr: provisionCfg: @@ -405,7 +424,6 @@ in This setting is also important if you have a reverse proxy in front of Grafana that exposes it through a subpath. In that case add the subpath to the end of this URL setting. ''; - # https://github.com/grafana/grafana/blob/cb7e18938b8eb6860a64b91aaba13a7eb31bc95b/conf/defaults.ini#L54 default = "%(protocol)s://%(domain)s:%(http_port)s/"; type = types.str; }; @@ -453,16 +471,16 @@ in description = lib.mdDoc '' Path to the certificate file (if `protocol` is set to `https` or `h2`). ''; - default = ""; - type = types.str; + default = null; + type = types.nullOr types.str; }; cert_key = mkOption { description = lib.mdDoc '' Path to the certificate key file (if `protocol` is set to `https` or `h2`). ''; - default = ""; - type = types.str; + default = null; + type = types.nullOr types.str; }; socket_gid = mkOption { @@ -505,8 +523,8 @@ in For example, given a cdn url like `https://cdn.myserver.com` grafana will try to load a javascript file from `http://cdn.myserver.com/grafana-oss/7.4.0/public/build/app.<hash>.js`. ''; - default = ""; - type = types.str; + default = null; + type = types.nullOr types.str; }; read_timeout = mkOption { @@ -572,7 +590,7 @@ in max_open_conn = mkOption { description = lib.mdDoc "The maximum number of open connections to the database."; - default = 0; # https://github.com/grafana/grafana/blob/cb7e18938b8eb6860a64b91aaba13a7eb31bc95b/conf/defaults.ini#L123-L124 + default = 0; type = types.int; }; @@ -606,7 +624,7 @@ in For Postgres, use either `disable`, `require` or `verify-full`. For MySQL, use either `true`, `false`, or `skip-verify`. ''; - default = "disable"; # https://github.com/grafana/grafana/blob/cb7e18938b8eb6860a64b91aaba13a7eb31bc95b/conf/defaults.ini#L134 + default = "disable"; type = types.enum [ "disable" "require" "verify-full" "true" "false" "skip-verify" ]; }; @@ -621,20 +639,20 @@ in ca_cert_path = mkOption { description = lib.mdDoc "The path to the CA certificate to use."; - default = ""; - type = types.str; + default = null; + type = types.nullOr types.str; }; client_key_path = mkOption { description = lib.mdDoc "The path to the client key. Only if server requires client authentication."; - default = ""; - type = types.str; + default = null; + type = types.nullOr types.str; }; client_cert_path = mkOption { description = lib.mdDoc "The path to the client cert. Only if server requires client authentication."; - default = ""; - type = types.str; + default = null; + type = types.nullOr types.str; }; server_cert_name = mkOption { @@ -642,8 +660,8 @@ in The common name field of the certificate used by the `mysql` or `postgres` server. Not necessary if `ssl_mode` is set to `skip-verify`. ''; - default = ""; - type = types.str; + default = null; + type = types.nullOr types.str; }; path = mkOption { @@ -751,8 +769,8 @@ in Format: `ip_or_domain:port` separated by spaces. PostgreSQL, MySQL, and MSSQL data sources do not use the proxy and are therefore unaffected by this setting. ''; - default = ""; - type = types.str; + default = [ ]; + type = types.oneOf [ types.str (types.listOf types.str) ]; }; disable_brute_force_login_protection = mkOption { @@ -870,6 +888,27 @@ in # how exactly the quoting of the default value works. See also # https://github.com/grafana/grafana/blob/cb7e18938b8eb6860a64b91aaba13a7eb31bc95b/conf/defaults.ini#L364 # https://github.com/grafana/grafana/blob/cb7e18938b8eb6860a64b91aaba13a7eb31bc95b/conf/defaults.ini#L373 + + # These two options are lists joined with spaces: + # https://github.com/grafana/grafana/blob/916d9793aa81c2990640b55a15dee0db6b525e41/pkg/middleware/csrf/csrf.go#L37-L38 + + csrf_trusted_origins = mkOption { + description = lib.mdDoc '' + List of additional allowed URLs to pass by the CSRF check. + Suggested when authentication comes from an IdP. + ''; + default = [ ]; + type = types.oneOf [ types.str (types.listOf types.str) ]; + }; + + csrf_additional_headers = mkOption { + description = lib.mdDoc '' + List of allowed headers to be set by the user. + Suggested to use for if authentication lives behind reverse proxies. + ''; + default = [ ]; + type = types.oneOf [ types.str (types.listOf types.str) ]; + }; }; smtp = { @@ -887,8 +926,8 @@ in user = mkOption { description = lib.mdDoc "User used for authentication."; - default = ""; - type = types.str; + default = null; + type = types.nullOr types.str; }; password = mkOption { @@ -905,14 +944,14 @@ in cert_file = mkOption { description = lib.mdDoc "File path to a cert file."; - default = ""; - type = types.str; + default = null; + type = types.nullOr types.str; }; key_file = mkOption { description = lib.mdDoc "File path to a key file."; - default = ""; - type = types.str; + default = null; + type = types.nullOr types.str; }; skip_verify = mkOption { @@ -933,6 +972,12 @@ in type = types.str; }; + ehlo_identity = mkOption { + description = lib.mdDoc "Name to be used as client identity for EHLO in SMTP dialog."; + default = null; + type = types.nullOr types.str; + }; + startTLS_policy = mkOption { description = lib.mdDoc "StartTLS policy when connecting to server."; default = null; @@ -1050,6 +1095,8 @@ in type = types.str; }; + # Lists are joined via space, so this option can't be a list. + # Users have to manually join their values. hidden_users = mkOption { description = lib.mdDoc '' This is a comma-separated list of usernames. |