From 4e2b4ecec825ac88b122d0885774ebc5e53028ad Mon Sep 17 00:00:00 2001
From: Mathieu Strypsteen
Date: Mon, 2 Dec 2024 10:37:50 +0100
Subject: [PATCH] Configure Grafana OAuth
---
 container-config/synapse/homeserver.yaml | 2 +-
 infra/etc/containers/systemd/grafana.container | 9 +++++++++
 laptop/var/usrlocal/bin/enter-sandbox | 1 +
 vps/etc/hostname | 2 +-
 4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/container-config/synapse/homeserver.yaml b/container-config/synapse/homeserver.yaml
index 880b37e..85f19ea 100644
--- a/container-config/synapse/homeserver.yaml
+++ b/container-config/synapse/homeserver.yaml
@@ -1,4 +1,5 @@
 server_name: strypsteen.me
+public_baseurl: https://matrix.strypsteen.com/
 report_stats: false
 log_config: /etc/synapse/log_config.yaml
 signing_key_path: /data/signing.key
@@ -17,4 +18,3 @@ turn_uris: ['turn:turn.strypsteen.com']
 turn_allow_guests: false
 delete_stale_devices_after: 1y
 max_upload_size: 500M
-enable_authenticated_media: true
diff --git a/infra/etc/containers/systemd/grafana.container b/infra/etc/containers/systemd/grafana.container
index fae33a0..bb717a8 100644
--- a/infra/etc/containers/systemd/grafana.container
+++ b/infra/etc/containers/systemd/grafana.container
@@ -4,6 +4,14 @@ Network=nginx.network
 Volume=grafana.volume:/var/lib/grafana:U,Z
 Environment=GF_ANALYTICS_REPORTING_ENABLED=false
 Environment=GF_AUTH_DISABLE_LOGIN_FORM=true
+Environment=GF_AUTH_GENERIC_OAUTH_ENABLED=true
+Environment=GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
+Environment=GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://auth.strypsteen.com/realms/master/protocol/openid-connect/auth
+Environment=GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://auth.strypsteen.com/realms/master/protocol/openid-connect/token
+Environment=GF_AUTH_GENERIC_OAUTH_SCOPES=email,openid,profile
+Environment=GF_AUTH_GENERIC_OAUTH_SKIP_ORG_ROLE_SYNC=true
+Environment=GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN=true
+Environment=GF_AUTH_GENERIC_OAUTH_USE_PKCE=true
 Environment=GF_DATABASE_WAL=true
 Environment=GF_LOG_LEVEL=warn
 Environment=GF_SERVER_ROOT_URL=https://monitoring.strypsteen.com
@@ -11,6 +19,7 @@ Environment=GF_SMTP_ENABLED=true
 Environment=GF_SMTP_HOST=vps.strypsteen.com:465
 Environment=GF_SMTP_USER=monitoring
 Environment=GF_SMTP_FROM_ADDRESS=monitoring@strypsteen.me
+Secret=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET,type=env
 Secret=GF_SMTP_PASSWORD,type=env
 AutoUpdate=registry
 [Install]
diff --git a/laptop/var/usrlocal/bin/enter-sandbox b/laptop/var/usrlocal/bin/enter-sandbox
index bfbcee7..b94adbd 100755
--- a/laptop/var/usrlocal/bin/enter-sandbox
+++ b/laptop/var/usrlocal/bin/enter-sandbox
@@ -1,3 +1,4 @@
 #!/bin/sh
 set -e
+systemctl --user start sandboxed-toolbox
 podman exec -it -e TERM=xterm-256color systemd-sandboxed-toolbox machinectl shell mathieu@
diff --git a/vps/etc/hostname b/vps/etc/hostname
index 62f9e00..00be796 100644
--- a/vps/etc/hostname
+++ b/vps/etc/hostname
@@ -1 +1 @@
-vps.strypsteen.com
+vps
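Review bot: In `infra/etc/containers/systemd/grafana.container`, hunk `@@ -4,6 +4,14 @@`, the new generic-OAuth settings do not restrict who may sign in: nothing sets `GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP`, an allowed-groups filter or a role mapping, and `SKIP_ORG_ROLE_SYNC=true` leaves role assignment to Grafana's own defaults. Unless the Keycloak client itself limits access, every account that can authenticate against the `master` realm (the realm that normally holds Keycloak's administrative accounts) would, by Grafana's default sign-up behaviour, be provisioned on first login. Consider adding `Environment=GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=false` with pre-created users, or a group restriction, and moving the client to a dedicated realm. With `GF_AUTH_DISABLE_LOGIN_FORM=true` and `AUTO_LOGIN=true` together there is also no local fallback when auth.strypsteen.com is unreachable. The `[Container]` section starts above the hunk.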
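Review bot: In `infra/etc/containers/systemd/grafana.container`, hunk `@@ -11,6 +19,7 @@`, `Secret=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET,type=env` puts the OAuth client secret into the container's process environment, where it is readable through `/proc/<pid>/environ` and inherited by child processes. The official Grafana image accepts a `__FILE` variant of its settings, so a mounted secret keeps the value out of the environment: `Secret=grafana_oauth_client_secret,type=mount` with `Environment=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET__FILE=/run/secrets/grafana_oauth_client_secret` (the secret name is a placeholder). The existing `GF_SMTP_PASSWORD` line uses the same env pattern and could be moved the same way. The `Image=` line is outside the hunk, so confirm that the image in use honours `__FILE` before switching.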