diff --git a/infra/mainnet/sops/eu.wallet-connect.json b/infra/mainnet/sops/eu.wallet-connect.json
index 95a12ced..f148135b 100644
--- a/infra/mainnet/sops/eu.wallet-connect.json
+++ b/infra/mainnet/sops/eu.wallet-connect.json
@@ -9,6 +9,9 @@
 "grafana_admin_password": "ENC[AES256_GCM,data:27gPWARQDRtdMwgISKGtD6TUv0W7TWrsPLs/IKdHZ6PlezvBxWKzGVFJJdwahQESaVcii9nj+taYamxMZWCPSA==,iv:lBnXym3EJtsXDjKMra3r7B9AAoaUtLhLC0URd/tuBek=,tag:TWy/8shCn98sun6R9rdb/g==,type:str]",
 "prometheus_grafana_password": "ENC[AES256_GCM,data:YocKppohrNVh9HbYGhX9okQL2q4KFnCDf2l1UFB2gyr8AyzxOAjN9QZcXg==,iv:y6DfGaziRCAi97t9KtBzKqEfJnD25FOMttDxHrGrHjg=,tag:K+gglppWq1O11GXfsJF4ZQ==,type:str]",
 "prometheus_grafana_password_hash": "ENC[AES256_GCM,data:H9ctM9vzAIylW3fvzXSN2K1UzOX3J/M+fMuUddCEvlXwl8LZrYz0gzZk00hDK9elJObTL16BGLb0OWQt,iv:mVee/8D0R+/4M9ayZdJkK64XYYWeMTpaSZC3UaWwuKk=,tag:5aK4f4mWwD2lsDZxQrmbXg==,type:str]",
+ "grafana_oauth_client_id_unencrypted": "476524165225-5iqrtgnqgdbbc39hnnqq71tqbvcn2k6e.apps.googleusercontent.com",
+ "grafana_oauth_client_secret": "ENC[AES256_GCM,data:BOl6iUOKV/xaCEVSOO3FYvClvAUfO7i+uIModTU9YIh6Pak=,iv:qvkRT9ZD+aMudZvVcjax7ySfPgHb9vIn/UI+gwCSEl0=,tag:tbL1H6VFLQHTjLbcve5bFA==,type:str]",
+ "grafana_oauth_allowed_domains_unencrypted": "walletconnect.com reown.com",
 "sops": {
 "kms": [
 {
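Review bot: `grafana_oauth_allowed_domains_unencrypted` is the allow-list that decides which Google domains may sign in to Grafana, and it is committed in plaintext here and again in `infra/testnet/sops/wallet-connect.json`. The Terraform side reads it from `local.encrypted_sops`, which by its name looks like the file parsed without decryption; if that is the case, the SOPS MAC is never checked for this value and code review is the only control on a change to it. Consider moving the allow-list into the module's Grafana configuration, or requiring designated reviewers for these sops files, so that an edit to this key is reviewed as an access-control change.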
@@ -18,8 +21,8 @@ "aws_profile": "" } ], - "lastmodified": "2025-12-24T10:17:54Z", - "mac": "ENC[AES256_GCM,data:Zv0ZPTvb3rLvww+mkrZKaCleu/rmTjykM9UGgea6tY8O9sPqbT083cRKnVgjdgh4/GkO+svOznxAwZSACbf4xVclcoFuczLmucHuqFTG0XphjLfXhoqQhrfXFOq7aqT8E2+mD55TMDh+C5CZ09CsXuIdKE9iCyIdeqY9xD5/yWA=,iv:jrw9wlcNHFoxPRhuaaU5TM90WsWiv778EsXNE0OpKv0=,tag:woN547QaxYaPVOtSYOzbEg==,type:str]", + "lastmodified": "2026-02-06T15:11:52Z", + "mac": "ENC[AES256_GCM,data:CsT992ykGSIxzQEwL5qILUVwqsykMGwdBozggAs3sCfxLSBhbhi2fS7ypjAhHPVo/9PqFRcYvh2r7Y9XKxlfHTKP9c/8XPkc0l2fh3RqDwzbzT2zspF79nn8rcK0UYETNEZYljJtNBmG0ZtMJViCrH5KcuqmDFhI18v+zP33eRY=,iv:nS55swpLhV32NMAY5AtiE8CCBpaRE8FbOFUF/obJKbo=,tag:kJFKMEngHjcI0gMyvJ/klA==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } diff --git a/infra/modules/node-operator/main.tf b/infra/modules/node-operator/main.tf index 55adeaf3..75cf2e15 100644 --- a/infra/modules/node-operator/main.tf +++ b/infra/modules/node-operator/main.tf @@ -100,7 +100,11 @@ module "secret" { source = "../secret" for_each = toset(concat( ["ecdsa_private_key", "ed25519_secret_key", "smart_contract_encryption_key", "rpc_provider_url"], - var.config.grafana == null ? [] : ["grafana_admin_password", "prometheus_grafana_password"], + var.config.grafana == null ? [] : [ + "grafana_admin_password", + "grafana_oauth_client_secret", + "prometheus_grafana_password" + ], )) name = "${var.config.name}-${each.key}" 
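Review bot: `grafana_oauth_client_secret` is now created for every config where `var.config.grafana` is non-null, so each such deployment's sops file has to define that key; this commit adds it only to the mainnet `eu.wallet-connect.json` and testnet `wallet-connect.json` files. If other operators' sops files exist outside this diff, their plan would presumably fail on the missing key. Either gate the OAuth secret on an explicit setting in `var.config.grafana`, or add a comment above the list such as `# every grafana-enabled config must define grafana_oauth_client_secret in its sops file`. The `module "secret"` block continues outside the hunk, so how the value is looked up is not visible here.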
@@ -370,13 +374,27 @@ module "grafana" { ] environment = { - GF_SERVER_HTTP_PORT = tostring(local.grafana_port) + GF_SERVER_HTTP_PORT = tostring(local.grafana_port) + GF_SERVER_DOMAIN = local.grafana_domain_name + GF_SERVER_ROOT_URL = "https://${local.grafana_domain_name}/" + GF_PATHS_DATA = "/data" GF_SECURITY_ADMIN_USER = "admin" + + GF_AUTH_GOOGLE_ENABLED = "true" + GF_AUTH_GOOGLE_ALLOW_SIGN_UP = "true" + GF_AUTH_GOOGLE_CLIENT_ID = local.encrypted_sops.grafana_oauth_client_id_unencrypted + GF_AUTH_GOOGLE_SCOPES = "openid email profile" + GF_AUTH_GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth" + GF_AUTH_GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token" + GF_AUTH_GOOGLE_API_URL = "https://openidconnect.googleapis.com/v1/userinfo" + GF_AUTH_GOOGLE_ALLOWED_DOMAINS = local.encrypted_sops.grafana_oauth_allowed_domains_unencrypted + GF_AUTH_GOOGLE_USE_PKCE = "true" } secrets = { GF_SECURITY_ADMIN_PASSWORD = module.secret["grafana_admin_password"] + GF_AUTH_GOOGLE_CLIENT_SECRET = module.secret["grafana_oauth_client_secret"] PROMETHEUS_DATASOURCE_CONFIG = module.grafana_prometheus_datasource_config[0] } diff --git a/infra/testnet/sops/wallet-connect.json b/infra/testnet/sops/wallet-connect.json index bc939de0..8868ca62 100644 --- a/infra/testnet/sops/wallet-connect.json +++ b/infra/testnet/sops/wallet-connect.json 
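Review bot: `GF_AUTH_GOOGLE_ALLOW_SIGN_UP = "true"` provisions a Grafana account for any Google identity in the allowed domains on first login, and the `environment` map does not pin the role those accounts receive. State it explicitly with `GF_USERS_AUTO_ASSIGN_ORG_ROLE = "Viewer"` so the grant does not depend on the image default. The password login for `admin` stays enabled next to Google sign-in; if it is kept only as a break-glass path, say so in a comment above `GF_SECURITY_ADMIN_USER`, for example `# local admin is break-glass only; day-to-day access goes through Google OAuth`. Google auth is also switched on for every deployment that has Grafana enabled, with no per-config opt-out visible in this hunk. The `module "grafana"` block starts and ends outside the hunk.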
@@ -9,6 +9,9 @@
 "grafana_admin_password": "ENC[AES256_GCM,data:vjHieWD40PMIvONwSEdOoerD+1fDCAZAMcFV9cq9nkgXhPaROCIOi0euyIfyHTgKJ4sfyDU9+jYeh+tb2ZmNNQ==,iv:mvPJn4DO8JV1uewKf5mTPDtVhaMMNYURKgR06q67hNs=,tag:ljnUvAoM78Jm6akRQ7KHrQ==,type:str]",
 "prometheus_grafana_password": "ENC[AES256_GCM,data:nkxgVBRxusitxXUpofS4BrAverei0jDK1H5XRQVgQFVw9b+4N73j/x7SKw==,iv:w2MkO2yztke63WMl3xH5b+o3ug1txk8CPnpoungHVm0=,tag:Q6BnRSP+wr4+sZU5Pvp1XA==,type:str]",
 "prometheus_grafana_password_hash": "ENC[AES256_GCM,data:TwF3JW99an38Vj2kaXwNMu9QqnmWQiGWgnD1ZTRsWMUGz8d77tCXe1YFEKha86fXt60/1YvoM2wChzZs,iv:/bqBIIBLMfrpbYl8Enwqm2NaoUHi2Ic5p3tlh9gDJKg=,tag:I8s1hEDwEyuD2vwt9YqvPg==,type:str]",
+ "grafana_oauth_client_id_unencrypted": "476524165225-0cfbc0cma6lc7buajv5b1tls222uhtok.apps.googleusercontent.com",
+ "grafana_oauth_client_secret": "ENC[AES256_GCM,data:4U1i0OkfDhQ3dr+Y/ycuk3FweAGRc7XjsYuc1Lf5LngYgb8=,iv:p/CDnZUYN7vx1poUntQJ20p5wsr7UTLihujHsoqhcDw=,tag:Rk/eS1KGN/KiTj9t8oHywA==,type:str]",
+ "grafana_oauth_allowed_domains_unencrypted": "walletconnect.com reown.com",
 "sops": {
 "kms": [
 {
@@ -18,8 +21,8 @@
 "aws_profile": ""
 }
 ],
- "lastmodified": "2025-12-19T16:05:06Z",
- "mac": "ENC[AES256_GCM,data:3cmZO4b7ZUXjfqWdHMfvAMh+0F22kASNw1wKnKpjBe/lzB43eSUkfpA6EtUWBBEAjc9DOZwBKLbsKTGwmfiicp8Sribx+GZof3aPio1UJYhWQG9ugcUUWsttfhwrsJ9m/fuXd+ilF3W5e5J23AlYpRs3myMGNQTMzhyBXbaJCiY=,iv:2sEofcf7cdKJCi+QYRuto/5yUpFAqdY7eKeYLL/9NbE=,tag:gwZHkcoVM2LKMhWSDiXN9g==,type:str]",
+ "lastmodified": "2026-02-06T15:10:52Z",
+ "mac": "ENC[AES256_GCM,data:BQcHbobLwJ7ue8oyKZJZeirNlQuG8Inkm6qhDBvqsytbSSvAr8zkI3P/91oj1dJ1qBHTTX/7qwwrfmWeMGUgyBBryyFIhqAprOw2SYnjn2u1uDhYpKLBdQErSRQ/11XGioFdwVydDEzPhtNkyVCl385B7fWHxLmwcxKubQMg/a0=,iv:ivj2ytx2SbXX0vU4TwNjD2tgqEWW9/tMQpQVVLXje2E=,tag:+LZQ3DN22EOAyeHqv8czeA==,type:str]",
 "unencrypted_suffix": "_unencrypted",
 "version": "3.10.2"
 }