From c656edeaf75080da46ace5fc6fc6637670c1e1fc Mon Sep 17 00:00:00 2001
From: Dan Hamik
Date: Wed, 17 Jan 2024 01:17:30 -0600
Subject: [PATCH] switch to docker-compose env for oauth configuration, verified admin role maps properly
---
 .env.example | 13 +++++++++++++
 Grafana/grafana.ini | 15 ---------------
 docker-compose.yml | 31 +++++++++++++++++++++++++++++++
 3 files changed, 44 insertions(+), 15 deletions(-)
 create mode 100644 .env.example
 delete mode 100644 Grafana/grafana.ini
 create mode 100644 docker-compose.yml
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..60185dc
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,13 @@
+GF_AUTH_GENERIC_OAUTH_ENABLED=true
+GF_AUTH_GENERIC_OAUTH_NAME=authentik
+GF_AUTH_GENERIC_OAUTH_CLIENT_ID=CLIENT_ID_GOES_HERE
+GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=CLIENT_SECRET_GOES_HERE
+GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email
+GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://auth.example.net/application/o/authorize/
+GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://auth.example.net/application/o/token/
+GF_AUTH_GENERIC_OAUTH_API_URL=https://auth.example.net/application/o/userinfo/
+GF_AUTH_SIGNOUT_REDIRECT_URL=https:///auth.example.net/application/o/grafana/end-session/
+# Optionally enable auto-login (bypasses Grafana login screen)
+GF_AUTH_OAUTH_AUTO_LOGIN=true
+# Optionally map user groups to Grafana roles
+GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(groups, 'grafanaadmin') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'
diff --git a/Grafana/grafana.ini b/Grafana/grafana.ini
deleted file mode 100644
index fb6562c..0000000
--- a/Grafana/grafana.ini
+++ /dev/null
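Review bot: `GF_AUTH_SIGNOUT_REDIRECT_URL=https:///auth.example.net/application/o/grafana/end-session/` has three slashes after the scheme, so the authority part is empty and the sign-out redirect points at a broken URL; it should read `GF_AUTH_SIGNOUT_REDIRECT_URL=https://auth.example.net/application/o/grafana/end-session/`. The `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH` expression on the last line grants Admin from a `groups` claim, but the requested scopes `openid profile email` do not ask for one, so it only works if the IdP emits `groups` in the userinfo/ID token by its own configuration; a comment such as `# requires the IdP to include a 'groups' claim in the userinfo response` next to it would make that dependency explicit. Because that value contains spaces, single quotes and `&&`/`||`, it is worth confirming with `docker compose config` that `.env` parsing hands it to Grafana unchanged. `GF_AUTH_OAUTH_AUTO_LOGIN=true` makes the IdP the only interactive login path, so the comment above it should also say that a working local admin credential must be kept for recovery if the IdP or the group mapping breaks.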
@@ -1,15 +0,0 @@
-[auth]
-oauth_auto_login = true
-;#################################### Generic OAuth ##########################
-
-[auth.generic_oauth]
-enabled = true
-name = Authentik
-allow_sign_up = true
-client_id = CLIENT_ID_RANDOM_STRING
-client_secret = CLIENT_SECRET_RANDOM_STRING
-scopes = openid,email,read:org
-auth_url = https://auth.hamik.net/application/o/authorize/
-token_url = https://auth.hamik.net/application/o/token/
-api_url = https://auth.hamik.net/application/o/userinfo/
-skip_org_role_sync=true
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..48889ae
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,31 @@
+version: '3'
+services:
+ grafana:
+ container_name: grafana
+ hostname: grafana
+ image: grafana/grafana
+ logging:
+ options:
+ max-size: "10m"
+ max-file: "3"
+ restart: always
+ volumes:
+ - ./grafana/var/lib/grafana:/var/lib/grafana
+ - ./grafana/etc/grafana/grafana.ini:/etc/grafana/grafana.ini
+ ports:
+ - "5000:3000"
+ environment:
+ # - INSTALL_PLUGINS="digrich-bubblechart-panel"
+ - GF_SERVER_DOMAIN="ststats.hamik.net"
+ - GF_SERVER_ROOT_URL=https://ststats.hamik.net
+ - GF_AUTH_GENERIC_OAUTH_ENABLED=${GF_AUTH_GENERIC_OAUTH_ENABLED}
+ - GF_AUTH_GENERIC_OAUTH_NAME=${GF_AUTH_GENERIC_OAUTH_NAME}
+ - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=${GF_AUTH_GENERIC_OAUTH_CLIENT_ID}
+ - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
+ - GF_AUTH_GENERIC_OAUTH_SCOPES=${GF_AUTH_GENERIC_OAUTH_SCOPES}
+ - GF_AUTH_GENERIC_OAUTH_AUTH_URL=${GF_AUTH_GENERIC_OAUTH_AUTH_URL}
+ - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=${GF_AUTH_GENERIC_OAUTH_TOKEN_URL}
+ - GF_AUTH_GENERIC_OAUTH_API_URL=${GF_AUTH_GENERIC_OAUTH_API_URL}
+ - GF_AUTH_SIGNOUT_REDIRECT_URL=${GF_AUTH_SIGNOUT_REDIRECT_URL}
+ - GF_AUTH_OAUTH_AUTO_LOGIN=${GF_AUTH_OAUTH_AUTO_LOGIN}
+ - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=${GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH}
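Review bot: `GF_SERVER_DOMAIN="ststats.hamik.net"` in the list-form `environment:` block passes the double quotes through as part of the value (the whole item is one plain YAML scalar, and Compose does not strip quotes after `=`), so Grafana sees a domain of `"ststats.hamik.net"` including the quote characters; write it as `- GF_SERVER_DOMAIN=ststats.hamik.net`, matching the unquoted `GF_SERVER_ROOT_URL` line below it. The `${...}` substitutions expand to an empty string (with only a warning) when a variable is missing from `.env`, which for `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` means a misconfigured container starts instead of failing; Compose's `${GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:?unset}` form aborts `docker compose up` instead, and the same applies to the other required OAuth values. `image: grafana/grafana` has no tag, so every pull may bring a different Grafana version; pin a tag (and ideally a digest) so the OAuth and role-mapping behaviour this commit verified stays reproducible. The volume line still mounts `./grafana/etc/grafana/grafana.ini` although the commit deletes `Grafana/grafana.ini`; if that host path does not exist, Docker will most likely create an empty directory there and the container will fail to start, so either drop the mount or note where the file is expected to come from. Since `GF_SERVER_ROOT_URL` suggests a TLS-terminating proxy in front, consider `127.0.0.1:5000:3000` so port 5000 is not exposed on every interface.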