switch to docker-compose env for oauth configuration, verified admin role maps properly

2024-01-17 01:17:30 -06:00 · 2024-01-17 01:17:30 -06:00 · c656edeaf7
commit c656edeaf7
parent 9c06784555
3 changed files with 44 additions and 15 deletions
--- a/.env.example
+++ b/.env.example
@ -0,0 +1,13 @@
+GF_AUTH_GENERIC_OAUTH_ENABLED=true
+GF_AUTH_GENERIC_OAUTH_NAME=authentik
+GF_AUTH_GENERIC_OAUTH_CLIENT_ID=CLIENT_ID_GOES_HERE
+GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=CLIENT_SECRET_GOES_HERE
+GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email
+GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://auth.example.net/application/o/authorize/
+GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://auth.example.net/application/o/token/
+GF_AUTH_GENERIC_OAUTH_API_URL=https://auth.example.net/application/o/userinfo/
+GF_AUTH_SIGNOUT_REDIRECT_URL=https:///auth.example.net/application/o/grafana/end-session/
+# Optionally enable auto-login (bypasses Grafana login screen)
+GF_AUTH_OAUTH_AUTO_LOGIN=true
+# Optionally map user groups to Grafana roles
+GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(groups, 'grafanaadmin') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'
--- a/Grafana/grafana.ini
+++ b/Grafana/grafana.ini
@ -1,15 +0,0 @@
-[auth]
-oauth_auto_login = true
-;#################################### Generic OAuth ##########################
-
-[auth.generic_oauth]
-enabled = true
-name = Authentik
-allow_sign_up = true
-client_id = CLIENT_ID_RANDOM_STRING
-client_secret = CLIENT_SECRET_RANDOM_STRING
-scopes = openid,email,read:org
-auth_url = https://auth.hamik.net/application/o/authorize/
-token_url = https://auth.hamik.net/application/o/token/
-api_url = https://auth.hamik.net/application/o/userinfo/
-skip_org_role_sync=true
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,31 @@
+version: '3'
+services:
+  grafana:
+    container_name: grafana
+    hostname: grafana
+    image: grafana/grafana
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+    restart: always
+    volumes:
+      - ./grafana/var/lib/grafana:/var/lib/grafana
+      - ./grafana/etc/grafana/grafana.ini:/etc/grafana/grafana.ini
+    ports:
+      - "5000:3000"
+    environment:
+            #      - INSTALL_PLUGINS="digrich-bubblechart-panel"
+      - GF_SERVER_DOMAIN="ststats.hamik.net"
+      - GF_SERVER_ROOT_URL=https://ststats.hamik.net
+      - GF_AUTH_GENERIC_OAUTH_ENABLED=${GF_AUTH_GENERIC_OAUTH_ENABLED}
+      - GF_AUTH_GENERIC_OAUTH_NAME=${GF_AUTH_GENERIC_OAUTH_NAME}
+      - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=${GF_AUTH_GENERIC_OAUTH_CLIENT_ID}
+      - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
+      - GF_AUTH_GENERIC_OAUTH_SCOPES=${GF_AUTH_GENERIC_OAUTH_SCOPES}
+      - GF_AUTH_GENERIC_OAUTH_AUTH_URL=${GF_AUTH_GENERIC_OAUTH_AUTH_URL}
+      - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=${GF_AUTH_GENERIC_OAUTH_TOKEN_URL}
+      - GF_AUTH_GENERIC_OAUTH_API_URL=${GF_AUTH_GENERIC_OAUTH_API_URL}
+      - GF_AUTH_SIGNOUT_REDIRECT_URL=${GF_AUTH_SIGNOUT_REDIRECT_URL}
+      - GF_AUTH_OAUTH_AUTO_LOGIN=${GF_AUTH_OAUTH_AUTO_LOGIN}
+      - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=${GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH}