# Compose definition for a single Grafana service, published through Traefik
# and using a Keycloak realm as generic-OAuth identity provider.
#
# Two substitution layers are visible in this file:
#   * `{{ ... }}` placeholders, filled in before Compose reads the file
#     (presumably Jinja2 via Ansible - confirm against the deploying role).
#   * `${COMPOSE_PROJECT_NAME}`, expanded by Compose itself.
# NOTE(review): every `{{ ... }}` value lands inside a double-quoted YAML
# scalar and then passes through Compose interpolation. A rendered value that
# contains `"` or `\` changes the YAML, and a `$` is treated as the start of a
# Compose variable unless written as `$$`. Confirm the secret values are
# generated or escaped with that in mind.
version: "3.4"

services:
  grafana:
    # NOTE(review): `latest` is a floating tag, so the image that runs changes
    # with every pull and cannot be reproduced or audited afterwards. Pin a
    # specific version tag or an image digest and upgrade deliberately.
    image: grafana/grafana:latest
    restart: unless-stopped
    labels:
      # Expose the container through Traefik on the project's default network.
      - "traefik.enable=true"
      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
      - "traefik.http.routers.grafana.rule=Host(`grafana.tobiasmanske.de`)"
      # Only the `websecure` entry point is bound. No TLS or cert-resolver
      # label is set on this router - presumably TLS is configured on the
      # entry point in Traefik's static configuration; confirm.
      - "traefik.http.routers.grafana.entryPoints=websecure"
      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
    environment:
      - "GF_SERVER_ROOT_URL=https://grafana.tobiasmanske.de"
      # Local administrator account, kept alongside the OAuth login.
      # NOTE(review): this password and the OAuth client secret below are
      # rendered in clear text into the compose file and into the container
      # environment, where `docker inspect` shows them. Restrict read access to
      # the rendered file; Grafana also accepts the `__FILE` suffix on a
      # variable name (e.g. GF_SECURITY_ADMIN_PASSWORD__FILE) to read the value
      # from a mounted file instead.
      - "GF_SECURITY_ADMIN_USER={{ grafana.admin.user }}"
      - "GF_SECURITY_ADMIN_PASSWORD={{ grafana.admin.password }}"
      # Generic OAuth login, shown to users as "Keycloak".
      - "GF_AUTH_GENERIC_OAUTH_NAME=Keycloak"
      - "GF_AUTH_GENERIC_OAUTH_ENABLED=true"
      # Sign-up is allowed: a Grafana account is created on first login for
      # any user the identity provider authenticates. What that account may do
      # is decided only by the role mapping further down.
      - "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true"
      - "GF_AUTH_GENERIC_OAUTH_CLIENT_ID={{ grafana.oidc.client_id }}"
      - "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ grafana.oidc.client_secret }}"
      - "GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile offline_access roles"
      # Claim names used to fill the Grafana user profile.
      - "GF_AUTH_GENERIC_OAUTH_GROUP_ATTRIBUTE_PATH=groups"
      - "GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email"
      - "GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username"
      - "GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=full_name"
      # Keycloak OpenID Connect endpoints of the configured realm, always
      # addressed over https.
      - "GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://{{ grafana.oidc.url }}/realms/{{ grafana.oidc.realm_name }}/protocol/openid-connect/auth"
      - "GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://{{ grafana.oidc.url }}/realms/{{ grafana.oidc.realm_name }}/protocol/openid-connect/token"
      - "GF_AUTH_GENERIC_OAUTH_API_URL=https://{{ grafana.oidc.url }}/realms/{{ grafana.oidc.realm_name }}/protocol/openid-connect/userinfo"
      # Role mapping: the expression tests the roles listed under
      # `resource_access.grafana.roles` in this order and yields the first
      # match: serveradmin -> GrafanaAdmin, admin -> Admin, editor -> Editor,
      # viewer -> Viewer. A user with none of these roles gets 'None', so the
      # default for an unmapped user is no organisation role rather than
      # Viewer.
      # NOTE(review): the client name `grafana` is fixed in the path while the
      # client id above is templated; presumably both must name the same
      # Keycloak client for any role to match - confirm.
      - "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(resource_access.grafana.roles[*], 'serveradmin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || contains(resource_access.grafana.roles[*], 'viewer') && 'Viewer' || 'None'"
      # Lets the mapping above hand out Grafana server-admin. With this
      # enabled, whoever can assign the `serveradmin` client role in Keycloak
      # decides who administers this Grafana instance, so that permission
      # belongs in the same review as Grafana admin access itself.
      - "GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true"
    volumes:
      # Named volume for Grafana's own state.
      - data:/var/lib/grafana
      # Provisioning files and dashboards are mounted read-only (`ro`), so the
      # container cannot modify them; `Z` requests a private SELinux relabel of
      # the host path.
      - ./grafana-ds.yml:/etc/grafana/provisioning/datasources/datasource.yml:ro,Z
      # NOTE(review): mounted into the dashboards provisioning directory under
      # the name `datasource.yml`; presumably this is the dashboard provider
      # definition and the target name is only misleading - confirm.
      - ./grafana-db.yml:/etc/grafana/provisioning/dashboards/datasource.yml:ro,Z
      - ./grafana-dashboards:/var/lib/grafana/dashboards:ro,Z
    networks:
      # `default` is the network named in the traefik.docker.network label;
      # `metrics` is the pre-existing external network declared below.
      - default
      - metrics

volumes:
  data:

networks:
  # NOTE(review): `backend` and `postgres` are declared as internal networks,
  # but no service in this file attaches to them. The grafana service joins
  # only `default` and `metrics`.
  backend:
    internal: true
  # External: Compose expects this network to exist already and does not
  # create or remove it.
  metrics:
    external: true
  postgres:
    internal: true