From 6bb31d928614e5fff9771bdb064bc63ae3431464 Mon Sep 17 00:00:00 2001
From: Petru Paler
Date: Wed, 16 Aug 2023 15:11:47 +0100
Subject: [PATCH] OAuth for Grafana.
---
 services/grafana.hcl | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/services/grafana.hcl b/services/grafana.hcl
index c464108..5935de6 100644
--- a/services/grafana.hcl
+++ b/services/grafana.hcl
@@ -18,10 +18,25 @@ job "grafana" {
 }
 env {
- GF_AUTH_BASIC_ENABLED = "false"
 GF_SERVER_HTTP_PORT = "${NOMAD_PORT_http}"
 GF_METRICS_ENABLED = "true"
 GF_METRICS_DISABLE_TOTAL_STATS = "false"
+
+ GF_SERVER_ROOT_URL = "https://grafana.v.paler.net"
+ GF_AUTH_BASIC_ENABLED = "false"
+ GF_AUTH_GENERIC_OAUTH_ENABLED = "true"
+ GF_AUTH_GENERIC_OAUTH_NAME = "authentik"
+ GF_AUTH_GENERIC_OAUTH_CLIENT_ID = "E78NG1AZeW6FaAox0mUhaTSrHeqFgNkWG12My2zx"
+ GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET = "N7u2RfFZ5KVLdEkhlpUTzymGxeK5rLo9SYZLSGGBXJDr46p5g5uv1qZ4Jm2d1rP4aJX4PSzauZlxHhkG2byiBFMbdo6K742KXcEimZsOBFiNKeWOHxofYerBnPuoECQW"
+ GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email"
+ GF_AUTH_GENERIC_OAUTH_AUTH_URL = "https://authentik.v.paler.net/application/o/authorize/"
+ GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://authentik.v.paler.net/application/o/token/"
+ GF_AUTH_GENERIC_OAUTH_API_URL = "https://authentik.v.paler.net/application/o/userinfo/"
+ GF_AUTH_SIGNOUT_REDIRECT_URL = "https://authentik.v.paler.net/application/o/grafana/end-session/"
+ # Optionally enable auto-login (bypasses Grafana login screen)
+ GF_AUTH_OAUTH_AUTO_LOGIN = "true"
+ # Optionally map user groups to Grafana roles
+ GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
 }
 service {
@@ -34,7 +49,7 @@ job "grafana" {
 ]
 check {
 type = "http"
- path = "/"
+ path = "/api/health"
 interval = "10s"
 timeout = "5s"
 }
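Review bot: The first hunk commits the value of `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` in plain text in the `env` block, so anyone who can read the repository, its history or the submitted job specification holds the OAuth client's credential for the authentik provider. Treat it as exposed: rotate the secret in authentik and have the task read the new value at run time, for instance from a `template` block with `env = true` backed by Nomad variables or Vault, as sketched below (the variable path and key are placeholders). Separately, the `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH` expression ends in `|| 'Viewer'`, so every account that completes the authentik flow gets at least Viewer; if that is not intended, restrict the application on the authentik side or look at Grafana's `role_attribute_strict` setting. The stanza enclosing `env` starts outside the hunk, so the placement of the `template` block next to it is assumed.

```hcl
      env {
        # … unchanged: server, metrics and the remaining GF_AUTH_* settings …
        # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET is no longer set here; the template below supplies it.
      }

      # Placeholder variable path and key: point this at wherever the cluster stores secrets.
      template {
        destination = "secrets/grafana-oauth.env"
        env         = true
        data        = <<EOT
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ with nomadVar "nomad/jobs/grafana" }}{{ .oauth_client_secret }}{{ end }}
EOT
      }
```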