OAuth for Grafana.

services/grafana.hcl

@@ -18,10 +18,25 @@ job "grafana" {
       }
 
       env {
-        GF_AUTH_BASIC_ENABLED = "false"
         GF_SERVER_HTTP_PORT = "${NOMAD_PORT_http}"
         GF_METRICS_ENABLED = "true"
         GF_METRICS_DISABLE_TOTAL_STATS = "false"
+
+        GF_SERVER_ROOT_URL = "https://grafana.v.paler.net"
+        GF_AUTH_BASIC_ENABLED = "false"
+        GF_AUTH_GENERIC_OAUTH_ENABLED = "true"
+        GF_AUTH_GENERIC_OAUTH_NAME = "authentik"
+        GF_AUTH_GENERIC_OAUTH_CLIENT_ID = "E78NG1AZeW6FaAox0mUhaTSrHeqFgNkWG12My2zx"
+        GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET = "N7u2RfFZ5KVLdEkhlpUTzymGxeK5rLo9SYZLSGGBXJDr46p5g5uv1qZ4Jm2d1rP4aJX4PSzauZlxHhkG2byiBFMbdo6K742KXcEimZsOBFiNKeWOHxofYerBnPuoECQW"
+        GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email"
+        GF_AUTH_GENERIC_OAUTH_AUTH_URL = "https://authentik.v.paler.net/application/o/authorize/"
+        GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://authentik.v.paler.net/application/o/token/"
+        GF_AUTH_GENERIC_OAUTH_API_URL = "https://authentik.v.paler.net/application/o/userinfo/"
+        GF_AUTH_SIGNOUT_REDIRECT_URL = "https://authentik.v.paler.net/application/o/grafana/end-session/"
+        # Optionally enable auto-login (bypasses Grafana login screen)
+        GF_AUTH_OAUTH_AUTO_LOGIN = "true"
+        # Optionally map user groups to Grafana roles
+        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
       }
 
       service {
@@ -34,7 +49,7 @@ job "grafana" {
         ]
         check {
           type     = "http"
-          path     = "/"
+          path     = "/api/health"
           interval = "10s"
           timeout  = "5s"
         }