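# Nomad job: one Grafana Enterprise instance behind Traefik, with users signing in
# through the "Pocket ID" OIDC provider (Grafana generic OAuth). The HTTP port is
# allocated dynamically by Nomad and passed to Grafana via GF_SERVER_HTTP_PORT.
job "grafana" {
  datacenters = ["alo"]

  group "monitoring" {
    network {
      port "http" {
        #host_network = "tailscale"
      }
    }

    task "grafana" {
      driver = "docker"

      config {
        # NOTE(review): a floating tag cannot be pinned or audited; prefer an explicit
        # version (or image digest) so upgrades happen deliberately.
        image   = "grafana/grafana-enterprise:latest"
        ports   = ["http"]
        volumes = ["/data/services/grafana:/var/lib/grafana"]
      }

      # The OAuth client secret is not stored as a literal in this job file. It is
      # rendered from the job-scoped Nomad variable into the task's secrets/ dir and
      # exported as an environment variable (env = true). Create the variable before
      # running the job, e.g.:
      #   nomad var put nomad/jobs/grafana client_secret=<CLIENT_SECRET_PLACEHOLDER>
      # The task's default workload identity can read nomad/jobs/grafana without an
      # extra ACL policy. A secret that was previously committed here should be
      # rotated in Pocket ID, since the old value remains in version-control history.
      template {
        data        = <<-EOT
          {{ with nomadVar "nomad/jobs/grafana" }}
          GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .client_secret }}
          {{ end }}
        EOT
        destination = "secrets/grafana.env"
        env         = true
      }

      env {
        # Listen on the port Nomad allocated for the "http" label.
        GF_SERVER_HTTP_PORT            = "${NOMAD_PORT_http}"
        GF_METRICS_ENABLED             = "true"
        GF_METRICS_DISABLE_TOTAL_STATS = "false"
        # Public URL must match what the OIDC provider redirects back to.
        GF_SERVER_ROOT_URL             = "https://grafana.v.paler.net"

        # Local username/password login is off; OIDC is the only sign-in path.
        GF_AUTH_BASIC_ENABLED = "false"

        GF_AUTH_GENERIC_OAUTH_ENABLED   = "true"
        GF_AUTH_GENERIC_OAUTH_NAME      = "Pocket ID"
        GF_AUTH_GENERIC_OAUTH_CLIENT_ID = "99e44cf2-ecc6-4e82-8882-129c017f8a4a"
        # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET is supplied by the template stanza above.
        GF_AUTH_GENERIC_OAUTH_SCOPES    = "openid profile email groups"
        GF_AUTH_GENERIC_OAUTH_AUTH_URL  = "https://pocket-id.v.paler.net/authorize"
        GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://pocket-id.v.paler.net/api/oidc/token"
        GF_AUTH_GENERIC_OAUTH_API_URL   = "https://pocket-id.v.paler.net/api/oidc/userinfo"
        GF_AUTH_SIGNOUT_REDIRECT_URL    = "https://pocket-id.v.paler.net/logout"

        # Optionally enable auto-login (bypasses Grafana login screen)
        GF_AUTH_OAUTH_AUTO_LOGIN = "true"

        # Optionally map user groups to Grafana roles.
        # JMESPath over the userinfo claims: members of "admins" become Admin,
        # members of "residents" become Editor, everyone else falls back to Viewer.
        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH = "contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'residents') && 'Editor' || 'Viewer'"

        GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN     = "true"
        GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH  = "email"
        GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH  = "preferred_username"
        GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH   = "name"

        #GF_LOG_LEVEL = "debug"
      }

      service {
        port = "http"
        name = "grafana"
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.grafana.entryPoints=websecure",
          "metrics",
        ]

        check {
          type     = "http"
          path     = "/api/health"
          interval = "10s"
          timeout  = "5s"
        }
      }

      resources {
        cpu    = 1000
        memory = 256
      }
    }
  }
}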