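# Grafana (Enterprise) behind Traefik, authenticating users against Authentik via
# generic OAuth2/OIDC. Security-relevant notes are inline. The OAuth client secret
# is deliberately NOT in this file: it is rendered at runtime from a Nomad variable
# (see the `template` block) so the job spec can be committed without leaking it.
job "grafana" {
  datacenters = ["alo"]

  group "monitoring" {
    network {
      port "http" {
        # Binds on the default host network. Uncomment to restrict the listener to
        # the tailnet interface only (Traefik must then reach it over that interface).
        #host_network = "tailscale"
      }
    }

    task "grafana" {
      driver = "docker"

      config {
        # NOTE(review): a floating tag is not reproducible and lets a broken or
        # compromised upstream push land here on the next restart. Pin to a specific
        # version, preferably by digest (grafana/grafana-enterprise@sha256:...), and
        # bump deliberately.
        image = "grafana/grafana-enterprise:latest"
        ports = ["http"]
        volumes = [
          # Persistent Grafana state (sqlite DB, plugins, provisioning) on the host.
          "/data/services/grafana:/var/lib/grafana",
        ]
      }

      # OAuth client secret, injected as an environment variable from the Nomad
      # variable store instead of being hard-coded in this file. Populate it once:
      #   nomad var put nomad/jobs/grafana oauth_client_secret=<secret>
      # A task can read `nomad/jobs/<job-name>` through its implicit workload
      # identity, so no extra ACL policy is needed. Any secret value that was
      # previously committed here must be treated as exposed and rotated in
      # Authentik before this is deployed.
      template {
        destination = "secrets/oauth.env"
        env         = true
        data        = <<EOT
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ with nomadVar "nomad/jobs/grafana" }}{{ .oauth_client_secret }}{{ end }}
EOT
      }

      env {
        GF_SERVER_HTTP_PORT = "${NOMAD_PORT_http}"
        GF_SERVER_ROOT_URL  = "https://grafana.v.paler.net"

        # Prometheus metrics on /metrics. Grafana serves this endpoint WITHOUT
        # authentication unless GF_METRICS_BASIC_AUTH_USERNAME/PASSWORD are set;
        # because the service is published through Traefik, either set those or
        # restrict /metrics at the proxy to the scraper's source address.
        GF_METRICS_ENABLED             = "true"
        GF_METRICS_DISABLE_TOTAL_STATS = "false"

        # HTTP Basic auth is off; Authentik is the intended identity provider.
        GF_AUTH_BASIC_ENABLED = "false"
        # NOTE(review): the password login form is still served at /login (reachable
        # via ?disableAutoLogin) and accepts the built-in admin account. Set
        # GF_AUTH_DISABLE_LOGIN_FORM = "true" once a break-glass path is confirmed.

        GF_AUTH_GENERIC_OAUTH_ENABLED   = "true"
        GF_AUTH_GENERIC_OAUTH_NAME      = "authentik"
        # The client ID is a public identifier, not a secret; the matching secret
        # comes from the template block above.
        GF_AUTH_GENERIC_OAUTH_CLIENT_ID = "E78NG1AZeW6FaAox0mUhaTSrHeqFgNkWG12My2zx"
        GF_AUTH_GENERIC_OAUTH_SCOPES    = "openid profile email offline_access"
        GF_AUTH_GENERIC_OAUTH_AUTH_URL  = "https://authentik.v.paler.net/application/o/authorize/"
        GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://authentik.v.paler.net/application/o/token/"
        GF_AUTH_GENERIC_OAUTH_API_URL   = "https://authentik.v.paler.net/application/o/userinfo/"
        GF_AUTH_SIGNOUT_REDIRECT_URL    = "https://authentik.v.paler.net/application/o/grafana/end-session/"
        # PKCE protects the authorization-code exchange against code interception.
        # Left for the operator to enable after confirming the Authentik provider
        # accepts it.
        #GF_AUTH_GENERIC_OAUTH_USE_PKCE = "true"

        # Skip the Grafana login screen and go straight to Authentik.
        GF_AUTH_OAUTH_AUTO_LOGIN = "true"

        # Group -> role mapping (JMESPath over the userinfo / ID-token claims).
        # It falls through to Viewer for anyone not in the two named groups, so
        # every user Authentik admits to this application gets an account
        # (GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP defaults to true). Gate access in the
        # Authentik application policy, or set GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS.
        # Assumes Authentik emits a `groups` claim for these scopes — verify.
        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
        GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN   = "true"

        # Debug logging is verbose and may record request details; enable only
        # while troubleshooting.
        #GF_LOG_LEVEL = "debug"
      }

      service {
        port = "http"
        name = "grafana"
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.grafana.entryPoints=websecure",
          "metrics",
        ]

        check {
          type     = "http"
          path     = "/api/health"
          interval = "10s"
          timeout  = "5s"
        }
      }

      resources {
        cpu    = 1000
        memory = 256
      }
    }
  }
}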