alo-cluster/services/grafana.hcl

job "grafana" {
  datacenters = ["alo"]

  group "monitoring" {
    network {
      port "http" {
        #host_network = "tailscale"
      }
    }

    task "grafana" {
      driver = "docker"

      config {
        image = "grafana/grafana-enterprise:latest"
        ports = [ "http" ]
        volumes = [ "/data/services/grafana:/var/lib/grafana" ]
      }

      env {
        GF_SERVER_HTTP_PORT = "${NOMAD_PORT_http}"
        GF_METRICS_ENABLED = "true"
        GF_METRICS_DISABLE_TOTAL_STATS = "false"

        GF_SERVER_ROOT_URL = "https://grafana.v.paler.net"
        GF_AUTH_BASIC_ENABLED = "false"
        GF_AUTH_GENERIC_OAUTH_ENABLED = "true"
        GF_AUTH_GENERIC_OAUTH_NAME = "Pocket ID"
        GF_AUTH_GENERIC_OAUTH_CLIENT_ID = "99e44cf2-ecc6-4e82-8882-129c017f8a4a"
        GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET = "NjJ9Uro4MK7siqLGSmkiQmjFuESulqQN"
        GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email groups"
        GF_AUTH_GENERIC_OAUTH_AUTH_URL = "https://pocket-id.v.paler.net/authorize"
        GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://pocket-id.v.paler.net/api/oidc/token"
        GF_AUTH_GENERIC_OAUTH_API_URL = "https://pocket-id.v.paler.net/api/oidc/userinfo"
        GF_AUTH_SIGNOUT_REDIRECT_URL = "https://pocket-id.v.paler.net/logout"
        # Optionally enable auto-login (bypasses Grafana login screen)
        GF_AUTH_OAUTH_AUTO_LOGIN = "true"
        # Optionally map user groups to Grafana roles
        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH = "contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'residents') && 'Editor' || 'Viewer'"
        GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN = "true"
        GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH = "email"
        GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH = "preferred_username"
        GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH = "name"
        #GF_LOG_LEVEL = "debug"
      }

      service {
        port = "http"
	name = "grafana"
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.grafana.entryPoints=websecure",
          "metrics",
        ]
        check {
          type     = "http"
          path     = "/api/health"
          interval = "10s"
          timeout  = "5s"
        }
      }

      resources {
        cpu    = 1000
        memory = 256
      }
    }
  }
}