alo-cluster/services/grafana.hcl

job "grafana" {
  datacenters = ["alo"]

  group "monitoring" {
    network {
      port "http" {
        #host_network = "tailscale"
      }
    }

    task "grafana" {
      driver = "docker"

      config {
        image = "grafana/grafana-enterprise:latest"
        ports = [ "http" ]
        volumes = [ "/data/compute/appdata/grafana:/var/lib/grafana" ]
      }

      env {
        GF_SERVER_HTTP_PORT = "${NOMAD_PORT_http}"
        GF_METRICS_ENABLED = "true"
        GF_METRICS_DISABLE_TOTAL_STATS = "false"

        GF_SERVER_ROOT_URL = "https://grafana.v.paler.net"
        GF_AUTH_BASIC_ENABLED = "false"
        GF_AUTH_GENERIC_OAUTH_ENABLED = "true"
        GF_AUTH_GENERIC_OAUTH_NAME = "authentik"
        GF_AUTH_GENERIC_OAUTH_CLIENT_ID = "E78NG1AZeW6FaAox0mUhaTSrHeqFgNkWG12My2zx"
        GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET = "N7u2RfFZ5KVLdEkhlpUTzymGxeK5rLo9SYZLSGGBXJDr46p5g5uv1qZ4Jm2d1rP4aJX4PSzauZlxHhkG2byiBFMbdo6K742KXcEimZsOBFiNKeWOHxofYerBnPuoECQW"
        GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email offline_access"
        GF_AUTH_GENERIC_OAUTH_AUTH_URL = "https://authentik.v.paler.net/application/o/authorize/"
        GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://authentik.v.paler.net/application/o/token/"
        GF_AUTH_GENERIC_OAUTH_API_URL = "https://authentik.v.paler.net/application/o/userinfo/"
        GF_AUTH_SIGNOUT_REDIRECT_URL = "https://authentik.v.paler.net/application/o/grafana/end-session/"
        # Optionally enable auto-login (bypasses Grafana login screen)
        GF_AUTH_OAUTH_AUTO_LOGIN = "true"
        # Optionally map user groups to Grafana roles
        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
        GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN = "true"
        #GF_LOG_LEVEL = "debug"
      }

      service {
        port = "http"
	name = "grafana"
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.grafana.entryPoints=websecure",
          "metrics",
        ]
        check {
          type     = "http"
          path     = "/api/health"
          interval = "10s"
          timeout  = "5s"
        }
      }

      resources {
        cpu    = 1000
        memory = 256
      }
    }
  }
}