Trammell Hudson
3 years ago
parent
628f37fa37
commit
8cc7d6e3c9
@ -0,0 +1,26 @@ |
|||||||
|
version: "3" |
||||||
|
|
||||||
|
services: |
||||||
|
grafana: |
||||||
|
image: grafana/grafana-oss:8.5.1 |
||||||
|
user: "0:0" |
||||||
|
environment: |
||||||
|
GF_AUTH_GENERIC_OAUTH_ENABLED: 'True' |
||||||
|
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: 'True' # otherwise no login is possible |
||||||
|
#GF_AUTH_GENERIC_OAUTH_TEAM_IDS: '' |
||||||
|
#GF_AUTH_GENERIC_OAUTH_ALLOWED_ORGANIZATIONS: '' |
||||||
|
#GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS: '<domains>' |
||||||
|
GF_AUTH_GENERIC_OAUTH_NAME: Keycloak |
||||||
|
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana |
||||||
|
GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email |
||||||
|
# GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET is in env.secrets |
||||||
|
# auth URLs are in the env.secrets since they have hostname expansion |
||||||
|
volumes: |
||||||
|
- ./data/grafana:/var/lib/grafana |
||||||
|
restart: unless-stopped |
||||||
|
ports: |
||||||
|
- 8000:3000 |
||||||
|
env_file: |
||||||
|
- ../env.production |
||||||
|
- env.production |
||||||
|
- env.secrets |
||||||
@ -0,0 +1,46 @@ |
|||||||
|
#!/bin/bash |
||||||
|
die() { echo >&2 "$@" ; exit 1 ; } |
||||||
|
|
||||||
|
DIRNAME="$(dirname $0)" |
||||||
|
cd "$DIRNAME" |
||||||
|
source ../env.production || die "no top level env?" |
||||||
|
source env.production || die "no local env?" |
||||||
|
|
||||||
|
BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect" |
||||||
|
|
||||||
|
if [ ! -r "env.secrets" ]; then |
||||||
|
GRAFANA_CLIENT_SECRET="$(openssl rand -hex 32)" |
||||||
|
GRAFANA_ADMIN_PASSWORD="$(openssl rand -hex 4)" |
||||||
|
|
||||||
|
echo "Generating secrets: admin password $GRAFANA_ADMIN_PASSWORD" |
||||||
|
cat <<EOF > env.secrets |
||||||
|
# Do not check in! |
||||||
|
GRAFANA_ADMIN_PASSWORD=$GRAFANA_ADMIN_PASSWORD |
||||||
|
GF_SERVER_ROOT_URL=https://$GRAFANA_HOSTNAME/ |
||||||
|
GF_SERVER_DOMAIN=$GRAFANA_HOSTNAME |
||||||
|
GF_AUTH_GENERIC_OAUTH_AUTH_URL=$BASE/auth |
||||||
|
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=$BASE/token |
||||||
|
GF_AUTH_GENERIC_OAUTH_API_URL=$BASE/userinfo |
||||||
|
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$GRAFANA_CLIENT_SECRET |
||||||
|
EOF |
||||||
|
else |
||||||
|
source env.secrets || die "no secret env?" |
||||||
|
fi |
||||||
|
|
||||||
|
docker-compose down |
||||||
|
|
||||||
|
../keycloak/client-delete 'grafana' || echo "client did not exist?" |
||||||
|
|
||||||
|
../keycloak/client-create << EOF || die "unable to create client id" |
||||||
|
{ |
||||||
|
"clientId": "grafana", |
||||||
|
"rootUrl": "https://$GRAFANA_HOSTNAME/", |
||||||
|
"adminUrl": "https://$GRAFANA_HOSTNAME/", |
||||||
|
"redirectUris": [ "https://$GRAFANA_HOSTNAME/*" ], |
||||||
|
"webOrigins": [ "https://$GRAFANA_HOSTNAME" ], |
||||||
|
"clientAuthenticatorType": "client-secret", |
||||||
|
"secret": "$GRAFANA_CLIENT_SECRET" |
||||||
|
} |
||||||
|
EOF |
||||||
|
|
||||||
|
docker-compose up -d || die "unable to bring up grafana" |
||||||
@ -0,0 +1,60 @@ |
|||||||
|
server { |
||||||
|
listen 80; |
||||||
|
server_name ${GRAFANA_HOSTNAME}; |
||||||
|
location / { |
||||||
|
return 301 https://$host$request_uri; |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
map $http_upgrade $connection_upgrade { |
||||||
|
default upgrade; |
||||||
|
'' close; |
||||||
|
} |
||||||
|
|
||||||
|
server { |
||||||
|
server_name ${GRAFANA_HOSTNAME}; |
||||||
|
client_max_body_size 128m; |
||||||
|
|
||||||
|
sendfile on; |
||||||
|
tcp_nopush on; |
||||||
|
tcp_nodelay on; |
||||||
|
keepalive_timeout 65; |
||||||
|
types_hash_max_size 2048; |
||||||
|
#include /etc/nginx/mime.types; |
||||||
|
#default_type application/octet-stream; |
||||||
|
|
||||||
|
gzip on; |
||||||
|
gzip_disable "msie6"; |
||||||
|
|
||||||
|
proxy_read_timeout 1800s; |
||||||
|
|
||||||
|
# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486) |
||||||
|
chunked_transfer_encoding on; |
||||||
|
|
||||||
|
location / { |
||||||
|
proxy_pass http://host.docker.internal:8000; |
||||||
|
proxy_set_header Host $host; |
||||||
|
proxy_set_header X-Real-IP $remote_addr; |
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||||
|
proxy_set_header X-Forwarded-Proto $scheme; |
||||||
|
} |
||||||
|
|
||||||
|
location /socket.io/ { |
||||||
|
proxy_pass http://host.docker.internal:8000; |
||||||
|
proxy_set_header Host $host; |
||||||
|
proxy_set_header X-Real-IP $remote_addr; |
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||||
|
proxy_set_header X-Forwarded-Proto $scheme; |
||||||
|
proxy_set_header Upgrade $http_upgrade; |
||||||
|
proxy_set_header Connection $connection_upgrade; |
||||||
|
} |
||||||
|
|
||||||
|
listen 443 ssl; |
||||||
|
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem; |
||||||
|
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem; |
||||||
|
include /etc/nginx/includes/options-ssl-nginx.conf; |
||||||
|
include /etc/nginx/includes/challenge.conf; |
||||||
|
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem; |
||||||
|
} |
||||||
|
|
||||||
|
|
||||||
Loading…
Reference in new issue