Trammell Hudson
3 years ago
parent
628f37fa37
commit
8cc7d6e3c9
@ -0,0 +1,26 @@
|
|||||||
|
version: "3"
|
||||||
|
|
||||||
|
services:
|
||||||
|
grafana:
|
||||||
|
image: grafana/grafana-oss:8.5.1
|
||||||
|
user: "0:0"
|
||||||
|
environment:
|
||||||
|
GF_AUTH_GENERIC_OAUTH_ENABLED: 'True'
|
||||||
|
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: 'True' # otherwise no login is possible
|
||||||
|
#GF_AUTH_GENERIC_OAUTH_TEAM_IDS: ''
|
||||||
|
#GF_AUTH_GENERIC_OAUTH_ALLOWED_ORGANIZATIONS: ''
|
||||||
|
#GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS: '<domains>'
|
||||||
|
GF_AUTH_GENERIC_OAUTH_NAME: Keycloak
|
||||||
|
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
|
||||||
|
GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
|
||||||
|
# GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET is in env.secrets
|
||||||
|
# auth URLs are in the env.secrets since they have hostname expansion
|
||||||
|
volumes:
|
||||||
|
- ./data/grafana:/var/lib/grafana
|
||||||
|
restart: unless-stopped
|
||||||
|
ports:
|
||||||
|
- 8000:3000
|
||||||
|
env_file:
|
||||||
|
- ../env.production
|
||||||
|
- env.production
|
||||||
|
- env.secrets
|
||||||
@ -0,0 +1,46 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
die() { echo >&2 "$@" ; exit 1 ; }
|
||||||
|
|
||||||
|
DIRNAME="$(dirname $0)"
|
||||||
|
cd "$DIRNAME"
|
||||||
|
source ../env.production || die "no top level env?"
|
||||||
|
source env.production || die "no local env?"
|
||||||
|
|
||||||
|
BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect"
|
||||||
|
|
||||||
|
if [ ! -r "env.secrets" ]; then
|
||||||
|
GRAFANA_CLIENT_SECRET="$(openssl rand -hex 32)"
|
||||||
|
GRAFANA_ADMIN_PASSWORD="$(openssl rand -hex 4)"
|
||||||
|
|
||||||
|
echo "Generating secrets: admin password $GRAFANA_ADMIN_PASSWORD"
|
||||||
|
cat <<EOF > env.secrets
|
||||||
|
# Do not check in!
|
||||||
|
GRAFANA_ADMIN_PASSWORD=$GRAFANA_ADMIN_PASSWORD
|
||||||
|
GF_SERVER_ROOT_URL=https://$GRAFANA_HOSTNAME/
|
||||||
|
GF_SERVER_DOMAIN=$GRAFANA_HOSTNAME
|
||||||
|
GF_AUTH_GENERIC_OAUTH_AUTH_URL=$BASE/auth
|
||||||
|
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=$BASE/token
|
||||||
|
GF_AUTH_GENERIC_OAUTH_API_URL=$BASE/userinfo
|
||||||
|
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$GRAFANA_CLIENT_SECRET
|
||||||
|
EOF
|
||||||
|
else
|
||||||
|
source env.secrets || die "no secret env?"
|
||||||
|
fi
|
||||||
|
|
||||||
|
docker-compose down
|
||||||
|
|
||||||
|
../keycloak/client-delete 'grafana' || echo "client did not exist?"
|
||||||
|
|
||||||
|
../keycloak/client-create << EOF || die "unable to create client id"
|
||||||
|
{
|
||||||
|
"clientId": "grafana",
|
||||||
|
"rootUrl": "https://$GRAFANA_HOSTNAME/",
|
||||||
|
"adminUrl": "https://$GRAFANA_HOSTNAME/",
|
||||||
|
"redirectUris": [ "https://$GRAFANA_HOSTNAME/*" ],
|
||||||
|
"webOrigins": [ "https://$GRAFANA_HOSTNAME" ],
|
||||||
|
"clientAuthenticatorType": "client-secret",
|
||||||
|
"secret": "$GRAFANA_CLIENT_SECRET"
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
docker-compose up -d || die "unable to bring up grafana"
|
||||||
@ -0,0 +1,60 @@
|
|||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name ${GRAFANA_HOSTNAME};
|
||||||
|
location / {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
map $http_upgrade $connection_upgrade {
|
||||||
|
default upgrade;
|
||||||
|
'' close;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name ${GRAFANA_HOSTNAME};
|
||||||
|
client_max_body_size 128m;
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
tcp_nopush on;
|
||||||
|
tcp_nodelay on;
|
||||||
|
keepalive_timeout 65;
|
||||||
|
types_hash_max_size 2048;
|
||||||
|
#include /etc/nginx/mime.types;
|
||||||
|
#default_type application/octet-stream;
|
||||||
|
|
||||||
|
gzip on;
|
||||||
|
gzip_disable "msie6";
|
||||||
|
|
||||||
|
proxy_read_timeout 1800s;
|
||||||
|
|
||||||
|
# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
|
||||||
|
chunked_transfer_encoding on;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://host.docker.internal:8000;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /socket.io/ {
|
||||||
|
proxy_pass http://host.docker.internal:8000;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
}
|
||||||
|
|
||||||
|
listen 443 ssl;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
|
||||||
|
include /etc/nginx/includes/options-ssl-nginx.conf;
|
||||||
|
include /etc/nginx/includes/challenge.conf;
|
||||||
|
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
Loading…
Reference in new issue