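# Compose stack: PostgreSQL + Keycloak (SSO) + Grafana behind a Traefik
# TCP/SNI passthrough. The file carries Jinja-style `{{ … }}` placeholders, so
# it is rendered to text first and only the rendered result is parsed as YAML.
# Every templated secret is therefore double-quoted: a rendered value that
# starts with a YAML indicator, looks like a number/boolean, or contains `: `
# or ` #` must still be read as a string. A secret that itself contains `"` or
# `\` has to be escaped by the template (e.g. emitted as a JSON string) or the
# rendered YAML is invalid.
#
# No service publishes ports on the host; Traefik is expected to join the
# `infra-network` network from elsewhere (not declared in this file).
services:
  database:
    image: postgres:17
    container_name: infra-db
    restart: unless-stopped
    environment:
      # Superuser password. The `keycloak` and `grafana` DB users referenced
      # below are not created here — presumably by ./postgres/init-scripts.
      POSTGRES_PASSWORD: "{{ postgres_pass }}"
    logging:
      driver: local
    networks:
      infra-network:
        ipv4_address: 172.28.0.2
    volumes:
      # Init scripts only run on the first initialisation of an empty data
      # directory and are never written by the container: mount read-only.
      - type: bind
        source: ./postgres/init-scripts
        target: /docker-entrypoint-initdb.d
        read_only: true
      - type: volume
        source: psql-data
        target: /var/lib/postgresql/data

  keycloak:
    build:
      context: ./keycloak
      dockerfile: Containerfile
    container_name: infra-keycloak
    restart: unless-stopped
    logging:
      driver: local
    networks:
      infra-network:
        ipv4_address: 172.28.0.3
        # Lets the other containers (Grafana's OAuth URLs below) resolve the
        # public SSO hostname to this container without leaving the network.
        aliases:
          - sso.mforcen.dev
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://infra-db/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: "{{ keycloak_pass }}"
      # The bootstrap admin password comes from the same secret source as the
      # other credentials instead of being committed in clear text (it was
      # previously hard-coded here). Keycloak treats this account as a
      # temporary bootstrap admin: create a permanent admin after first start
      # and remove this one, then the variable can be dropped.
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: "{{ keycloak_admin_pass }}"
      KC_HOSTNAME: sso.mforcen.dev
      # Quoted: compose environment values are strings.
      KC_HTTPS_PORT: "443"
    depends_on:
      - database
    labels:
      # SNI passthrough: Traefik does not terminate TLS, Keycloak does. Its
      # certificate is not configured here — presumably in the Containerfile.
      - traefik.enable=true
      - traefik.tcp.routers.keycloak.rule=HostSNI(`sso.mforcen.dev`)
      - traefik.tcp.routers.keycloak.entrypoints=websecure
      - traefik.tcp.routers.keycloak.service=keycloak
      - traefik.tcp.routers.keycloak.tls=true
      - traefik.tcp.routers.keycloak.tls.passthrough=true
      - traefik.tcp.services.keycloak.loadbalancer.server.port=443

  grafana:
    container_name: infra-grafana
    # NOTE(review): `latest` is a mutable tag, so every recreate may pull a
    # different build — pin a version (ideally with a digest) so upgrades are
    # deliberate and reproducible.
    image: grafana/grafana:latest
    restart: unless-stopped
    volumes:
      - grafana-storage:/var/lib/grafana
      # Certificate and private-key material is only read by Grafana; mount
      # read-only. /etc/ssl/mforcen.crt is presumably the CA that signed the
      # SSO certificate, so the OAuth token/userinfo calls verify TLS without
      # GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE (correctly left unset).
      - type: bind
        source: ./grafana/mforcen.crt
        target: /etc/ssl/mforcen.crt
        read_only: true
      - type: bind
        source: ./grafana/ssl
        target: /ssl
        read_only: true
    logging:
      driver: local
    depends_on:
      - keycloak
    networks:
      infra-network:
        ipv4_address: 172.28.0.4
    environment:
      GF_DATABASE_TYPE: postgres
      GF_DATABASE_HOST: infra-db:5432
      GF_DATABASE_NAME: grafana
      GF_DATABASE_USER: grafana
      GF_DATABASE_PASSWORD: "{{ grafana_pass }}"
      GF_SERVER_PROTOCOL: https
      # Quoted: compose environment values are strings.
      GF_SERVER_PORT: "443"
      GF_SERVER_DOMAIN: grafana.mforcen.dev
      GF_SERVER_CERT_FILE: /ssl/grafana.mforcen.dev.fullchain.pem
      GF_SERVER_CERT_KEY: /ssl/grafana.mforcen.dev.key
      GF_AUTH_GENERIC_OAUTH_NAME: SSO
      # Quoted: an unquoted `true` is a YAML boolean, not the string the
      # container expects.
      GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
      GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ grafana_kc_client_secret }}"
      GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH: email
      # NOTE(review): Keycloak's default claims are `preferred_username` and
      # `name`; `username` / `full_name` only exist if the `infra` realm adds
      # protocol mappers for them — confirm against the client scopes. No
      # GF_AUTH_GENERIC_OAUTH_SCOPES is set, so Grafana's default scope list is
      # requested; confirm it is enough for the `roles` claim used below.
      GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH: username
      GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH: full_name
      # Role mapping from a `roles` claim. Anyone who can authenticate but
      # holds neither role still becomes Viewer, i.e. realm membership alone
      # grants read access to Grafana.
      GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: >-
        contains(roles[*], 'admin') && 'Admin' ||
        contains(roles[*], 'editor') && 'Editor' || 'Viewer'
      GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://sso.mforcen.dev/realms/infra/protocol/openid-connect/auth
      GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://sso.mforcen.dev/realms/infra/protocol/openid-connect/token
      GF_AUTH_GENERIC_OAUTH_API_URL: https://sso.mforcen.dev/realms/infra/protocol/openid-connect/userinfo
    labels:
      # SNI passthrough: Grafana terminates TLS with the /ssl material above.
      - traefik.enable=true
      - traefik.tcp.routers.grafana.rule=HostSNI(`grafana.mforcen.dev`)
      - traefik.tcp.routers.grafana.entrypoints=websecure
      - traefik.tcp.routers.grafana.service=grafana
      - traefik.tcp.routers.grafana.tls=true
      - traefik.tcp.routers.grafana.tls.passthrough=true
      - traefik.tcp.services.grafana.loadbalancer.server.port=443

volumes:
  psql-data:
  grafana-storage:

networks:
  infra-network:
    ipam:
      driver: default
      config:
        - subnet: 172.28.0.0/24
          ip_range: 172.28.0.0/24
          # Kept out of the low addresses that the services pin above.
          gateway: 172.28.0.254
    name: infra-network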