forcen/infra-iac
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
infra-iac/templates/compose.yml
Manuel Forcén Muñoz e2e7f4c511 Fixed SSO grafana authentication
2024-10-21 11:10:50 +02:00

117 lines
3.9 KiB
YAML
Raw Blame History

services:
database:
image: postgres:17
container_name: infra-db
restart: unless-stopped
environment:
POSTGRES_PASSWORD: {{ postgres_pass }}
logging:
driver: local
networks:
infra-network:
ipv4_address: 172.28.0.2
volumes:
- type: bind
source: ./postgres/init-scripts
target: /docker-entrypoint-initdb.d
- type: volume
source: psql-data
target: /var/lib/postgresql/data
keycloak:
build:
context: ./keycloak
dockerfile: Containerfile
container_name: infra-keycloak
restart: unless-stopped
logging:
driver: local
networks:
infra-network:
ipv4_address: 172.28.0.3
aliases:
- sso.mforcen.dev
environment:
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://infra-db/keycloak
KC_DB_USERNAME: keycloak
KC_DB_PASSWORD: {{ keycloak_pass }}
KC_BOOTSTRAP_ADMIN_USERNAME: admin
KC_BOOTSTRAP_ADMIN_PASSWORD: Radiola.123
KC_HOSTNAME: sso.mforcen.dev
KC_HTTPS_PORT: 443
depends_on:
- database
labels:
- traefik.enable=true
- traefik.tcp.routers.keycloak.rule=HostSNI(`sso.mforcen.dev`)
- traefik.tcp.routers.keycloak.entrypoints=websecure
- traefik.tcp.routers.keycloak.service=keycloak
- traefik.tcp.routers.keycloak.tls=true
- traefik.tcp.routers.keycloak.tls.passthrough=true
- traefik.tcp.services.keycloak.loadbalancer.server.port=443
grafana:
container_name: infra-grafana
image: grafana/grafana:latest
restart: unless-stopped
volumes:
- grafana-storage:/var/lib/grafana
- type: bind
source: ./grafana/mforcen.crt
target: /usr/local/share/ca-certificates/mforcen.crt
- type: bind
source: ./grafana/ssl
target: /ssl
logging:
driver: local
depends_on:
- keycloak
networks:
infra-network:
ipv4_address: 172.28.0.4
environment:
GF_DATABASE_TYPE: postgres
GF_DATABASE_HOST: infra-db:5432
GF_DATABASE_NAME: grafana
GF_DATABASE_USER: grafana
GF_DATABASE_PASSWORD: {{ grafana_pass }}
GF_SERVER_PROTOCOL: https
GF_SERVER_HTTP_PORT: 443
GF_SERVER_DOMAIN: grafana.mforcen.dev
GF_SERVER_ROOT_URL: https://grafana.mforcen.dev/
GF_SERVER_CERT_FILE: /ssl/grafana.mforcen.dev.fullchain.pem
GF_SERVER_CERT_KEY: /ssl/grafana.mforcen.dev.key
GF_AUTH_GENERIC_OAUTH_NAME: SSO
GF_AUTH_GENERIC_OAUTH_ENABLED: true
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: {{ grafana_kc_client_secret }}
GF_AUTH_GENERIC_OAUTH_SCOPES: openid email profile offline_access roles
GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH: email
GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH: username
GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH: full_name
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://sso.mforcen.dev/realms/infra/protocol/openid-connect/auth
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://sso.mforcen.dev/realms/infra/protocol/openid-connect/token
GF_AUTH_GENERIC_OAUTH_API_URL: https://sso.mforcen.dev/realms/infra/protocol/openid-connect/userinfo
labels:
- traefik.enable=true
- traefik.tcp.routers.grafana.rule=HostSNI(`grafana.mforcen.dev`)
- traefik.tcp.routers.grafana.entrypoints=websecure
- traefik.tcp.routers.grafana.service=grafana
- traefik.tcp.routers.grafana.tls=true
- traefik.tcp.routers.grafana.tls.passthrough=true
- traefik.tcp.services.grafana.loadbalancer.server.port=443
volumes:
psql-data:
grafana-storage:
networks:
infra-network:
ipam:
driver: default
config:
- subnet: 172.28.0.0/24
ip_range: 172.28.0.0/24
gateway: 172.28.0.254
name: infra-network
Reference in a new issue View git blame Copy permalink