grafana: Update, use Quadlet, use LDAP for auth
This commit is contained in:
parent
08b39ff5e2
commit
6304685aa6
|
@ -73,3 +73,6 @@ GOTOSOCIAL_SMTP_FROM=noreply@social.localhost
|
|||
|
||||
# Configuration for Slidge.
|
||||
SLIDGE_SECRET_KEY=password
|
||||
|
||||
# Configuration for Grafana.
|
||||
GRAFANA_DOMAIN=metrics.localhost
|
||||
|
|
|
@ -1,2 +1,16 @@
|
|||
FROM docker.io/grafana/grafana:8.5.0
|
||||
FROM docker.io/debian:bookworm-slim
|
||||
ARG VERSION=10.2.1
|
||||
|
||||
RUN apt-get update -y && apt-get upgrade -y && \
|
||||
apt-get install -y --no-install-recommends curl ca-certificates
|
||||
|
||||
RUN addgroup --system --gid 10000 grafana
|
||||
RUN adduser --system --uid 10000 --ingroup grafana --home /var/lib/grafana grafana
|
||||
|
||||
RUN curl --silent --show-error -L https://dl.grafana.com/oss/release/grafana-${VERSION}.linux-amd64.tar.gz | \
|
||||
tar -C /opt --no-same-owner -xvzf - && mv /opt/grafana-v${VERSION} /opt/grafana
|
||||
|
||||
COPY container/config /etc/grafana
|
||||
USER grafana
|
||||
|
||||
ENTRYPOINT ["/opt/grafana/bin/grafana", "server", "--config", "/etc/grafana/grafana.ini", "--homepath", "/opt/grafana", "web"]
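Review bot: The Grafana tarball fetched on the `RUN curl ... | tar` line is extracted with no integrity check, so the only thing standing between the build and a swapped archive is TLS to dl.grafana.com; `ARG VERSION` pins the name but not the content. Pin the expected digest next to the version and verify it before extraction (`sha256sum` is in coreutils on bookworm-slim), failing the build on mismatch. Downloading to a file first also means a truncated transfer is caught by the checksum rather than silently producing a half-unpacked `/opt/grafana`. Root-owned `/opt/grafana` via `--no-same-owner` while running as `USER grafana` is good and unchanged below.
```dockerfile
ARG VERSION=10.2.1
# sha256 of grafana-${VERSION}.linux-amd64.tar.gz; bump together with VERSION
ARG SHA256

# … unchanged: apt-get install, addgroup/adduser …

RUN curl --silent --show-error -L -o /tmp/grafana.tar.gz \
        "https://dl.grafana.com/oss/release/grafana-${VERSION}.linux-amd64.tar.gz" && \
    echo "${SHA256}  /tmp/grafana.tar.gz" | sha256sum -c - && \
    tar -C /opt --no-same-owner -xzf /tmp/grafana.tar.gz && \
    mv /opt/grafana-v${VERSION} /opt/grafana && rm /tmp/grafana.tar.gz
```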
|
||||
|
|
|
@ -1,8 +1,16 @@
|
|||
[paths]
|
||||
# Folders used for persistent data files, logs, plugins, etc.
|
||||
data = /var/lib/grafana
|
||||
logs = /var/lib/grafana/logs
|
||||
plugins = /var/lib/grafana/plugins
|
||||
|
||||
# Folder used for static provisioning of dependencies.
|
||||
provisioning = /etc/grafana/provisioning
|
||||
|
||||
[server]
|
||||
# The domain name used to serve Grafana.
|
||||
domain = ${GRAFANA_DOMAIN}
|
||||
|
||||
# The HTTP port to use.
|
||||
http_port = 8080
|
||||
|
||||
|
@ -10,6 +18,31 @@ http_port = 8080
|
|||
# Only log to standard output.
|
||||
mode = console
|
||||
|
||||
[news]
|
||||
# Disable the news feed section.
|
||||
news_feed_enabled = false
|
||||
|
||||
[analytics]
|
||||
# Disable anonymous usage collection.
|
||||
reporting_enabled = false
|
||||
|
||||
# Disable automated update checks.
|
||||
check_for_updates = false
|
||||
check_for_plugin_updates = false
|
||||
|
||||
[security]
|
||||
# Don't create default users, instead relying on LDAP.
|
||||
disable_initial_admin_creation = true
|
||||
|
||||
# Assume that Grafana is served behind HTTPS.
|
||||
cookie_secure = false
|
||||
|
||||
[auth.basic]
|
||||
# Don't allow authentication via HTTP Basic auth.
|
||||
enabled = false
|
||||
|
||||
[auth.ldap]
|
||||
# Enable LDAP authentication.
|
||||
enabled = true
|
||||
config_file = /etc/grafana/ldap.toml
|
||||
allow_sign_up = true
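Review bot: `cookie_secure = false` contradicts the comment directly above it ("Assume that Grafana is served behind HTTPS"): if the reverse proxy terminates TLS, the setting should be `cookie_secure = true` so the session cookie carries the Secure attribute and is never sent over plain HTTP; the comment as written describes the opposite of what the value does. The `[security]` section also leaves `secret_key` at Grafana's well-known default, which is what Grafana uses to encrypt stored data source credentials; set it from the environment like the other secrets, e.g. `secret_key = ${GRAFANA_SECRET_KEY}`, before any data sources are created since it cannot be rotated afterwards without re-entering them. Disabling `[auth.basic]` and `disable_initial_admin_creation = true` together are the right pairing for LDAP-only login.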
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
[[servers]]
|
||||
host = "${GRAFANA_AUTH_LDAP_HOST}"
|
||||
port = ${GRAFANA_AUTH_LDAP_PORT}
|
||||
use_ssl = false
|
||||
start_tls = false
|
||||
ssl_skip_verify = false
|
||||
|
||||
bind_dn = "uid=${GRAFANA_AUTH_LDAP_BIND_UID},ou=people,dc=ldap,dc=local"
|
||||
bind_password = "${GRAFANA_AUTH_LDAP_BIND_PASSWORD}"
|
||||
|
||||
search_filter = "(|(uid=%s)(mail=%s))"
|
||||
search_base_dns = ["dc=ldap,dc=local"]
|
||||
|
||||
[servers.attributes]
|
||||
member_of = "memberOf"
|
||||
email = "mail"
|
||||
name = "givenName"
|
||||
surname = "sn"
|
||||
username = "uid"
|
||||
|
||||
[[servers.group_mappings]]
|
||||
group_dn = "cn=grafana_admin,ou=groups,dc=ldap,dc=local"
|
||||
org_role = "Admin"
|
||||
grafana_admin = true
|
||||
|
||||
[[servers.group_mappings]]
|
||||
group_dn = "cn=grafana_user,ou=groups,dc=ldap,dc=local"
|
||||
org_role = "Editor"
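Review bot: With `use_ssl = false` and `start_tls = false`, the bind credential in `bind_password` and every user's password at login cross the wire to lldap unencrypted (the .env pairs this with lldap's plain LDAP port). That may be an accepted trade-off on the podman `internal` network the quadlet attaches to, but it should be a stated decision rather than a default; if lldap's LDAPS listener is enabled, prefer `use_ssl = true` with that port and keep `ssl_skip_verify = false`. A comment above the `[[servers]]` block recording why plaintext is acceptable here (same-host container network, no published port) would make the intent reviewable. Also note, hedged: if Grafana denies users matching none of the `group_mappings`, anyone in lldap but outside `grafana_admin`/`grafana_user` cannot log in despite `allow_sign_up = true` — confirm that is intended.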
|
|
@ -0,0 +1,8 @@
|
|||
# Virtual host options.
|
||||
GRAFANA_DOMAIN=${GRAFANA_DOMAIN}
|
||||
|
||||
# Authentication options.
|
||||
GRAFANA_AUTH_LDAP_HOST=lldap
|
||||
GRAFANA_AUTH_LDAP_PORT=3890
|
||||
GRAFANA_AUTH_LDAP_BIND_UID=${LLDAP_ADMIN_USERNAME}
|
||||
GRAFANA_AUTH_LDAP_BIND_PASSWORD=${LLDAP_ADMIN_PASSWORD}
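Review bot: `GRAFANA_AUTH_LDAP_BIND_UID=${LLDAP_ADMIN_USERNAME}` and `GRAFANA_AUTH_LDAP_BIND_PASSWORD=${LLDAP_ADMIN_PASSWORD}` hand Grafana the directory administrator's credentials, while the bind in ldap.toml only needs to search users and read `memberOf`. A compromise of the Grafana container, or a leak of this env file (or `podman inspect` output, where environment values are visible), then yields full write access to every account in lldap. Create a dedicated read-only bind account for Grafana and reference its own secret here, e.g. `GRAFANA_AUTH_LDAP_BIND_UID=grafana` and `GRAFANA_AUTH_LDAP_BIND_PASSWORD=${GRAFANA_LDAP_BIND_PASSWORD}`; lldap has a read-only group intended for this, if I recall its docs correctly. The ldap.toml `bind_dn` already derives from the UID, so no other change is needed.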
|
|
@ -0,0 +1,20 @@
|
|||
[Unit]
|
||||
Description=Grafana Visualization and Analytics
|
||||
Wants=container-build@%N.service container-volume@%N.service prometheus.service lldap.service
|
||||
After=container-build@%N.service container-volume@%N.service prometheus.service lldap.service
|
||||
|
||||
[Container]
|
||||
AutoUpdate=local
|
||||
ContainerName=%N
|
||||
EnvironmentFile=%E/coreos-home-server/%N/%N.env
|
||||
HealthCmd=timeout 5s curl --fail --silent --show-error -o /dev/null localhost:8080/api/health
|
||||
Image=localhost/%N:latest
|
||||
Network=internal
|
||||
PodmanArgs=--sdnotify=healthy
|
||||
Volume=%N:/var/lib/%N:z
|
||||
|
||||
[Service]
|
||||
Restart=on-failure
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
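Review bot: The `[Container]` section runs Grafana with podman's default capability set and a writable root filesystem, although the image already drops to uid 10000 and the only path that must be writable is the `Volume=%N:/var/lib/%N:z` mount. Quadlet can express the hardening directly: `DropCapability=all`, `NoNewPrivileges=true`, `ReadOnly=true` (Quadlet mounts a tmpfs on `/tmp` with `ReadOnly=` by default; confirm Grafana writes nowhere else and that the host's podman supports these keys). `EnvironmentFile=%E/coreos-home-server/%N/%N.env` now carries the LDAP bind password, so that file should be root-only on the host — the Butane section in this commit does not set a mode, which is worth checking. The unit now also waits on `lldap.service`, which is correct since login fails without it.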
|
|
@ -6,7 +6,5 @@ storage:
|
|||
local: service/grafana/
|
||||
- path: /etc/systemd/system
|
||||
local: service/grafana/systemd/
|
||||
systemd:
|
||||
units:
|
||||
- name: grafana.service
|
||||
enabled: true
|
||||
- path: /etc/containers/systemd
|
||||
local: service/grafana/quadlet/
|
||||
|
|
|
@ -1,17 +0,0 @@
|
|||
[Unit]
|
||||
Description=Grafana Visualization and Analytics
|
||||
Wants=container-build@%N.service container-volume@%N.service prometheus.service
|
||||
After=container-build@%N.service container-volume@%N.service prometheus.service
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
NotifyAccess=all
|
||||
SyslogIdentifier=%N
|
||||
Restart=on-failure
|
||||
Environment=PODMAN_SYSTEMD_UNIT=%n
|
||||
ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon --volume %N:/var/lib/%N:z localhost/%N:latest
|
||||
ExecStop=/bin/podman stop --ignore --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --ignore --force %N
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|