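{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.

# Compose template for the monitoring stack: Grafana, the Grafana image
# renderer and InfluxDB. Grafana and InfluxDB are published through Traefik
# labels; the renderer is reachable only on the internal "grafana" network.
#
# Jinja block tags are kept at column 0 so that, with trim_blocks (the Ansible
# template default), they leave no stray indentation in the rendered file.
version: "2"

services:
  grafana:
    image: "docker.io/grafana/grafana:{{ monitoring_grafana_image_version }}"
    mem_limit: 512mb
    memswap_limit: 768mb
    # Hardening: immutable root filesystem, no privilege escalation through
    # setuid binaries, and a size-capped scratch area. Persistent state lives
    # only in the /var/lib/grafana volume below.
    read_only: true
    security_opt:
      - no-new-privileges
    tmpfs:
      - "/tmp:size=64M"
    environment:
      - "GF_SERVER_ROOT_URL=https://{{ monitoring_grafana_domain }}"
      - "GF_RENDERING_SERVER_URL=http://renderer:8081/render"
      - "GF_RENDERING_CALLBACK_URL=http://grafana:3000/"
      # NOTE(review): plugins listed here are downloaded when the container
      # starts. Pin each entry to a version in the variable so a restart does
      # not silently pull newer plugin code.
      - "GF_INSTALL_PLUGINS={{ monitoring_grafana_plugins | join(',') }}"
{% if monitoring_grafana_oauth is defined and monitoring_grafana_oauth.enabled %}
      - "GF_AUTH_OAUTH_AUTO_LOGIN=true"
      - "GF_AUTH_SIGNOUT_REDIRECT_URL={{ monitoring_grafana_oauth.signout_url }}"
      - "GF_AUTH_GENERIC_OAUTH_ENABLED=true"
      # With sign-up allowed, every account the identity provider authenticates
      # gets a Grafana user (at least Viewer, see the role mapping below).
      - "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP={{ monitoring_grafana_oauth.allow_sign_up }}"
      - "GF_AUTH_GENERIC_OAUTH_NAME={{ monitoring_grafana_oauth.name }}"
      - "GF_AUTH_GENERIC_OAUTH_CLIENT_ID={{ monitoring_grafana_oauth.client_id }}"
      # NOTE(review): the client secret is written in clear text into the
      # rendered compose file and is visible in the container environment
      # (docker inspect). Deploy the rendered file with a restrictive mode, or
      # switch to the __FILE variant of this variable backed by a mounted
      # secret file. A "$" in the value is subject to Compose variable
      # interpolation and a double quote terminates the YAML scalar, so the
      # secret must contain neither unless it is escaped before rendering.
      - "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ monitoring_grafana_oauth.client_secret }}"
      - "GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile"
      - "GF_AUTH_GENERIC_OAUTH_AUTH_URL={{ monitoring_grafana_oauth.auth_url }}"
      - "GF_AUTH_GENERIC_OAUTH_TOKEN_URL={{ monitoring_grafana_oauth.token_url }}"
      - "GF_AUTH_GENERIC_OAUTH_API_URL={{ monitoring_grafana_oauth.api_url }}"
      # Role mapping from the "roles" claim: Admin, then Editor, and Viewer as
      # the fallback for any user that carries neither role.
      - "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'Admin') && 'Admin' || contains(roles[*], 'Editor') && 'Editor' || 'Viewer'"
{% endif %}
{% if monitoring_grafana_feature_toggles is defined and monitoring_grafana_feature_toggles is iterable and monitoring_grafana_feature_toggles | length > 0 %}
      # Space-separated list; join avoids the trailing space a loop would emit.
      - "GF_FEATURE_TOGGLES_ENABLE={{ monitoring_grafana_feature_toggles | join(' ') }}"
{% endif %}
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`{{ monitoring_grafana_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.grafana.entrypoints=websecure"
      - "traefik.http.routers.grafana.tls=true"
      - "traefik.http.routers.grafana.tls.certresolver={{ monitoring_traefik_certresolver }}"
      - "traefik.http.routers.grafana.middlewares=grafana,compress"
      # NOTE(review): sslredirect is a legacy headers option in later Traefik
      # releases; confirm it is still honoured by the deployed version and
      # that HTTP is redirected at the entrypoint if it is not.
      - "traefik.http.middlewares.grafana.headers.sslredirect=true"
      # HSTS for two years (63072000 seconds).
      - "traefik.http.middlewares.grafana.headers.stsSeconds=63072000"
      - "traefik.http.middlewares.grafana.headers.referrerPolicy=no-referrer"
      - "traefik.http.middlewares.grafana.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.grafana.headers.browserXssFilter=true"
{% if proxy_network is defined %}
      - "traefik.docker.network={{ proxy_network }}"
{% endif %}
    networks:
      grafana:
{% if proxy_network is defined %}
      {{ proxy_network }}:
{% endif %}
    volumes:
      - "{{ monitoring_grafana_location }}:/var/lib/grafana"

  renderer:
    # NOTE(review): "latest" is a floating tag, so the image that runs can
    # change on any pull without a change to this file. Pin it to a released
    # tag or digest like the other two services. Unlike grafana and influxdb,
    # this service also runs without read_only; confirm whether the renderer
    # can run with a read-only root filesystem plus a tmpfs.
    image: "docker.io/grafana/grafana-image-renderer:latest"
    mem_limit: 512mb
    memswap_limit: 768mb
    depends_on:
      - grafana
    restart: always
    security_opt:
      - no-new-privileges
    # Internal network only: no Traefik labels, so the renderer is not routed
    # from outside.
    networks:
      grafana:

  influxdb:
    image: "docker.io/library/influxdb:{{ monitoring_influxdb_image_version }}"
    mem_limit: 1536mb
    memswap_limit: 2048mb
    read_only: true
    security_opt:
      - no-new-privileges
    tmpfs:
      - "/tmp:size=64M"
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.influxdb.rule=Host(`{{ monitoring_influxdb_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.influxdb.entrypoints=websecure"
      - "traefik.http.routers.influxdb.tls=true"
      - "traefik.http.routers.influxdb.tls.certresolver={{ monitoring_traefik_certresolver }}"
      - "traefik.http.routers.influxdb.middlewares=influxdb,compress"
      - "traefik.http.middlewares.influxdb.headers.sslredirect=true"
      - "traefik.http.middlewares.influxdb.headers.stsSeconds=63072000"
      - "traefik.http.middlewares.influxdb.headers.referrerPolicy=no-referrer"
      - "traefik.http.middlewares.influxdb.headers.contentTypeNosniff=true"
{% if proxy_network is defined %}
      - "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_network is defined %}
    # Attached to the proxy network only (not to "grafana"). The key is emitted
    # only together with its entry: a bare "networks:" would render as null
    # when proxy_network is undefined.
    networks:
      {{ proxy_network }}:
{% endif %}
    volumes:
      - "{{ monitoring_influxdb_location }}:/var/lib/influxdb"
    environment:
      # The HTTP API is published through Traefik, so authentication on it is
      # the only gate in front of the data.
      - "INFLUXDB_HTTP_AUTH_ENABLED=true"
      # NOTE(review): pprof adds profiling endpoints to that same published
      # HTTP listener. They are auth-protected by the next setting; disable
      # pprof entirely if remote profiling is not needed.
      - "INFLUXDB_HTTP_PPROF_ENABLED=true"
      - "INFLUXDB_HTTP_PPROF_AUTH_ENABLED=true"
      - "INFLUXDB_REPORTING_DISABLED=true"

networks:
  grafana:
{% if proxy_network is defined %}
  # Created outside this project (external), presumably by the proxy
  # deployment; verify it exists before this stack is started.
  {{ proxy_network }}:
    external: true
{% endif %}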