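{{ ansible_managed | comment }}

# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Compose template (rendered by Ansible) for the monitoring stack: Grafana,
# an optional Grafana image renderer, and InfluxDB. Grafana and InfluxDB are
# published through Traefik via container labels; no host ports are mapped.
# Jinja block tags are kept at column 0 so they leave no stray indentation in
# the rendered YAML.
version: "2"
services:
  grafana:
    image: docker.io/grafana/grafana:{{ monitoring_grafana_image_version }}
    mem_limit: 512mb
    memswap_limit: 768mb
    # Hardening: immutable root filesystem, no privilege gain through setuid
    # binaries, and a small tmpfs for scratch files. The data volume below is
    # the only persistent writable path.
    read_only: true
    security_opt:
      - no-new-privileges
    tmpfs:
      - "/tmp:size=64M"
    environment:
      - "GF_SERVER_ROOT_URL=https://{{ monitoring_grafana_domain }}"
      # The renderer URLs are set even when the renderer service further down
      # is disabled; both use plain HTTP on the internal "grafana" network.
      - "GF_RENDERING_SERVER_URL=http://renderer:8081/render"
      - "GF_RENDERING_CALLBACK_URL=http://grafana:3000/"
      # Plugins are downloaded when the container starts. Entries may carry a
      # version (`id version`); pinning them keeps restarts reproducible and
      # avoids silently pulling a newer plugin build.
      - "GF_INSTALL_PLUGINS={{ monitoring_grafana_plugins | join(',') }}"
      - "GF_UNIFIED_ALERTING_ENABLED=true"

{% if monitoring_grafana_oauth is defined and monitoring_grafana_oauth.enabled %}
      # With OAuth enabled the local login form is hidden and users are sent
      # straight to the identity provider, which becomes the only login path.
      - "GF_AUTH_DISABLE_LOGIN_FORM=true"
      - "GF_AUTH_SIGNOUT_REDIRECT_URL={{ monitoring_grafana_oauth.signout_url }}"
      - "GF_AUTH_GENERIC_OAUTH_ENABLED=true"
      # When sign-up is allowed, every identity the provider authenticates
      # gets a Grafana account; restrict who may log in on the provider side.
      - "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP={{ monitoring_grafana_oauth.allow_sign_up }}"
      - "GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN=true"
      - "GF_AUTH_GENERIC_OAUTH_USE_PKCE=true"
      - "GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES=false"
      # NOTE(review): with org role sync skipped, the ROLE_ATTRIBUTE_PATH
      # mapping at the end of this block is presumably not applied to users'
      # organisation roles, so removing a role at the provider would not
      # demote the user in Grafana. Confirm against the deployed version.
      - "GF_AUTH_GENERIC_OAUTH_SKIP_ORG_ROLE_SYNC=true"
      - "GF_AUTH_GENERIC_OAUTH_NAME={{ monitoring_grafana_oauth.name }}"
      - "GF_AUTH_GENERIC_OAUTH_CLIENT_ID={{ monitoring_grafana_oauth.client_id }}"
      # The client secret is written in clear text into the rendered compose
      # file and is readable through the container environment (for example
      # `docker inspect`). Keep the rendered file's mode restrictive; Grafana
      # also accepts a `__FILE` suffix on GF_ variables to read the value
      # from a mounted file instead.
      - "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ monitoring_grafana_oauth.client_secret }}"
      - "GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile roles offline_access"
      - "GF_AUTH_GENERIC_OAUTH_AUTH_URL={{ monitoring_grafana_oauth.auth_url }}"
      - "GF_AUTH_GENERIC_OAUTH_TOKEN_URL={{ monitoring_grafana_oauth.token_url }}"
      - "GF_AUTH_GENERIC_OAUTH_API_URL={{ monitoring_grafana_oauth.api_url }}"
      # Role mapping: Admin, then Editor, otherwise Viewer. Where the mapping
      # is applied, the final fallback gives Viewer to any authenticated user
      # who carries none of the listed roles.
      - "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'Admin') && 'Admin' || contains(roles[*], 'Editor') && 'Editor' || 'Viewer'"
{% endif %}

{% if monitoring_grafana_feature_toggles is defined and monitoring_grafana_feature_toggles is iterable and monitoring_grafana_feature_toggles | length > 0 %}
      # Space-separated toggle list; the join filter avoids the trailing
      # space that a manual for-loop leaves at the end of the value.
      - "GF_FEATURE_TOGGLES_ENABLE={{ monitoring_grafana_feature_toggles | join(' ') }}"
{% endif %}

    restart: always
    labels:
      # Traefik routing: HTTPS entrypoint only, certificate from the
      # configured resolver. PathPrefix(`/`) matches every path on the host.
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`{{ monitoring_grafana_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.grafana.entrypoints=websecure"
      - "traefik.http.routers.grafana.tls=true"
      - "traefik.http.routers.grafana.tls.certresolver={{ monitoring_traefik_certresolver }}"
      # "grafana" is the headers middleware defined by the labels below;
      # "compress" is not defined in this file and presumably comes from the
      # Traefik configuration elsewhere.
      - "traefik.http.routers.grafana.middlewares=grafana,compress"
      - "traefik.http.middlewares.grafana.headers.sslredirect=true"
      # HSTS max-age of 63072000 seconds (730 days).
      - "traefik.http.middlewares.grafana.headers.stsSeconds=63072000"
      - "traefik.http.middlewares.grafana.headers.referrerPolicy=no-referrer"
      - "traefik.http.middlewares.grafana.headers.contentTypeNosniff=true"
      # Sets the legacy X-XSS-Protection header; modern browsers rely on a
      # Content-Security-Policy instead, which is not configured here.
      - "traefik.http.middlewares.grafana.headers.browserXssFilter=true"

{% if proxy_network is defined %}
      - "traefik.docker.network={{ proxy_network }}"
{% endif %}
    networks:
      # Internal network shared with the renderer; the proxy network is
      # added only when one is configured.
      grafana:
{% if proxy_network is defined %}
      {{ proxy_network }}:
{% endif %}
    volumes:
      - "{{ monitoring_grafana_location }}:/var/lib/grafana"

{% if monitoring_grafana_renderer_enabled %}
  renderer:
    # The tag used to be hard-coded to "latest". It is now taken from an
    # optional variable introduced by this template (it falls back to
    # "latest" when unset), so a fixed renderer version can be pinned in the
    # same way as the Grafana and InfluxDB images.
    image: docker.io/grafana/grafana-image-renderer:{{ monitoring_grafana_renderer_image_version | default('latest') }}
    mem_limit: 512mb
    memswap_limit: 768mb
    depends_on:
      - grafana
    restart: always
    # Unlike the other two services this one does not set read_only.
    security_opt:
      - no-new-privileges
    networks:
      # Internal network only: no Traefik labels and no proxy network.
      grafana:
{% endif %}

  influxdb:
    image: docker.io/library/influxdb:{{ monitoring_influxdb_image_version }}
    mem_limit: 1536mb
    memswap_limit: 2048mb
    # Same hardening as Grafana: read-only root, no-new-privileges, tmpfs.
    read_only: true
    security_opt:
      - no-new-privileges
    tmpfs:
      - "/tmp:size=64M"
    restart: always
    labels:
      # InfluxDB's HTTP API is published through Traefik on its own domain,
      # so the authentication settings in the environment section below are
      # what protects it from unauthenticated requests.
      - "traefik.enable=true"
      - "traefik.http.routers.influxdb.rule=Host(`{{ monitoring_influxdb_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.influxdb.entrypoints=websecure"
      - "traefik.http.routers.influxdb.tls=true"
      - "traefik.http.routers.influxdb.tls.certresolver={{ monitoring_traefik_certresolver }}"
      - "traefik.http.routers.influxdb.middlewares=influxdb,compress"
      - "traefik.http.middlewares.influxdb.headers.sslredirect=true"
      - "traefik.http.middlewares.influxdb.headers.stsSeconds=63072000"
      - "traefik.http.middlewares.influxdb.headers.referrerPolicy=no-referrer"
      - "traefik.http.middlewares.influxdb.headers.contentTypeNosniff=true"

{% if proxy_network is defined %}
      - "traefik.docker.network={{ proxy_network }}"
{% endif %}

    # NOTE(review): this service joins only the proxy network, not the
    # internal "grafana" network. When proxy_network is undefined the key
    # below renders with an empty value; confirm how the Compose version in
    # use treats that.
    networks:
{% if proxy_network is defined %}
      {{ proxy_network }}:
{% endif %}

    volumes:
      - "{{ monitoring_influxdb_location }}:/var/lib/influxdb"
    environment:
      - INFLUXDB_HTTP_AUTH_ENABLED=true
      # The pprof profiling endpoints are enabled on the HTTP service that
      # Traefik publishes; authentication is required for them here.
      # Consider turning pprof off if profiling is not in use.
      - INFLUXDB_HTTP_PPROF_ENABLED=true
      - INFLUXDB_HTTP_PPROF_AUTH_ENABLED=true

      - INFLUXDB_REPORTING_DISABLED=true
networks:
  # "grafana" is created by this project; the proxy network is declared
  # external, so it has to exist before the stack is started.
  grafana:
{% if proxy_network is defined %}
  {{ proxy_network }}:
    external: true
{% endif %}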