From 9c1ad79d7e982f0c5302e04d7895d0c29b1dcfa4 Mon Sep 17 00:00:00 2001
From: feldjaeger <feldjaeger@users.noreply.github.com>
Date: Fri, 3 Apr 2026 20:02:19 +0200
Subject: [PATCH] feat: Grafana Authentik OIDC einrichten

---
 compose.yaml | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/compose.yaml b/compose.yaml
index e44e5e8..3d66cd4 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -54,9 +54,20 @@ services:
       - GF_SECURITY_ADMIN_USER=${GRAFANA_USER}
       - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PW}
       - GF_AUTH_ANONYMOUS_ENABLED=false
-      - GF_SERVER_DOMAIN=${FQDN_TM}
-      - GF_SERVER_ROOT_URL=%(protocol)s://grafana.sascha-lutz.de
-      - GF_SERVER_SERVE_FROM_SUB_PATH=true
+      - GF_SERVER_DOMAIN=grafana.sascha-lutz.de
+      - GF_SERVER_ROOT_URL=https://grafana.sascha-lutz.de
+      - GF_SERVER_SERVE_FROM_SUB_PATH=false
+      - GF_AUTH_GENERIC_OAUTH_ENABLED=true
+      - GF_AUTH_GENERIC_OAUTH_NAME=Authentik
+      - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=${GF_OAUTH_CLIENT_ID}
+      - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GF_OAUTH_CLIENT_SECRET}
+      - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email
+      - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://auth.sascha-lutz.de/application/o/authorize/
+      - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://auth.sascha-lutz.de/application/o/token/
+      - GF_AUTH_GENERIC_OAUTH_API_URL=https://auth.sascha-lutz.de/application/o/userinfo/
+      - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(groups[*], 'authentik Admins') && 'Admin' || 'Viewer'
+      - GF_AUTH_SIGNOUT_REDIRECT_URL=https://auth.sascha-lutz.de/application/o/grafana/end-session/
+      - GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN=false
     volumes:
       - /app-config/grafana_data:/var/lib/grafana
     ports:
@@ -137,6 +148,20 @@ services:
     networks:
       - monitoring_network
 
+  embyexporter_chris:
+    image: bagul/goemby_exporter:latest
+    container_name: embyexporter_chris
+    environment:
+      - TZ=Europe/Berlin
+      - CONFIG_FILE=/emby/guck.tv.yml
+    volumes:
+      - /app-config/embyexporter_data:/emby/
+    expose:
+      - 9210
+    restart: unless-stopped
+    networks:
+      - monitoring_network
+
   node_exporter:
     image: quay.io/prometheus/node-exporter:latest
     container_name: node_exporter