feat: Grafana Authentik OIDC einrichten

compose.yaml

@@ -54,9 +54,20 @@ services:
       - GF_SECURITY_ADMIN_USER=${GRAFANA_USER}
       - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PW}
       - GF_AUTH_ANONYMOUS_ENABLED=false
-      - GF_SERVER_DOMAIN=${FQDN_TM}
-      - GF_SERVER_ROOT_URL=%(protocol)s://grafana.sascha-lutz.de
-      - GF_SERVER_SERVE_FROM_SUB_PATH=true
+      - GF_SERVER_DOMAIN=grafana.sascha-lutz.de
+      - GF_SERVER_ROOT_URL=https://grafana.sascha-lutz.de
+      - GF_SERVER_SERVE_FROM_SUB_PATH=false
+      - GF_AUTH_GENERIC_OAUTH_ENABLED=true
+      - GF_AUTH_GENERIC_OAUTH_NAME=Authentik
+      - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=${GF_OAUTH_CLIENT_ID}
+      - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GF_OAUTH_CLIENT_SECRET}
+      - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email
+      - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://auth.sascha-lutz.de/application/o/authorize/
+      - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://auth.sascha-lutz.de/application/o/token/
+      - GF_AUTH_GENERIC_OAUTH_API_URL=https://auth.sascha-lutz.de/application/o/userinfo/
+      - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(groups[*], 'authentik Admins') && 'Admin' || 'Viewer'
+      - GF_AUTH_SIGNOUT_REDIRECT_URL=https://auth.sascha-lutz.de/application/o/grafana/end-session/
+      - GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN=false
     volumes:
       - /app-config/grafana_data:/var/lib/grafana
     ports:
@@ -137,6 +148,20 @@ services:
     networks:
       - monitoring_network
 
+  embyexporter_chris:
+    image: bagul/goemby_exporter:latest
+    container_name: embyexporter_chris
+    environment:
+      - TZ=Europe/Berlin
+      - CONFIG_FILE=/emby/guck.tv.yml
+    volumes:
+      - /app-config/embyexporter_data:/emby/
+    expose:
+      - 9210
+    restart: unless-stopped
+    networks:
+      - monitoring_network
+
   node_exporter:
     image: quay.io/prometheus/node-exporter:latest
     container_name: node_exporter