Moves oidc and smtp to a seperate compose config

fix: Removes duplicate basic auth from prometheus and a few other improvements
2025-11-05 15:28:49 +01:00 · 2025-02-21 18:31:54 +01:00
10 changed files with 51 additions and 22 deletions
--- a/.env.sample
+++ b/.env.sample
@ -50,6 +50,7 @@ ENABLE_BACKUPS=true
 #GRAFANA_DOMAIN=grafana.example.com
 #
 ## Single-Sign-On with OIDC
+# COMPOSE_FILE="$COMPOSE_FILE:compose.grafana-oidc.yml"
 # OIDC_ENABLED=1
 # SECRET_GRAFANA_OIDC_CLIENT_SECRET_VERSION=v1
 # OIDC_CLIENT_ID=grafana
@ -62,6 +63,7 @@ ENABLE_BACKUPS=true
 # GF_INSTALL_PLUGINS=grafana-piechart-panel
 #
 ## grafana SMTP configuration (optional)
+# COMPOSE_FILE="$COMPOSE_FILE:compose.grafana-smtp.yml"
 # GF_SMTP_HOST=changeme
 # GF_SMTP_USER=changme
 # GF_SMTP_ENABLED=true
--- a/README.md
+++ b/README.md
@ -36,7 +36,7 @@ Where gathering.org is the node you want to gather metrics from.
  SECRET_USERSFILE_VERSION=v1
  ```
  - Generate userslist with httpasswd hashed password
-    `abra app secret insert traefik.gathering.org userslist v1 'admin:<hashed-secret>'`
+    `abra app secret insert traefik.gathering.org usersfile v1 'admin:<hashed-secret>'`
    make sure there is no whitespace in between `admin:<hashed-secret>`, it seems to break stuff...
  - `abra app deploy -f traefik`
 1. `abra app new monitoring-ng`
--- a/compose.grafana-oidc.yml
+++ b/compose.grafana-oidc.yml
@ -0,0 +1,16 @@
+version: '3.8'
+
+services:
+  grafana:
+      - grafana_oidc_client_secret
+    environment:
+      - OIDC_API_URL
+      - OIDC_AUTH_URL
+      - OIDC_CLIENT_ID
+      - OIDC_ENABLED
+      - OIDC_TOKEN_URL
+
+secrets:
+  grafana_oidc_client_secret:
+    external: true
+    name: ${STACK_NAME}_grafana_oidc_client_secret_${SECRET_GRAFANA_OIDC_CLIENT_SECRET_VERSION}
--- a/compose.grafana-smtp.yml
+++ b/compose.grafana-smtp.yml
@ -0,0 +1,18 @@
+version: '3.8'
+
+services:
+  grafana:
+    secrets:
+      - grafana_smtp_password
+    environment:
+      - GF_SMTP_HOST
+      - GF_SMTP_USER
+      - GF_SMTP_PASSWORD__FILE=/run/secrets/grafana_smtp_password
+      - GF_SMTP_ENABLED
+      - GF_SMTP_FROM_ADDRESS
+      - GF_SMTP_SKIP_VERIFY
+
+secrets:
+  grafana_smtp_password:
+    external: true
+    name: ${STACK_NAME}_grafana_smtp_password_${SECRET_GRAFANA_SMTP_PASSWORD_VERSION}
--- a/compose.grafana.yml
+++ b/compose.grafana.yml
@ -7,8 +7,6 @@ services:
      - grafana-data:/var/lib/grafana:rw
    secrets:
      - grafana_admin_password
-      - grafana_oidc_client_secret
-      - grafana_smtp_password
    configs:
      - source: grafana_custom_ini
        target: /etc/grafana/grafana.ini
@ -32,22 +30,12 @@ services:
    environment:
      - GF_SERVER_ROOT_URL
      - GF_SECURITY_ADMIN_PASSWORD__FILE=/run/secrets/grafana_admin_password
-      - GF_SMTP_HOST
-      - GF_SMTP_USER
-      - GF_SMTP_PASSWORD__FILE=/run/secrets/grafana_smtp_password
-      - GF_SMTP_ENABLED
-      - GF_SMTP_FROM_ADDRESS
-      - GF_SMTP_SKIP_VERIFY
      - GF_SECURITY_ALLOW_EMBEDDING
      - GF_INSTALL_PLUGINS
-      - OIDC_API_URL
-      - OIDC_AUTH_URL
-      - OIDC_CLIENT_ID
-      - OIDC_ENABLED
-      - OIDC_TOKEN_URL
    deploy:
      labels:
        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}-grafana.loadbalancer.server.port=3000"
        - "traefik.http.routers.${STACK_NAME}-grafana.rule=Host(`${GRAFANA_DOMAIN:-$DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}-grafana.entrypoints=web-secure"
@ -96,9 +84,3 @@ secrets:
  grafana_admin_password:
    external: true
    name: ${STACK_NAME}_grafana_admin_password_${SECRET_GRAFANA_ADMIN_PASSWORD_VERSION}
-  grafana_oidc_client_secret:
-    external: true
-    name: ${STACK_NAME}_grafana_oidc_client_secret_${SECRET_GRAFANA_OIDC_CLIENT_SECRET_VERSION}
-  grafana_smtp_password:
-    external: true
-    name: ${STACK_NAME}_grafana_smtp_password_${SECRET_GRAFANA_SMTP_PASSWORD_VERSION}
--- a/compose.loki.yml
+++ b/compose.loki.yml
@ -27,6 +27,7 @@ services:
        condition: on-failure
      labels:
        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}-loki.loadbalancer.server.port=3100"
        - "traefik.http.routers.${STACK_NAME}-loki.rule=Host(`loki.${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}-loki.entrypoints=web-secure"
@ -48,4 +49,4 @@ volumes:
 # secrets:
 #   loki_aws_secret_access_key:
 #     external: true
-#     name: ${STACK_NAME}_loki_aws_secret_access_key_${SECRET_LOKI_AWS_SECRET_ACCESS_KEY_VERSION}
+#     name: ${STACK_NAME}_loki_aws_secret_access_key_${SECRET_LOKI_AWS_SECRET_ACCESS_KEY_VERSION}
--- a/compose.prometheus.yml
+++ b/compose.prometheus.yml
@ -24,12 +24,12 @@ services:
        condition: on-failure
      labels:
        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}-prometheus.loadbalancer.server.port=9090"
        - "traefik.http.routers.${STACK_NAME}-prometheus.rule=Host(`prometheus.${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}-prometheus.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}-prometheus.tls=true"
        - "traefik.http.routers.${STACK_NAME}-prometheus.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}-prometheus.middlewares=basicauth@file"

 configs:
  prometheus_yml:
--- a/compose.pushgateway.yml
+++ b/compose.pushgateway.yml
@ -17,6 +17,7 @@ services:
        condition: on-failure
      labels:
        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}-pushgateway.loadbalancer.server.port=9191"
        - "traefik.http.routers.${STACK_NAME}-pushgateway.rule=Host(`pushgateway.${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}-pushgateway.entrypoints=web-secure"
--- a/compose.yml
+++ b/compose.yml
@ -32,6 +32,7 @@ services:
      labels:
        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}-node.loadbalancer.server.port=9100"
        - "traefik.http.routers.${STACK_NAME}-node.rule=Host(`node.${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}-node.entrypoints=web-secure"
@ -63,6 +64,7 @@ services:
        condition: on-failure
      labels:
        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}-cadvisor.loadbalancer.server.port=8080"
        - "traefik.http.routers.${STACK_NAME}-cadvisor.rule=Host(`cadvisor.${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}-cadvisor.entrypoints=web-secure"
--- a/release/next
+++ b/release/next
@ -0,0 +1,7 @@
+1. OIDC was moved into a seperate compose file. If you have oidc configured you need to add the following line to you .env file:
+
+COMPOSE_FILE="$COMPOSE_FILE:compose.grafana-oidc.yml"
+
+2. SMTP was moved into a seperate compose file. If you have smtp configured you need to add the following line to you .env file:
+
+COMPOSE_FILE="$COMPOSE_FILE:compose.grafana-smtp.yml"
Author	SHA1	Message	Date
p4u1	5af3f8c643	Moves oidc and smtp to a seperate compose config	2025-11-05 15:28:49 +01:00
p4u1	7dbe5bf22e	fix: Removes duplicate basic auth from prometheus and a few other improvements	2025-02-21 18:31:54 +01:00