version: '3.8'

services:
  grafana:
    image: grafana/grafana:10.4.2
    volumes:
      - grafana-data:/var/lib/grafana:rw
    secrets:
      - grafana_admin_password
      - grafana_oidc_client_secret
      - grafana_smtp_password
    configs:
      - source: grafana_custom_ini
        target: /etc/grafana/grafana.ini
      - source: grafana_datasources_yml
        target: /etc/grafana/provisioning/datasources/datasources.yml
      - source: grafana_dashboards_yml
        target: /etc/grafana/provisioning/dashboards/dashboards.yml
      - source: grafana_swarm_dashboard_json
        target: /var/lib/grafana/dashboards/docker-swarm-nodes.json
      - source: grafana_stacks_dashboard_json
        target: /var/lib/grafana/dashboards/docker-swarm-stacks.json
      - source: grafana_traefik_dashboard_json
        target: /var/lib/grafana/dashboards/traefik.json
    networks:
      - proxy
      - internal
    environment:
      - GF_SERVER_ROOT_URL
      - GF_SECURITY_ADMIN_PASSWORD__FILE=/run/secrets/grafana_admin_password
      - GF_SMTP_HOST
      - GF_SMTP_USER
      - GF_SMTP_PASSWORD__FILE=/run/secrets/grafana_smtp_password
      - GF_SMTP_ENABLED
      - GF_SMTP_FROM_ADDRESS
      - GF_SMTP_SKIP_VERIFY
      - GF_SECURITY_ALLOW_EMBEDDING
      - GF_INSTALL_PLUGINS
      - OIDC_API_URL
      - OIDC_AUTH_URL
      - OIDC_CLIENT_ID
      - OIDC_ENABLED
      - OIDC_TOKEN_URL
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}-grafana.loadbalancer.server.port=3000"
        - "traefik.http.routers.${STACK_NAME}-grafana.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}-grafana.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}-grafana.tls=true"
        - "traefik.http.routers.${STACK_NAME}-grafana.tls.certresolver=${LETS_ENCRYPT_ENV}"
    healthcheck:
      test: "wget -q http://localhost:3000/ -O/dev/null"
      interval: 5s
      timeout: 10s
      retries: 3
      start_period: 10s

configs:
  grafana_custom_ini:
    template_driver: golang
    name: ${STACK_NAME}_grafana_custom_ini_${GRAFANA_CUSTOM_INI_VERSION}
    file: grafana_custom.ini
  grafana_datasources_yml:
    name: ${STACK_NAME}_grafana_datasources_yml_${GRAFANA_DATASOURCES_YML_VERSION}
    file: grafana-datasources.yml
  grafana_dashboards_yml:
    name: ${STACK_NAME}_grafana_dashboards_yml_${GRAFANA_DASHBOARDS_YML_VERSION}
    file: grafana-dashboards.yml
  grafana_swarm_dashboard_json:
    name: ${STACK_NAME}_grafana_swarm_dashboard_json_${GRAFANA_SWARM_DASHBOARD_JSON_VERSION}
    file: grafana-swarm-dashboard.json
  grafana_stacks_dashboard_json:
    name: ${STACK_NAME}_grafana_stacks_dashboard_json_${GRAFANA_STACKS_DASHBOARD_JSON_VERSION}
    file: grafana-stacks-dashboard.json
  grafana_traefik_dashboard_json:
    name: ${STACK_NAME}_grafana_traefik_dashboard_json_${GRAFANA_TRAEFIK_DASHBOARD_JSON_VERSION}
    file: grafana-traefik-dashboard.json

volumes:
  grafana-data:


secrets:
  grafana_admin_password:
    external: true
    name: ${STACK_NAME}_grafana_admin_password_${SECRET_GRAFANA_ADMIN_PASSWORD_VERSION}
  grafana_oidc_client_secret:
    external: true
    name: ${STACK_NAME}_grafana_oidc_client_secret_${SECRET_GRAFANA_OIDC_CLIENT_SECRET_VERSION}
  grafana_smtp_password:
    external: true
    name: ${STACK_NAME}_grafana_smtp_password_${SECRET_GRAFANA_SMTP_PASSWORD_VERSION}