Default role: admin

- give OAuth users default Editor role

.gitignore

@@ -0,0 +1,31 @@
+# Environment files with credentials
+.env
+.env.local
+.env.*.local
+
+# Database files
+*.sqlite3
+*.db
+
+# Logs
+*.log
+logs/
+
+# Dependencies
+node_modules/
+venv/
+env/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Letsencrypt
+letsencrypt/

authelia/config/configuration.yml

@@ -117,3 +117,15 @@ identity_providers:
           - email
           - groups
         userinfo_signed_response_alg: 'none'
+      - id: grafana
+        description: Grafana via Authelia
+        secret: '$argon2id$v=19$m=65536,t=3,p=4$IoJjIPmtn81rI0te8lV5Yw$tptaXFfI1NOsPctEzyAYiRblzFNsWgbS9Gh160OkoqQ'
+        public: false
+        authorization_policy: one_factor
+        redirect_uris:
+          - https://grafana.quangkhai.ch/login/generic_oauth
+        scopes:
+          - openid
+          - profile
+          - email
+        userinfo_signed_response_alg: 'none'        

authelia/docker-compose.yml

@@ -5,7 +5,7 @@ networks:
 
 services:
   authelia:
-    image: authelia/authelia:latest
+    image: authelia/authelia:4.37.5
     container_name: authelia
     volumes:
       - ./config:/config
@@ -14,6 +14,19 @@ services:
     environment:
       - TZ=UTC
     restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:9091/api/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    resources:
+      limits:
+        cpus: '0.5'
+        memory: 512M
+      reservations:
+        cpus: '0.25'
+        memory: 256M
     labels:
       - "traefik.enable=true"
       # The URL where you will actually log in
@@ -21,8 +34,6 @@ services:
       - "traefik.http.routers.authelia.entrypoints=websecure"
       - "traefik.http.routers.authelia.tls.certresolver=myresolver"
       - "traefik.http.services.authelia.loadbalancer.server.port=9091"
-
-# --- ADD THESE THREE LINES BELOW ---
       - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
       - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
       - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

deploy.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Deploy Authelia configuration
+# Copies all files from authelia folder to /home/quangkhai/authelia
+
+set -e
+
+SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/authelia" && pwd)"
+DEST_DIR="/home/quangkhai/authelia"
+
+echo "Starting deployment..."
+echo "Source: $SOURCE_DIR"
+echo "Destination: $DEST_DIR"
+
+# Create destination directory if it doesn't exist
+if [ ! -d "$DEST_DIR" ]; then
+    echo "Creating destination directory: $DEST_DIR"
+    mkdir -p "$DEST_DIR"
+fi
+
+# Copy all files
+echo "Copying files..."
+cp -rv "$SOURCE_DIR"/* "$DEST_DIR/"
+
+echo "✓ Deployment completed successfully!"
+echo "Files copied to: $DEST_DIR"
+
+

prometheus/docker-compose.yml

@@ -18,17 +18,26 @@ services:
     image: pdreker/fritz_exporter:2
     container_name: fritz-exporter
     restart: always
+    env_file:
+      - ./.env
     environment:
-      FRITZ_HOSTNAME: '192.168.178.1'
-      FRITZ_USERNAME: 'fritz9297'
-      FRITZ_PASSWORD: 'VeNuocNuocVe26!'
+      FRITZ_HOSTNAME: '${FRITZ_HOSTNAME}'
+      FRITZ_USERNAME: '${FRITZ_USERNAME}'
+      FRITZ_PASSWORD: '${FRITZ_PASSWORD}'
     ports:
       - "9787:9787"
     networks:
       - back-tier
+    resources:
+      limits:
+        cpus: '0.2'
+        memory: 128M
+      reservations:
+        cpus: '0.1'
+        memory: 64M
 
   prometheus:
-    image: prom/prometheus:latest
+    image: prom/prometheus:v2.54.0
     volumes:
       - ./prometheus/:/etc/prometheus/
       - prometheus_data:/prometheus
@@ -44,13 +53,26 @@ services:
     networks:
       - back-tier
     restart: always
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:9090/-/healthy"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    resources:
+      limits:
+        cpus: '1'
+        memory: 1G
+      reservations:
+        cpus: '0.5'
+        memory: 512M
 #    deploy:
 #      placement:
 #        constraints:
 #          - node.hostname == ${HOSTNAME}
 
   grafana:
-    image: grafana/grafana
+    image: grafana/grafana:11.0.0
     user: "472"
     depends_on:
       - prometheus
@@ -68,6 +90,19 @@ services:
       - front-tier
       - proxy_tier
     restart: always
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:3000/api/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    resources:
+      limits:
+        cpus: '1'
+        memory: 512M
+      reservations:
+        cpus: '0.5'
+        memory: 256M
     labels:
       - "traefik.enable=true"
       # HTTP to HTTPS Redirect

prometheus/grafana/config.monitoring

@@ -0,0 +1,37 @@
+GF_SERVER_ROOT_URL=https://grafana.quangkhai.ch
+GF_AUTH_ANONYMOUS_ENABLED=false
+GF_AUTH_DISABLE_LOGIN_FORM=true
+
+GF_AUTH_GENERIC_OAUTH_ENABLED=true
+GF_AUTH_GENERIC_OAUTH_NAME=Authelia
+GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true
+GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
+GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=VeNuocNuocVe26!
+GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
+GF_AUTH_GENERIC_OAUTH_USE_ID_TOKEN=true
+
+GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://auth.quangkhai.ch/api/oidc/authorization
+GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://auth.quangkhai.ch/api/oidc/token
+GF_AUTH_GENERIC_OAUTH_API_URL=https://auth.quangkhai.ch/api/oidc/userinfo
+
+# 2. Map the ID (used for login)
+# Many OIDC providers use 'preferred_username' or 'sub'
+GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
+
+# 3. Map the Email
+GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email
+
+# 4. Map the Name (optional, but good for profile)
+GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name
+
+# Example mapping: 
+# If 'groups' contains 'admin', make them 'Admin'. 
+# If 'groups' contains 'editor', make them 'Editor'. 
+# Otherwise, default to 'Viewer'.
+#GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
+# Sets the default role for ALL OAuth users
+GF_AUTH_GENERIC_OAUTH_AUTO_ASSIGN_ORG_ROLE=Admin
+GF_USERS_AUTO_ASSIGN_ORG_ROLE=Admin
+# Tell Grafana NOT to try and sync roles from the OIDC claims
+GF_AUTH_GENERIC_OAUTH_SKIP_ORG_ROLE_SYNC=true
+GF_LOG_LEVEL=debug

traefik/docker-compose.yaml

@@ -3,8 +3,8 @@ services:
     image: traefik:v3.6
     container_name: traefik
     command:
-      #- "--api.dashboard=true"
-      - "--api.insecure=true"
+      - "--api.dashboard=true"
+      - "--api.insecure=false"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
 
@@ -33,6 +33,20 @@ services:
       - ./letsencrypt:/letsencrypt
     networks:
       - proxy_tier
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "traefik", "healthcheck", "--ping"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 5s
+    resources:
+      limits:
+        cpus: '2'
+        memory: 512M
+      reservations:
+        cpus: '1'
+        memory: 256M
     labels:
       # THE MIDDLEWARE DEFINITION
       - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"