FIX SSO Login setting from Grafana

authelia/config/configuration.yml

@@ -117,3 +117,15 @@ identity_providers:
           - email
           - groups
         userinfo_signed_response_alg: 'none'
+      - id: grafana
+        description: Grafana via Authelia
+        secret: '$argon2id$v=19$m=65536,t=3,p=4$IoJjIPmtn81rI0te8lV5Yw$tptaXFfI1NOsPctEzyAYiRblzFNsWgbS9Gh160OkoqQ'
+        public: false
+        authorization_policy: one_factor
+        redirect_uris:
+          - https://grafana.quangkhai.ch/login/generic_oauth
+        scopes:
+          - openid
+          - profile
+          - email
+        userinfo_signed_response_alg: 'none'        

deploy.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Deploy Authelia configuration
+# Copies all files from authelia folder to /home/quangkhai/authelia
+
+set -e
+
+SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/authelia" && pwd)"
+DEST_DIR="/home/quangkhai/authelia"
+
+echo "Starting deployment..."
+echo "Source: $SOURCE_DIR"
+echo "Destination: $DEST_DIR"
+
+# Create destination directory if it doesn't exist
+if [ ! -d "$DEST_DIR" ]; then
+    echo "Creating destination directory: $DEST_DIR"
+    mkdir -p "$DEST_DIR"
+fi
+
+# Copy all files
+echo "Copying files..."
+cp -rv "$SOURCE_DIR"/* "$DEST_DIR/"
+
+echo "✓ Deployment completed successfully!"
+echo "Files copied to: $DEST_DIR"
+
+

prometheus/grafana/config.monitoring

@@ -0,0 +1,25 @@
+GF_SERVER_ROOT_URL=https://grafana.quangkhai.ch
+GF_AUTH_ANONYMOUS_ENABLED=false
+GF_AUTH_DISABLE_LOGIN_FORM=true
+
+GF_AUTH_GENERIC_OAUTH_ENABLED=true
+GF_AUTH_GENERIC_OAUTH_NAME=Authelia
+GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true
+GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
+GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=VeNuocNuocVe26!
+GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
+GF_AUTH_GENERIC_OAUTH_USE_ID_TOKEN=true
+
+GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://auth.quangkhai.ch/api/oidc/authorization
+GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://auth.quangkhai.ch/api/oidc/token
+GF_AUTH_GENERIC_OAUTH_API_URL=https://auth.quangkhai.ch/api/oidc/userinfo
+
+# 2. Map the ID (used for login)
+# Many OIDC providers use 'preferred_username' or 'sub'
+GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
+
+# 3. Map the Email
+GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email
+
+# 4. Map the Name (optional, but good for profile)
+GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name

traefik/crowdsec/acquis.yaml

@@ -1,4 +0,0 @@
-filenames:
-  - /var/log/traefik/access.log
-labels:
-  type: traefik

traefik/docker-compose.yaml

@@ -2,17 +2,11 @@ services:
   traefik:
     image: traefik:v3.6
     container_name: traefik
-    depends_on:
-      - crowdsec
     command:
       - "--api.dashboard=true"
       - "--api.insecure=false"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
-      - "--experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
-      - "--experimental.plugins.crowdsec-bouncer.version=v1.4.2"
-      - "--accesslog=true"
-      - "--accesslog.filepath=/var/log/traefik/access.log"
 
 #      - "--entrypoints.https.address=:443"
 
@@ -20,7 +14,6 @@ services:
       - "--entrypoints.web.address=:80"
       - "--entrypoints.websecure.address=:443"
       - "--entrypoints.mqtt-secure.address=:8883"
-      - "--entrypoints.websecure.http.middlewares=crowdsec@docker"
       # Global HTTP -> HTTPS Redirection
       - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
       - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
@@ -38,7 +31,6 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./letsencrypt:/letsencrypt
-      - ./logs:/var/log/traefik
     networks:
       - proxy_tier
     restart: unless-stopped
@@ -48,48 +40,21 @@ services:
       timeout: 10s
       retries: 3
       start_period: 5s
-    deploy:
+    resources:
-      resources:
+      limits:
-        limits:
+        cpus: '2'
-          cpus: '2'
+        memory: 512M
-          memory: 512M
+      reservations:
-        reservations:
+        cpus: '1'
-          cpus: '1'
+        memory: 256M
-          memory: 256M
     labels:
       # THE MIDDLEWARE DEFINITION
       - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
       - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
       - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
-      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.enabled=true"
-      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.logLevel=INFO"
-      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecMode=live"
-      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiHost=crowdsec:8080"
-      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiScheme=http"
-      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiKey=${CROWDSEC_BOUNCER_KEY:-change-me}"
-
-  crowdsec:
-    image: crowdsecurity/crowdsec:latest
-    container_name: crowdsec
-    environment:
-      - TZ=UTC
-      - COLLECTIONS=crowdsecurity/traefik
-      - BOUNCER_KEY_TRAEFIK=${CROWDSEC_BOUNCER_KEY:-change-me}
-    volumes:
-      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
-      - ./logs:/var/log/traefik:ro
-      - crowdsec-db:/var/lib/crowdsec/data
-      - crowdsec-config:/etc/crowdsec
-    networks:
-      - proxy_tier
-    restart: unless-stopped
 
 
 networks:
   proxy_tier:
     name: proxy_tier
     external: true
-
-volumes:
-  crowdsec-db:
-  crowdsec-config: