GF_SERVER_ROOT_URL=https://grafana.quangkhai.ch
GF_AUTH_ANONYMOUS_ENABLED=false
GF_AUTH_DISABLE_LOGIN_FORM=true

GF_AUTH_GENERIC_OAUTH_ENABLED=true
GF_AUTH_GENERIC_OAUTH_NAME=Authelia
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true
GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=VeNuocNuocVe26!
GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
GF_AUTH_GENERIC_OAUTH_USE_ID_TOKEN=true

GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://auth.quangkhai.ch/api/oidc/authorization
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://auth.quangkhai.ch/api/oidc/token
GF_AUTH_GENERIC_OAUTH_API_URL=https://auth.quangkhai.ch/api/oidc/userinfo

# 2. Map the ID (used for login)
# Many OIDC providers use 'preferred_username' or 'sub'
GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username

# 3. Map the Email
GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email

# 4. Map the Name (optional, but good for profile)
GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name

# Example mapping: 
# If 'groups' contains 'admin', make them 'Admin'. 
# If 'groups' contains 'editor', make them 'Editor'. 
# Otherwise, default to 'Viewer'.
#GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
# Sets the default role for ALL OAuth users
GF_AUTH_GENERIC_OAUTH_AUTO_ASSIGN_ORG_ROLE=Admin
GF_USERS_AUTO_ASSIGN_ORG_ROLE=Admin
# Tell Grafana NOT to try and sync roles from the OIDC claims
GF_AUTH_GENERIC_OAUTH_SKIP_ORG_ROLE_SYNC=true
GF_LOG_LEVEL=debug