diff --git a/modules/swarm/grafana/cfg/grafana.ini b/modules/swarm/grafana/cfg/grafana.ini
index 5146bde..9d54902 100644
--- a/modules/swarm/grafana/cfg/grafana.ini
+++ b/modules/swarm/grafana/cfg/grafana.ini
@@ -38,7 +38,7 @@ http_addr = 0.0.0.0
 http_port = 3000
 
 # The public facing domain name used to access grafana from a browser
-domain = "grafana.montage2.de"
+domain = "grafana.chaoswest.tv"
 
 # Redirect to correct domain if host header does not match domain
 # Prevents DNS rebinding attacks
@@ -47,7 +47,7 @@ domain = "grafana.montage2.de"
 # The full public facing url you use in browser, used for redirects and emails
 # If you use reverse proxy and sub path specify full url (with sub path)
 ;root_url = %(protocol)s://%(domain)s:%(http_port)s/
-root_url = "https://grafana.montage2.de/"
+root_url = "https://grafana.chaoswest.tv/"
 
 # Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
 ;serve_from_sub_path = false
@@ -307,7 +307,7 @@ verify_email_enabled = false
 enabled = true
 
 # specify organization name that should be used for unauthenticated users
-org_name = Montage2
+org_name = CWTV
 
 # specify role for unauthenticated users
 org_role = Viewer
@@ -328,14 +328,14 @@ org_role = Viewer
 
 #################################### GitLab Auth #########################
 [auth.gitlab]
-enabled = true
-allow_sign_up = true
+;enabled = true
+;allow_sign_up = true
 ;client_id = some_id
 ;client_secret = some_secret
-scopes = read_user
-auth_url = https://gitlab.montage2.de/oauth/authorize
-token_url = https://gitlab.montage2.de/oauth/token
-api_url = https://gitlab.montage2.de/api/v4
+;scopes = read_user
+;auth_url = https://gitlab.montage2.de/oauth/authorize
+;token_url = https://gitlab.montage2.de/oauth/token
+;api_url = https://gitlab.montage2.de/api/v4
 ;allowed_domains =
 ;allowed_groups =
 
diff --git a/modules/swarm/grafana/main.tf b/modules/swarm/grafana/main.tf
index 80470d8..a516bc5 100644
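Review bot: The new `root_url` in the second grafana.ini hunk changes the OAuth callback Grafana advertises, and nothing in this commit shows the identity-provider side being updated. If generic OAuth is in use, as the remaining `gf_auth_generic_oauth_*` secrets suggest, the client must list `https://grafana.chaoswest.tv/login/generic_oauth` as a redirect URI. The grafana.montage2.de entry should be removed there after the cut-over, so no callback stays registered for a host that is no longer routed. A comment above the setting would record the dependency: `# OAuth redirect URIs registered at the IdP must match this URL`.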
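Review bot: `org_name = CWTV` in the third grafana.ini hunk only selects an organization; it does not create or rename one, so anonymous requests will fail if the organization in Grafana's database is still called Montage2. The section (apparently `[auth.anonymous]`, its header is outside the hunk) keeps `enabled = true` with `org_role = Viewer`, so that organization is readable without login on the new public hostname. A comment stating that this is intended, for example `# anonymous Viewer access is deliberate; keep non-public dashboards out of this org`, would make the exposure explicit.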
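Review bot: The `[auth.gitlab]` hunk disables the provider by commenting out six keys, which leaves the gitlab.montage2.de endpoints in the file as unexplained dead configuration. Either delete those lines or add one line saying why they are kept, e.g. `# GitLab login disabled with the move to chaoswest.tv`. Accounts that signed up through GitLab while `allow_sign_up = true` was active are not removed by this change, so the user list and org roles are worth reviewing after deploy.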
--- a/modules/swarm/grafana/main.tf
+++ b/modules/swarm/grafana/main.tf
@@ -8,15 +8,12 @@ data "docker_network" "traefik" {
 
 locals {
 labels = {
- "shepherd.auto-update" = "true",
- "traefik.enable" = "true"
- "traefik.http.services.grafana.loadbalancer.server.port" = "3000",
- "traefik.http.routers.grafana.rule" = "Host(`grafana.montage2.de`)||Host(`grafana.chaoswest.tv`)",
- "traefik.http.routers.grafana.tls" = "true",
- "traefik.http.routers.grafana.tls.certresolver" = "default",
- "traefik.http.routers.grafana.middlewares" = "grafana-redirect",
- "traefik.http.middlewares.grafana-redirect.redirectregex.regex" = "^https://grafana.chaoswest.tv/(.*)",
- "traefik.http.middlewares.grafana-redirect.redirectregex.replacement" = "https://grafana.montage2.de/$$${1}", # double escaping is necessary here
+ "shepherd.auto-update" = "true",
+ "traefik.enable" = "true"
+ "traefik.http.services.grafana.loadbalancer.server.port" = "3000",
+ "traefik.http.routers.grafana.rule" = "Host(`grafana.chaoswest.tv`)",
+ "traefik.http.routers.grafana.tls" = "true",
+ "traefik.http.routers.grafana.tls.certresolver" = "default",
 }
 }
 
@@ -72,3 +69,15 @@ resource "docker_service" "grafana" {
 }
 }
 }
+
+
+data "hetznerdns_zone" "primary" {
+ name = "chaoswest.tv"
+}
+
+resource "hetznerdns_record" "primary" {
+ zone_id = data.hetznerdns_zone.primary.id
+ name = "grafana"
+ value = "ax41-1.fsn.mon2.de."
+ type = "CNAME"
+}
diff --git a/stacks/ax41-1/secrets.enc.yaml b/stacks/ax41-1/secrets.enc.yaml
index c8b8bc5..6ce81e2 100644
--- a/stacks/ax41-1/secrets.enc.yaml
+++ b/stacks/ax41-1/secrets.enc.yaml
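Review bot: The router rule in the `labels` hunk now matches only `grafana.chaoswest.tv`, and the redirect middleware is deleted rather than reversed, so the old hostname is no longer served by this router and nothing points visitors to the new one. If existing links should keep working during the migration, keep the old host in the rule with a `redirectregex` towards the new domain. Otherwise the DNS record for grafana.montage2.de, which is not managed in this module, should be removed so it does not keep pointing at the host. As a style point, `"traefik.enable" = "true"` is the only entry in the map without a trailing comma.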
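Review bot: The zone `chaoswest.tv`, the record name `grafana` and the target `ax41-1.fsn.mon2.de.` are literals in the appended DNS blocks, while the same hostname is repeated in the Traefik rule and twice in grafana.ini. Module variables would keep these places in step. The record makes the service name depend on a host name in a different domain, so a comment such as `# CNAME to the swarm node; delete this record before ax41-1 is retired` would guard against a dangling alias. Both blocks are named `primary`, which says nothing about Grafana, and no `ttl` is set, so the zone default applies.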
@@ -2,8 +2,7 @@ hetzner_dns_api_token: ENC[AES256_GCM,data:6m0svnZBgwLeMu12tSz1oUHHaA69dU/dHi7oW
 swarm:
 grafana:
 gf_security_secret_key: ENC[AES256_GCM,data:o6iR/KCnM1Ru56i0ANylmZFqiERuNfwx8sHeM4wE/k7aHI8l0Lg2oifrTx38m5puCBw79U4qqFQqe9QJjZMROhRblBK/RWi+3vSv+rwYv2W8wcvMeqcjJgZV0erOMyFkuZpapbfTnbDvidWg4kKbS0k2OmdRHVYc89IETU7hdow=,iv:B5EC8gwEK0g8T2I/EgoLFGCzR0Uhtaot01xeoWU0mp0=,tag:vlYNnn+fI5m6Dw+IpTPfuw==,type:str]
- gf_auth_gitlab_client_id: ENC[AES256_GCM,data:xZfnyduTnDVpenAMqqcETqQiaphfVdKXJ7lsloynL1ka1V6FTz5i85MK8mgrRPY4zLiPCgmp8gzFiV2PDxDLOQ==,iv:egOxWveuFg9hyQAhO9V5ILwNSjmm4QLSYZQhknZPjvU=,tag:GRLP3QERCZ0hhJ9GpSmWxg==,type:str]
- gf_auth_gitlab_client_secret: ENC[AES256_GCM,data:SgNbtzg8o0U2NJi2CN3Dmlox7F3v7boURNBZytxuOgnFi6N30xSUW0gHT1UivSEz9V+lo1km4tMI2+HqrukzPQ==,iv:Qbo/T5Er+8oY6rYfbPNHRKFuWLpAnRMAlQQ0Fp/FEKg=,tag:sUNsXhywIkt3Vcq+rIABoA==,type:str]
+ gf_security_admin_password: ENC[AES256_GCM,data:BJbUVen8wlU2QxJ99dD0ZrmHMKoC3En4qKkv6JFzqXxZm10elP1EtY6dscnVAaGWOPOv3O+OZ1+bJ24jVvXjVg==,iv:6g+KWKFv14ZAifRqWG01GfCyGhLa0f3hk896rsFR6to=,tag:WVDDaeloZycEERhzuSYwag==,type:str]
 gf_auth_generic_oauth_client_id: ENC[AES256_GCM,data:XLp880bI5ANkbk1t49839gs8EwI1LlfZwJgtlVPd21jmhXkpRSuKLw==,iv:u+wkKImGyNo0t7nXg7MdbRBBDEC08tWfE1sMo5fbIcY=,tag:CXl/6P9U6kANNFrmDlLvnA==,type:str]
 gf_auth_generic_oauth_client_secret: ENC[AES256_GCM,data:AHWpqQbHVyL6rliQeOsf+hVEwDI0mFOuOtllz3Aqfm/FWQTai4sgdQ9F+AkuiqCsKtdvOyCYdsBNv6BolR1Ef8vNBECKpkt1N97hPvlEuStBzbt0Hcu9uHxo0h1+L10SaM7VzUfVcYJ2gNY/HdU01C7av1NUHsYBMlIb8vE+Eww=,iv:ax6nnqrvYrxa5m08Hby6hCkawJZoJYBVA4JiPur10AU=,tag:ilSrpwsp3GC/AT9CgrfsGw==,type:str]
 jitsi:
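Review bot: `gf_security_admin_password` is added here, but none of the main.tf hunks in this commit pass it to the service, so this diff does not show that Grafana receives it. Grafana applies the admin password setting only when it first creates the admin user, so on an existing database this value will not change the current password. If the aim is local admin access after dropping GitLab login, the password has to be reset in Grafana itself. The removed GitLab client id and secret stay recoverable from git history by anyone holding the age key, so the OAuth application should also be revoked on the GitLab side.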
@@ -32,8 +31,8 @@ sops:
 WmlRUnowa2lMNWpDT0xEU0htV0w3U00K1f/SO/FBvC9lIBzveBEwhopj5ryMVCmD
 jw8AdxvmMwsCSfIROKkzMqiUs2zsj6FOMlYFI1Rb07mItSO2Yd7TsA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-30T17:00:41Z"
- mac: ENC[AES256_GCM,data:GvVUAo5Qtp0Dcnffh42jGkpT3khDRYXf6ws6Q3n2dWk+q39+xDQ3oxCGKMsYwbxrQ5s1oSI7dENSfxQA1Rwk3+Z0wmrRry9fxlYEnDeYLiR2Jxp0+7zDWUcusfSnjC/ASmwCYSFBcQM4jhD4uyVmhluS0E5KrjOD223Z6vtjxck=,iv:5OFMGJatztWTUR2Xb49CYl0Z42UsieYPTR6YoBn9UmM=,tag:yibooLYgoAN+IeiHVyexKg==,type:str]
+ lastmodified: "2024-01-31T16:00:34Z"
+ mac: ENC[AES256_GCM,data:XJsH39oi1N0JRwoIP6mvdQfSsBtaxn4N6KZYIHhTXR6Yz2/U2HpGyYoKl7vl2HJBPdjECeje4R1lS4w/I0G++qMpsZHdQglVrSjkpq2P1yZVYFRjN1Xyfjzi58O3WegNLftQpXdlx0T9FCNDLdD6+8BSownLxWWUlp0bpwOIWBc=,iv:f8TSh+aBUuFbLHD/kbA2qkqsZI5oGvlyQt2sO4TRQxk=,tag:DVS91MmrQa8I1Hbz07Ff8Q==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1