bitwarden

home-assistant/docker-compose.yaml

@@ -101,6 +101,20 @@ services:
     #   - GF_AUTH_ANONYMOUS_ENABLED=true
     #   - GF_AUTH_ANONYMOUS_ORG_ROLE=Admin
     #   - GF_SECURITY_ALLOW_EMBEDDING=true
+    environment:
+      GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
+      GF_AUTH_GENERIC_OAUTH_NAME: "authentik"
+      GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "xc8AKsYOvHFmYnRjfnvt2YfgR5pg8Mlfc9YEqd3T"
+      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "gb5ThPlyIUN2I8UPvIKAqQBoGFmTAb7tFxt5OiJQkAG6Ef2HDKksNOjWPJFfXiO22RuCnWuyzl6IMqPYO6QTa55EYfoN5N87enh5MOhTXjo2JTTnEL1eZhEI1Sw1vBO8"
+      GF_AUTH_GENERIC_OAUTH_SCOPES: "openid profile email"
+      GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://auth.sectorq.eu/application/o/authorize/"
+      GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://auth.sectorq.eu/application/o/token/"
+      GF_AUTH_GENERIC_OAUTH_API_URL: "https://auth.sectorq.eu/application/o/userinfo/"
+      GF_AUTH_SIGNOUT_REDIRECT_URL: "https://auth.sectorq.eu/application/o/grafana/end-session/"
+      # Optionally enable auto-login (bypasses Grafana login screen)
+      GF_AUTH_OAUTH_AUTO_LOGIN: "true"
+      # Optionally map user groups to Grafana roles
+      GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
   influxdb:
     ports:
       - 8086:8086