diff --git a/README.md b/README.md index daa822a..e705bae 100644 --- a/README.md +++ b/README.md @@ -7,4 +7,4 @@ L'idée est de pouvoir redonder les services « légers » entre les résidences En cours de test par erdnaxe. Pour lancer un service, aller dans le dossier puis -`sudo docker-compose up --build`. +`sudo docker-compose up --build -d`. diff --git a/grafana/docker-compose.yml b/grafana/docker-compose.yml new file mode 100644 index 0000000..72b376a --- /dev/null +++ b/grafana/docker-compose.yml @@ -0,0 +1,25 @@ +version: "3.7" + +services: + grafana: + image: grafana/grafana + environnment: + - GF_SERVER_ROOT_URL=https://grafana.auro.re + - GF_SESSION_COOKIE_SECURE=true + - GF_ANALYTICS_REPORTING_ENABLE=false + - GF_SNAPSHOTS_EXTERNAL_ENABLED=false + - GF_USERS_ALLOW_SIGN_UP=false + - GF_USERS_ALLOW_ORG_CREATE=false + - GF_AUTH_BASIC_ENABLED=false + - GF_AUTH_LDAP_ENABLED=true + - GF_AUTH_LDAP_CONFIG_FILE=/etc/grafana/ldap.toml + + # Install Grafana plugins at startup + - GF_INSTALL_PLUGINS=grafana-worldmap-panel + volumes: + - ./data_grafana:/var/lib/grafana + - ./ldap.toml:/etc/grafana/ldap.toml:ro + ports: + - 8082:3000 + restart: always + diff --git a/grafana/ldap.toml b/grafana/ldap.toml new file mode 100644 index 0000000..6f60911 --- /dev/null +++ b/grafana/ldap.toml @@ -0,0 +1,65 @@ +# To troubleshoot and get more log info enable ldap debug logging in grafana.ini +# [log] +# filters = ldap:debug + +[[servers]] +# Ldap server host (specify multiple hosts space separated) +host = "10.128.0.11" +# Default port is 389 or 636 if use_ssl = true +port = 389 +# Set to true if ldap server supports TLS +use_ssl = false +# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS) +start_tls = false +# set to true if you want to skip ssl cert validation +ssl_skip_verify = false +# set to the path to your root CA certificate or leave unset to use system defaults +# root_ca_cert = "/path/to/certificate.crt" +# Authentication against LDAP servers requiring client certificates +# client_cert = "/path/to/client.crt" +# client_key = "/path/to/client.key" + +# Search user bind dn +bind_dn = "cn=grafana,ou=service-users,dc=auro,dc=re" +# Search user bind password +# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;""" +bind_password = 'CHANGE ME IN PRODUCTION, I WILL DIFFER !' + +# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)" +search_filter = "(cn=%s)" + +# An array of base dns to search through +search_base_dns = ["cn=Utilisateurs,dc=auro,dc=re"] + +## For Posix or LDAP setups that does not support member_of attribute you can define the below settings +## Please check grafana LDAP docs for examples +group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))" +group_search_base_dns = ["ou=posix,ou=groups,dc=auro,dc=re"] +group_search_filter_user_attribute = "cn" + +# Specify names of the ldap attributes your ldap uses +[servers.attributes] +name = "sn" +surname = "" +username = "cn" +member_of = "dn" +email = "mail" + +# Map ldap groups to grafana org roles +[[servers.group_mappings]] +group_dn = "cn=sudoldap,ou=posix,ou=groups,dc=auro,dc=re" +org_role = "Admin" +# To make user an instance admin (Grafana Admin) uncomment line below +grafana_admin = true +# The Grafana organization database id, optional, if left out the default org (id 1) will be used +# org_id = 1 + +[[servers.group_mappings]] +group_dn = "cn=technicien,ou=posix,ou=groups,dc=auro,dc=re" +org_role = "Editor" + +[[servers.group_mappings]] +# If you want to match all (or no ldap groups) then you can use wildcard +group_dn = "*" +org_role = "Viewer" +