homelab-optimized/hosts/synology/atlantis/grafana.yml

# Grafana - Dashboards
# Port: 3000
# Metrics visualization and dashboards

version: "3.9"
services:
  grafana:
    image: grafana/grafana:latest
    container_name: Grafana
    hostname: grafana
    networks:
      - grafana-net
    mem_limit: 512m
    cpu_shares: 512
    security_opt:
      - no-new-privileges:true
    user: 1026:100
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:3000/api/health
    ports:
      - 3340:3000
    volumes:
      - /volume1/docker/grafana/data:/var/lib/grafana:rw
    environment:
      TZ: America/Los_Angeles
      GF_INSTALL_PLUGINS: grafana-clock-panel,grafana-simple-json-datasource,natel-discrete-panel,grafana-piechart-panel
      # Authentik SSO Configuration
      GF_SERVER_ROOT_URL: https://gf.vish.gg
      GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
      GF_AUTH_GENERIC_OAUTH_NAME: Authentik
      GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "REDACTED_CLIENT_ID"  # pragma: allowlist secret
      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "REDACTED_CLIENT_SECRET"  # pragma: allowlist secret
      GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
      GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://sso.vish.gg/application/o/authorize/
      GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://sso.vish.gg/application/o/token/
      GF_AUTH_GENERIC_OAUTH_API_URL: https://sso.vish.gg/application/o/userinfo/
      GF_AUTH_SIGNOUT_REDIRECT_URL: https://sso.vish.gg/application/o/grafana/end-session/
      GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
      # Keep local admin auth working
      GF_AUTH_DISABLE_LOGIN_FORM: "false"
    restart: on-failure:5

  prometheus:
    image: prom/prometheus
    command:
      - '--storage.tsdb.retention.time=60d'
      - --config.file=/etc/prometheus/prometheus.yml
    container_name: Prometheus
    hostname: prometheus-server
    networks:
      - grafana-net
      - prometheus-net
    mem_limit: 1g
    cpu_shares: 768
    security_opt:
      - no-new-privileges=true
    user: 1026:100
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:9090/ || exit 1
    volumes:
      - /volume1/docker/grafana/prometheus:/prometheus:rw
      - /volume1/docker/grafana/prometheus.yml:/etc/prometheus/prometheus.yml:ro
    restart: on-failure:5

  node-exporter:
    image: prom/node-exporter:latest
    command:
      - --collector.disable-defaults
      - --collector.stat
      - --collector.time
      - --collector.cpu
      - --collector.loadavg
      - --collector.hwmon
      - --collector.meminfo
      - --collector.diskstats
    container_name: Prometheus-Node
    hostname: prometheus-node
    networks:
      - prometheus-net
    mem_limit: 256m
    mem_reservation: 64m
    cpu_shares: 512
    security_opt:
      - no-new-privileges=true
    read_only: true
    user: 1026:100
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:9100/
    restart: on-failure:5

  snmp-exporter:
    image: prom/snmp-exporter:latest
    command:
      - --config.file=/etc/snmp_exporter/snmp.yml
    container_name: Prometheus-SNMP
    hostname: prometheus-snmp
    networks:
      - prometheus-net
    mem_limit: 256m
    mem_reservation: 64m
    cpu_shares: 512
    security_opt:
      - no-new-privileges:true
    read_only: true
    user: 1026:100
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:9116/ || exit 1
    volumes:
      - /volume1/docker/grafana/snmp:/etc/snmp_exporter/:ro
    restart: on-failure:5

  cadvisor:
    image: gcr.io/cadvisor/cadvisor:latest
    command:
      - '--docker_only=true'
    container_name: Prometheus-cAdvisor
    hostname: prometheus-cadvisor
    networks:
      - prometheus-net
    mem_limit: 256m
    mem_reservation: 64m
    cpu_shares: 512
    security_opt:
      - no-new-privileges=true
    read_only: true
    volumes:
      - /:/rootfs:ro
      - /var/run:/var/run:ro
      - /sys:/sys:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: on-failure:5

networks:
  grafana-net:
    name: grafana-net
    ipam:
      config:
        - subnet: 192.168.50.0/24
  prometheus-net:
    name: prometheus-net
    ipam:
      config:
        - subnet: 192.168.51.0/24