docker-compose.yml

services:
  grafana:
    image: grafana/grafana-enterprise
    container_name: grafana_demo
    ports:
      - '3000:3000'
    volumes:
      - grafana-storage:/var/lib/grafana
      - ./grafana-enterprise-license/license.jwt:/var/lib/grafana/license.jwt
    environment:
      - GF_AUTH_GENERIC_OAUTH_ENABLED=true
      - GF_AUTH_GENERIC_OAUTH_NAME=Keycloak
      - GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true
      - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
      - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=nPKqEkwX4M673De5sv1y1fAbH9tCb5Hj
      - GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile roles offline_access
      - GF_AUTH_GENERIC_USE_REFRESH_TOKENS=true
      - GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email
      - GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=username
      - GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=full_name
      - GF_AUTH_GENERIC_OAUTH_AUTH_URL=http://localhost:3002/realms/testrealm/protocol/openid-connect/auth
      - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=http://keycloak:8080/realms/testrealm/protocol/openid-connect/token
      - GF_AUTH_GENERIC_OAUTH_API_URL=http://keycloak:8080/realms/testrealm/protocol/openid-connect/userinfo
      - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'grafana_grafana_admin') && 'GrafanaAdmin' || contains(roles[*], 'grafana_admin') && 'Admin' || contains(roles[*], 'grafana_editor') && 'Editor' || 'Viewer'
      - GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=groups
      - GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE=true
      - GF_AUTH_SIGNOUT_REDIRECT_URL=http://localhost:3002/realms/testrealm/protocol/openid-connect/logout?id_token_hint=%{id_token}&post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Flogin
      - GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_NAME=email
      - GF_LOG_FILTERS=oauth.generic_oauth:debug
    networks:
      - keycloak_grafana_network

  postgres:
    image: postgres:16
    container_name: postgres_demo
    volumes:
      - grafana-keycloak-postgres-data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    networks:
      - keycloak_grafana_network


  keycloak:
    image: quay.io/keycloak/keycloak:25.0.1
    container_name: 'keycloak_demo'
    command: start-dev --import-realm 
    environment:
      # https://www.keycloak.org/server/all-config
      - KC_HOSTNAME=http://localhost:3002/
      - KC_HOSTNAME_STRICT=false
      - KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true
      - KC_HTTP_ENABLED=true
      - KC_DB=postgres
      - KC_DB_USERNAME=keycloak
      - KC_DB_PASSWORD=password
      - KC_DB_URL_HOST=postgres
      - KC_DB_URL_PORT=5432
      - KC_DB_URL_DATABASE=keycloak
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
    depends_on:
      - postgres
    ports:
      - '3002:8080'
    networks:
      - keycloak_grafana_network
    volumes:
      - ./realm-import:/opt/keycloak/data/import
    

volumes:
  grafana-storage: {}
  grafana-keycloak-postgres-data: {}
  
networks:
  keycloak_grafana_network: {}