services:
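  otel-collector:
    image: otel/opentelemetry-collector-contrib:0.104.0
    command: "--config=/etc/otel-collector-config.yaml"
    volumes:
      # Pipeline configuration is kept next to this compose file.
      - ./otel-collector/config.yaml:/etc/otel-collector-config.yaml
    # Container-internal ports only (quoted as strings, matching the other
    # services); Traefik reaches 4318 over the shared `www` network.
    expose:
      - "4317" # OTLP gRPC receiver
      - "4318" # OTLP HTTP receiver
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.otel.rule=Host(`otel.kmsign.ru`)"
      - "traefik.http.services.otel-http.loadbalancer.server.port=4318"
      # NOTE(review): this router publishes the OTLP HTTP receiver on a public
      # hostname and nothing in this file puts authentication in front of it,
      # so any client that can reach otel.kmsign.ru can push telemetry into the
      # pipeline. Attach a Traefik auth middleware or IP allow-list to the
      # router, or enable an auth extension in the collector config, before
      # trusting the data this pipeline produces.
    # `links` is legacy Compose syntax; every service here already resolves by
    # name on the default network. Kept because it also implies start order.
    links:
      - loki
      - mimir
      - tempo
    networks:
      - www
      - default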

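  pyroscope:
    image: grafana/pyroscope:1.7.1
    expose:
      - "4040" # Pyroscope HTTP API and UI
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pyroscope.rule=Host(`pyroscope.kmsign.ru`)"
      - "traefik.http.services.pyroscope.loadbalancer.server.port=4040"
      # NOTE(review): no authentication is configured on this router in this
      # file, so the profiling UI and the ingest API are reachable by anyone who
      # can resolve pyroscope.kmsign.ru. Add a Traefik auth middleware or an
      # allow-list on the router if that exposure is not intended.
    volumes:
      # NOTE(review): this config is mounted but no `command` tells Pyroscope to
      # read it; confirm the image picks up /etc/pyroscope.yml by default,
      # otherwise the file is silently ignored.
      - ./pyroscope/config.yaml:/etc/pyroscope.yml
      - pyroscope_data:/data
    networks:
      - www
      - default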

  loki:
    # Log backend; only reachable on the Compose default network (no Traefik
    # labels, not attached to `www`).
    image: grafana/loki:3.1.0
    command: ["-config.file=/etc/loki/config.yaml"]
    expose:
      - "3100" # Loki HTTP API
    volumes:
      - ./loki/config.yaml:/etc/loki/config.yaml
      - loki_data:/loki
    # Legacy link; mimir is resolvable by name on the default network anyway.
    links:
      - mimir

  mimir:
    # Metrics backend; not routed through Traefik and not on the `www` network.
    image: grafana/mimir:2.12.0
    command: ["-config.file=/etc/mimir/config.yaml"]
    expose:
      - "9009" # Mimir HTTP API
    volumes:
      - ./mimir/config.yaml:/etc/mimir/config.yaml
      - mimir_data:/mimir

  tempo:
    # Trace backend; only reachable on the Compose default network.
    image: grafana/tempo:2.5.0
    command: ["-config.file=/etc/tempo/config.yaml"]
    expose:
      - "3200" # Tempo HTTP API
      - "4317" # OTLP gRPC ingest (container-local; no clash with otel-collector)
      - "4318" # OTLP HTTP ingest
    volumes:
      - ./tempo/config.yaml:/etc/tempo/config.yaml
      - tempo_data:/tempo-data
    # Legacy link; mimir resolves by name on the default network regardless.
    links:
      - mimir

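  grafana:
    image: grafana/grafana:11.1.0
    environment:
      # `${VAR:?msg}` makes `docker compose` refuse to start when a required
      # value is missing, instead of silently passing an empty string.
      GF_SERVER_ROOT_URL: "${GRAFANA_URL:?GRAFANA_URL must be set}"
      GF_SERVER_SERVE_FROM_SUB_PATH: "false"
      GF_SECURITY_ADMIN_PASSWORD: "${GRAFANA_ADMIN_PASSWORD:?GRAFANA_ADMIN_PASSWORD must be set}"
      GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
      GF_AUTH_GENERIC_OAUTH_NAME: "KonfachSSO"
      # Sign-up is open, but ROLE_ATTRIBUTE_STRICT below rejects any login whose
      # token does not resolve to a Grafana role.
      GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "true"
      GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "grafana"
      # The OAuth client secret was previously committed here in clear text. It
      # is now read from the environment like the admin password; the formerly
      # committed value must be treated as compromised and rotated in the IdP.
      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "${GRAFANA_OAUTH_CLIENT_SECRET:?GRAFANA_OAUTH_CLIENT_SECRET must be set}"
      GF_AUTH_GENERIC_OAUTH_SCOPES: "openid email profile offline_access roles"
      GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH: "email"
      GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH: "username"
      GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH: "full_name"
      GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://sso.konfach.ru/realms/konfach/protocol/openid-connect/auth"
      GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://sso.konfach.ru/realms/konfach/protocol/openid-connect/token"
      GF_AUTH_GENERIC_OAUTH_API_URL: "https://sso.konfach.ru/realms/konfach/protocol/openid-connect/userinfo"
      # JMESPath over the token: holders of the `developer` realm role become
      # Editor; for anyone else the expression yields no role and STRICT denies
      # the login.
      GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(realm_access.roles[*], 'developer') && 'Editor'"
      GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: "true"
    volumes:
      - grafana_data:/var/lib/grafana
      - ./grafana/datasources.yaml:/etc/grafana/provisioning/datasources/ds.yaml
    # Attached to `www` but carries no Traefik labels in this file; how (or
    # whether) Grafana is published is configured elsewhere.
    networks:
      - default
      - www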

networks:
  # Pre-existing network that this file does not create; it is shared with the
  # reverse proxy that honours the `traefik.*` labels above (presumably
  # Traefik's own network — confirm it exists before `docker compose up`).
  www:
    external: true

volumes:
  # Named volumes on the default driver; an explicit `{}` is equivalent to the
  # bare key but makes the "no options" intent visible.
  loki_data: {}
  mimir_data: {}
  tempo_data: {}
  grafana_data: {}
  pyroscope_data: {}