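# Observability stack: an OpenTelemetry Collector fanning out to Loki (logs),
# Prometheus (metrics) and Tempo (traces), with Grafana on top.
#
# Environment this file expects (for example from a .env file next to it):
#   GRAFANA_URL                  public root URL of Grafana
#   GRAFANA_PORT                 host port to publish Grafana on
#   GRAFANA_ADMIN_PASSWORD       initial admin password (required)
#   GRAFANA_OAUTH_CLIENT_SECRET  OAuth client secret issued by the IdP (required)
#
# The `version` key is obsolete in Compose v2 (it is ignored with a warning);
# it is kept only for older tooling.
version: "3"

services:
  otel-collector:
    image: otel/opentelemetry-collector-contrib:0.95.0
    restart: always
    command: "--config=/etc/otel-collector-config.yaml"
    volumes:
      - ./otel-collector/config.yaml:/etc/otel-collector-config.yaml
    # The OTLP receivers are the only ingress point of the stack. They are
    # published on the host (all interfaces unless a bind address is given),
    # so restrict the bind address or firewall them if the host is reachable
    # from untrusted networks. Mappings are quoted so YAML never reinterprets
    # them as numbers.
    ports:
      - "4317:4317"   # OTLP gRPC receiver
      - "4318:4318"   # OTLP HTTP receiver
    # `expose` takes container port numbers only (no host:container mapping);
    # these stay on the compose network where Prometheus scrapes them.
    expose:
      - "13133"   # health_check extension
      - "8889"    # Prometheus exporter metrics
      - "8888"    # Prometheus metrics exposed by the Collector
    depends_on:
      - loki
      - prometheus
      - tempo

  loki:
    image: grafana/loki:2.9.2
    expose:
      - "3100"
    command: "-config.file=/etc/loki/config.yaml"
    volumes:
      - ./loki/config.yaml:/etc/loki/config.yaml
      - loki_data:/loki

  prometheus:
    image: prom/prometheus:v2.36.2
    restart: always
    expose:
      - "9090"
    volumes:
      - ./prometheus/config.yaml:/etc/prometheus/config.yaml
      - prometheus_data:/prometheus
    command:
      - "--config.file=/etc/prometheus/config.yaml"
      - "--storage.tsdb.path=/prometheus"
      # Lets Tempo push its generated metrics into Prometheus over the
      # internal network; nothing outside the compose network can reach it.
      - "--web.enable-remote-write-receiver"

  tempo:
    image: grafana/tempo:2.3.1
    command:
      - "-config.file=/etc/tempo/config.yaml"
    depends_on:
      - prometheus
    volumes:
      - ./tempo/config.yaml:/etc/tempo/config.yaml
      - tempo_data:/tempo-data
    # Internal only: traces arrive through the collector, not directly.
    expose:
      - "3200"  # tempo
      - "4317"  # otlp grpc
      - "4318"  # otlp http

  grafana:
    image: grafana/grafana:10.0.10
    depends_on:
      - loki
      - prometheus
      - tempo
    environment:
      GF_SERVER_ROOT_URL: "${GRAFANA_URL}"
      # `${VAR:?msg}` makes Compose refuse to start when the variable is unset
      # or empty, instead of handing Grafana an empty admin password.
      GF_SECURITY_ADMIN_PASSWORD: "${GRAFANA_ADMIN_PASSWORD:?GRAFANA_ADMIN_PASSWORD must be set}"
      GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
      GF_AUTH_GENERIC_OAUTH_NAME: KonfachSSO
      GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "true"
      GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
      # The client secret is read from the environment and must never be
      # written into this file: it is committed to VCS and shipped with the
      # stack. A secret that was previously committed here should be treated
      # as exposed and rotated in the IdP.
      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "${GRAFANA_OAUTH_CLIENT_SECRET:?GRAFANA_OAUTH_CLIENT_SECRET must be set}"
      GF_AUTH_GENERIC_OAUTH_SCOPES: openid email profile offline_access roles
      GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH: email
      GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH: username
      GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH: full_name
      GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://sso.konfach.ru/realms/myavo/protocol/openid-connect/auth
      GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://sso.konfach.ru/realms/myavo/protocol/openid-connect/token
      GF_AUTH_GENERIC_OAUTH_API_URL: https://sso.konfach.ru/realms/myavo/protocol/openid-connect/userinfo
      # Only users carrying the `developer` realm role are mapped to Editor.
      # With ROLE_ATTRIBUTE_STRICT enabled Grafana is documented to deny login
      # when no role is resolved, rather than falling back to Viewer; keep the
      # two settings together.
      GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(realm_access.roles[*], 'developer') && 'Editor'"
      GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: "true"
    volumes:
      - grafana_data:/var/lib/grafana
    ports:
      - "${GRAFANA_PORT}:3000"
    # Writes the datasource provisioning file at container start, then hands
    # off to the image's normal /run.sh. `sh -euc`: abort on any failing
    # command (-e) or unset variable (-u), run the script string (-c).
    entrypoint:
      - sh
      - -euc
      - |
        mkdir -p /etc/grafana/provisioning/datasources
        cat <<EOF > /etc/grafana/provisioning/datasources/ds.yaml
        apiVersion: 1
        datasources:
        - name: Loki
          type: loki
          access: proxy
          orgId: 1
          url: http://loki:3100
          basicAuth: false
          isDefault: false
          version: 1
          editable: false
        - name: Prometheus
          type: prometheus
          access: proxy
          orgId: 1
          url: http://prometheus:9090
          basicAuth: false
          isDefault: false
          version: 1
          editable: false
        - name: Tempo
          type: tempo
          access: proxy
          orgId: 1
          url: http://tempo:3200
          basicAuth: false
          isDefault: false
          version: 1
          editable: false
          jsonData:
            httpMethod: GET
        EOF
        /run.sh

# Named volumes with default driver settings; `{}` is written explicitly so
# the empty value is not mistaken for a forgotten definition.
volumes:
  loki_data: {}
  prometheus_data: {}
  tempo_data: {}
  grafana_data: {}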