Grafana — Authentik auth proxy (single login)¶

Grafana keeps Traefik forward-auth (authentik@file) at the edge. Auth proxy tells Grafana to trust X-authentik-* headers from the outpost (via Traefik) so users land in the UI without a second login form.

Grafana URL: https://grafana.infra.realemail.app Reference: Grafana auth proxy, Authentik proxy headers

What changes¶

Layer	Role
Traefik + `authentik@file`	Authentik login at the edge (unchanged)
Authentik outpost	Sets `X-authentik-username`, `X-authentik-email`, … on upstream requests
Grafana auth proxy	Creates/syncs Grafana user from those headers; login form disabled

No new Authentik application — the domain-level infra proxy provider already covers Grafana.

Repo configuration¶

services/monitoring/compose.yml sets Grafana GF_AUTH_PROXY_* environment variables. Key settings:

Variable	Value	Why
`GF_AUTH_PROXY_ENABLED`	`true`	Enable auth proxy
`GF_AUTH_PROXY_HEADER_NAME`	`X-authentik-username`	Matches outpost header
`GF_AUTH_PROXY_AUTO_SIGN_UP`	`true`	Create Grafana user on first visit
`GF_AUTH_PROXY_WHITELIST`	`172.18.0.0/16`	Traefik `traefik` network subnet only
`GF_AUTH_DISABLE_LOGIN_FORM`	`true`	No second login wall
`GF_USERS_AUTO_ASSIGN_ORG_ROLE`	`Admin`	Homelab infra UI is ops-only

If the traefik Docker network subnet changes, update GF_AUTH_PROXY_WHITELIST to match:

docker network inspect traefik --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}'

Deploy¶

After merge to main:

cd /opt/homelab/services/monitoring
docker compose up -d --no-deps grafana

Verify¶

Incognito → https://grafana.infra.realemail.app
Authentik login once → Grafana home/dashboards (no Grafana login form)
User menu shows your Authentik username (not admin)

Troubleshooting¶

Symptom	Fix
Grafana login form still shown	Auth proxy off or headers not trusted — check `GF_AUTH_PROXY_*`; recreate grafana
401 / empty user	`GF_AUTH_PROXY_WHITELIST` wrong — Traefik IP must be in range
Logged in as unexpected user	Header spoofing if whitelist too broad — keep whitelist to `traefik` subnet only
Need break-glass admin	Temporarily set `GF_AUTH_DISABLE_LOGIN_FORM=false`, recreate grafana; use `admin` + password from SOPS `.env`
Sign-out only clears Grafana	Full SSO logout: `https://homepage.infra.realemail.app/outpost.goauthentik.io/sign_out`

Authentik infra admin setup — domain forward-auth
services/monitoring/README.md