grafana.ini.j2 37.5 KB
Newer Older
Florian Pritz's avatar
Florian Pritz committed
1
2
3
4
5
6
##################### Grafana Configuration Example #####################
#
# Everything has defaults so you only need to uncomment things you want to
# change

# possible values : production, development
7
;app_mode = production
Florian Pritz's avatar
Florian Pritz committed
8
9

# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
10
;instance_name = ${HOSTNAME}
Florian Pritz's avatar
Florian Pritz committed
11
12
13
14
15

#################################### Paths ####################################
[paths]
# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
;data = /var/lib/grafana
16
17
18
19

# Temporary files in `data` directory older than given duration will be removed
;temp_data_lifetime = 24h

Florian Pritz's avatar
Florian Pritz committed
20
21
# Directory where grafana can store logs
;logs = /var/log/grafana
22

Florian Pritz's avatar
Florian Pritz committed
23
24
25
# Directory where grafana will automatically scan and look for plugins
;plugins = /var/lib/grafana/plugins

26
# folder that contains provisioning config files that grafana will apply on startup and while running.
27
provisioning = /etc/grafana/provisioning
28

Florian Pritz's avatar
Florian Pritz committed
29
30
#################################### Server ####################################
[server]
31
# Protocol (http, https, h2, socket)
Florian Pritz's avatar
Florian Pritz committed
32
33
34
;protocol = http

# The ip address to bind to, empty will bind to all interfaces
35
http_addr = 127.0.0.1
Florian Pritz's avatar
Florian Pritz committed
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

# The http port  to use
;http_port = 3000

# The public facing domain name used to access grafana from a browser
domain = {{grafana_domain}}

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://{{grafana_domain}}

51
52
53
# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
;serve_from_sub_path = false

Florian Pritz's avatar
Florian Pritz committed
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# Log web requests
;router_logging = false

# the path relative working path
;static_root_path = public

# enable gzip
enable_gzip = true

# https certs & key file
;cert_file =
;cert_key =

# Unix socket path
;socket =

#################################### Database ####################################
[database]
# You can configure the database connection by specifying type, host, name, user and password
73
# as separate properties or as on string using the url properties.
Florian Pritz's avatar
Florian Pritz committed
74
75
76
77
78
79

# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = sqlite3
;host = 127.0.0.1:3306
;name = grafana
;user = root
80
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
Florian Pritz's avatar
Florian Pritz committed
81
82
83
84
85
86
87
88
89
;password =

# Use either URL or the previous fields to configure the database
# Example: mysql://user:secret@host:port/database
;url =

# For "postgres" only, either "disable", "require" or "verify-full"
;ssl_mode = disable

90
91
92
93
94
;ca_cert_path =
;client_key_path =
;client_cert_path =
;server_cert_name =

Florian Pritz's avatar
Florian Pritz committed
95
96
97
# For "sqlite3" only, path relative to data_path setting
;path = grafana.db

98
99
100
# Max idle conn setting default is 2
;max_idle_conn = 2

Florian Pritz's avatar
Florian Pritz committed
101
102
103
# Max conn setting default is 0 (mean not set)
;max_open_conn =

104
105
106
107
# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
;conn_max_lifetime = 14400

# Set to true to log the sql calls and execution times.
108
;log_queries =
Florian Pritz's avatar
Florian Pritz committed
109

110
111
112
# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
;cache_mode = private

Jelle van der Waa's avatar
Jelle van der Waa committed
113
114
115
116
117
################################### Data sources #########################
[datasources]
# Upper limit of data sources that Grafana will return. This limit is a temporary configuration and it will be deprecated when pagination will be introduced on the list data sources API.
;datasource_limit = 5000

118
119
120
121
#################################### Cache server #############################
[remote_cache]
# Either "redis", "memcached" or "database" default is "database"
;type = database
Florian Pritz's avatar
Florian Pritz committed
122

123
124
125
126
127
# cache connectionstring options
# database: will use Grafana primary database.
# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=0,ssl=false`. Only addr is required. ssl may be 'true', 'false', or 'insecure'.
# memcache: 127.0.0.1:11211
;connstr =
Florian Pritz's avatar
Florian Pritz committed
128
129
130
131
132
133
134

#################################### Data proxy ###########################
[dataproxy]

# This enables data proxy logging, default is false
;logging = false

Jelle van der Waa's avatar
Jelle van der Waa committed
135
136
# How long the data proxy waits to read the headers of the response before timing out, default is 30 seconds.
# This setting also applies to core backend HTTP data sources where query requests use an HTTP client with timeout set.
137
138
;timeout = 30

Jelle van der Waa's avatar
Jelle van der Waa committed
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
# How long the data proxy waits to establish a TCP connection before timing out, default is 10 seconds.
;dialTimeout = 10

# How many seconds the data proxy waits before sending a keepalive probe request.
;keep_alive_seconds = 30

# How many seconds the data proxy waits for a successful TLS Handshake before timing out.
;tls_handshake_timeout_seconds = 10

# How many seconds the data proxy will wait for a server's first response headers after
# fully writing the request headers if the request has an "Expect: 100-continue"
# header. A value of 0 will result in the body being sent immediately, without
# waiting for the server to approve.
;expect_continue_timeout_seconds = 1

# The maximum number of idle connections that Grafana will keep alive.
;max_idle_connections = 100

# The maximum number of idle connections per host that Grafana will keep alive.
;max_idle_connections_per_host = 2

# How many seconds the data proxy keeps an idle connection open before timing out.
;idle_conn_timeout_seconds = 90

163
164
165
# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
;send_user_header = false

Florian Pritz's avatar
Florian Pritz committed
166
167
168
169
170
171
#################################### Analytics ####################################
[analytics]
# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
# No ip addresses are being tracked, only simple counters to track
# running instances, dashboard and error counts. It is very helpful to us.
# Change this option to false to disable reporting.
Jelle van der Waa's avatar
Jelle van der Waa committed
172
reporting_enabled = false
Florian Pritz's avatar
Florian Pritz committed
173

Jelle van der Waa's avatar
Jelle van der Waa committed
174
175
176
# The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs
;reporting_distributor = grafana-labs

Florian Pritz's avatar
Florian Pritz committed
177
# Set to false to disable all checks to https://grafana.net
Jelle van der Waa's avatar
Jelle van der Waa committed
178
# for new versions (grafana itself and plugins), check is used
Florian Pritz's avatar
Florian Pritz committed
179
180
181
# in some UI views to notify that grafana or plugin update exists
# This option does not cause any auto updates, nor send any information
# only a GET request to http://grafana.com to get latest versions
Jelle van der Waa's avatar
Jelle van der Waa committed
182
check_for_updates = false
Florian Pritz's avatar
Florian Pritz committed
183
184
185
186

# Google Analytics universal tracking code, only enabled if you specify an id here
;google_analytics_ua_id =

187
188
189
# Google Tag Manager ID, only enabled if you specify an id here
;google_tag_manager_id =

Florian Pritz's avatar
Florian Pritz committed
190
191
#################################### Security ####################################
[security]
192
# disable creation of admin user on first start of grafana
Jelle van der Waa's avatar
Jelle van der Waa committed
193
disable_initial_admin_creation = true
194

Florian Pritz's avatar
Florian Pritz committed
195
196
197
198
199
200
201
# default admin user, created on startup
admin_user = admin

# default admin password, can be changed before first start of grafana,  or in profile settings
;admin_password = admin

# used for signing
Jelle van der Waa's avatar
Jelle van der Waa committed
202
secret_key = {{ vault_grafana_secret_key }}
Florian Pritz's avatar
Florian Pritz committed
203
204
205
206
207
208
209

# disable gravatar profile images
;disable_gravatar = false

# data source proxy whitelist (ip_or_domain:port separated by spaces)
;data_source_proxy_whitelist =

210
211
212
# disable protection against brute force login attempts
;disable_brute_force_login_protection = false

213
# set to true if you host Grafana behind HTTPS. default is false.
214
cookie_secure = true
215

216
# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
217
cookie_samesite = strict
218

219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
# set to true if you want to allow browsers to render Grafana in a <frame>, <iframe>, <embed> or <object>. default is false.
;allow_embedding = false

# Set to true if you want to enable http strict transport security (HSTS) response header.
# This is only sent when HTTPS is enabled in this configuration.
# HSTS tells browsers that the site should only be accessed using HTTPS.
# The default version will change to true in the next minor release, 6.3.
strict_transport_security = true

# Sets how long a browser should cache HSTS. Only applied if strict_transport_security is enabled.
strict_transport_security_max_age_seconds = 86400

# Set to true if to enable HSTS preloading option. Only applied if strict_transport_security is enabled.
;strict_transport_security_preload = false

# Set to true if to enable the HSTS includeSubDomains option. Only applied if strict_transport_security is enabled.
;strict_transport_security_subdomains = false

# Set to true to enable the X-Content-Type-Options response header.
# The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
# in the Content-Type headers should not be changed and be followed. The default will change to true in the next minor release, 6.3.
x_content_type_options = true

# Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
# when they detect reflected cross-site scripting (XSS) attacks. The default will change to true in the next minor release, 6.3.
x_xss_protection = true

Jelle van der Waa's avatar
Jelle van der Waa committed
246
247
248
249
250
251
252
253
254
# Enable adding the Content-Security-Policy header to your requests.
# CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
;content_security_policy = false

# Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
# $NONCE in the template includes a random nonce.
# $ROOT_PATH is server.root_url without the protocol.
;content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""

255
#################################### Snapshots ###########################
Florian Pritz's avatar
Florian Pritz committed
256
257
258
259
260
261
[snapshots]
# snapshot sharing options
;external_enabled = true
;external_snapshot_url = https://snapshots-origin.raintank.io
;external_snapshot_name = Publish to snapshot.raintank.io

Jelle van der Waa's avatar
Jelle van der Waa committed
262
# Set to true to enable this Grafana instance act as an external snapshot server and allow unauthenticated requests for
263
264
265
# creating and deleting snapshots.
;public_mode = false

Florian Pritz's avatar
Florian Pritz committed
266
267
268
# remove expired snapshot
;snapshot_remove_expired = true

269
270
271
272
#################################### Dashboards History ##################
[dashboards]
# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
;versions_to_keep = 20
Florian Pritz's avatar
Florian Pritz committed
273

Jelle van der Waa's avatar
Jelle van der Waa committed
274
# Minimum dashboard refresh interval. When set, this will restrict users to set the refresh interval of a dashboard lower than given interval. Per default this is 5 seconds.
275
# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
Jelle van der Waa's avatar
Jelle van der Waa committed
276
;min_refresh_interval = 5s
277

278
279
280
281
282
{% if grafana_anonymous_access %}
# Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json"
default_home_dashboard_path = /var/lib/grafana/public-dashboards/home.json
{% endif %}

283
#################################### Users ###############################
Florian Pritz's avatar
Florian Pritz committed
284
285
286
287
288
289
290
291
292
293
[users]
# disable user signup / registration
allow_sign_up = false

# Allow non admin users to create organizations
;allow_org_create = true

# Set to true to automatically assign new users to the default organization (id 1)
;auto_assign_org = true

294
295
296
# Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
;auto_assign_org_id = 1

Florian Pritz's avatar
Florian Pritz committed
297
298
299
# Default role new users will be automatically assigned (if disabled above is set to true)
;auto_assign_org_role = Viewer

300
301
302
# Require email validation before sign up completes
;verify_email_enabled = false

Florian Pritz's avatar
Florian Pritz committed
303
304
# Background text for the user field on the login page
;login_hint = email or username
305
;password_hint = password
Florian Pritz's avatar
Florian Pritz committed
306
307
308
309

# Default UI theme ("dark" or "light")
;default_theme = dark

Jelle van der Waa's avatar
Jelle van der Waa committed
310
311
312
# Path to a custom home page. Users are only redirected to this if the default home dashboard is used. It should match a frontend route and contain a leading slash.
; home_page =

313
314
315
316
317
318
319
320
# External user management, these options affect the organization users view
;external_manage_link_url =
;external_manage_link_name =
;external_manage_info =

# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
;viewers_can_edit = false

321
322
323
# Editors can administrate dashboard, folders and teams they create
;editors_can_admin = false

Jelle van der Waa's avatar
Jelle van der Waa committed
324
325
326
327
328
329
# The duration in time a user invitation remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). Default is 24h (24 hours). The minimum supported duration is 15m (15 minutes).
;user_invite_max_lifetime_duration = 24h

# Enter a comma-separated list of users login to hide them in the Grafana UI. These users are shown to Grafana admins and themselves.
; hidden_users =

Florian Pritz's avatar
Florian Pritz committed
330
[auth]
331
332
333
# Login cookie name
;login_cookie_name = grafana_session

Jelle van der Waa's avatar
Jelle van der Waa committed
334
335
# The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month). The lifetime resets at each successful token rotation.
;login_maximum_inactive_lifetime_duration =
336

Jelle van der Waa's avatar
Jelle van der Waa committed
337
338
# The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30 days (30d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month).
;login_maximum_lifetime_duration =
339
340
341
342

# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
;token_rotation_interval_minutes = 10

Florian Pritz's avatar
Florian Pritz committed
343
# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
Jelle van der Waa's avatar
Jelle van der Waa committed
344
disable_login_form = true
Florian Pritz's avatar
Florian Pritz committed
345

Jelle van der Waa's avatar
Jelle van der Waa committed
346
# Set to true to disable the sign out link in the side menu. Useful if you use auth.proxy or auth.jwt, defaults to false
Florian Pritz's avatar
Florian Pritz committed
347
348
;disable_signout_menu = false

349
# URL to redirect the user to after sign out
Jelle van der Waa's avatar
Jelle van der Waa committed
350
signout_redirect_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
351

352
353
# Set to true to attempt login with OAuth automatically, skipping the login screen.
# This setting is ignored if multiple OAuth providers are configured.
Jelle van der Waa's avatar
Jelle van der Waa committed
354
oauth_auto_login = true
355

Jelle van der Waa's avatar
Jelle van der Waa committed
356
357
358
# OAuth state max age cookie duration in seconds. Defaults to 600 seconds.
;oauth_state_cookie_max_age = 600

359
360
361
# limit of api_key seconds to live before expiration
;api_key_max_seconds_to_live = -1

Jelle van der Waa's avatar
Jelle van der Waa committed
362
363
364
# Set to true to enable SigV4 authentication option for HTTP-based datasources.
;sigv4_auth_enabled = false

365
#################################### Anonymous Auth ######################
Florian Pritz's avatar
Florian Pritz committed
366
367
[auth.anonymous]
# enable anonymous access
368
369
370
{% if grafana_anonymous_access %}
enabled = true
{% endif %}
Florian Pritz's avatar
Florian Pritz committed
371
372
373
374
375

# specify organization name that should be used for unauthenticated users
;org_name = Main Org.

# specify role for unauthenticated users
376
org_role = Viewer
Florian Pritz's avatar
Florian Pritz committed
377

Jelle van der Waa's avatar
Jelle van der Waa committed
378
379
380
# mask the Grafana version number for unauthenticated users
;hide_version = false

Florian Pritz's avatar
Florian Pritz committed
381
382
383
384
385
386
387
388
389
390
#################################### Github Auth ##########################
[auth.github]
;enabled = false
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = user:email,read:org
;auth_url = https://github.com/login/oauth/authorize
;token_url = https://github.com/login/oauth/access_token
;api_url = https://api.github.com/user
391
;allowed_domains =
Florian Pritz's avatar
Florian Pritz committed
392
393
394
;team_ids =
;allowed_organizations =

395
396
397
398
399
400
401
402
403
404
405
406
407
#################################### GitLab Auth #########################
[auth.gitlab]
;enabled = false
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = api
;auth_url = https://gitlab.com/oauth/authorize
;token_url = https://gitlab.com/oauth/token
;api_url = https://gitlab.com/api/v4
;allowed_domains =
;allowed_groups =

Florian Pritz's avatar
Florian Pritz committed
408
409
410
411
412
413
414
415
416
417
418
#################################### Google Auth ##########################
[auth.google]
;enabled = false
;allow_sign_up = true
;client_id = some_client_id
;client_secret = some_client_secret
;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
;auth_url = https://accounts.google.com/o/oauth2/auth
;token_url = https://accounts.google.com/o/oauth2/token
;api_url = https://www.googleapis.com/oauth2/v1/userinfo
;allowed_domains =
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
;hosted_domain =

#################################### Grafana.com Auth ####################
[auth.grafana_com]
;enabled = false
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = user:email
;allowed_organizations =

#################################### Azure AD OAuth #######################
[auth.azuread]
;name = Azure AD
;enabled = false
;allow_sign_up = true
;client_id = some_client_id
;client_secret = some_client_secret
;scopes = openid email profile
;auth_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
;token_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
;allowed_domains =
;allowed_groups =
Florian Pritz's avatar
Florian Pritz committed
442

Jelle van der Waa's avatar
Jelle van der Waa committed
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
#################################### Okta OAuth #######################
[auth.okta]
;name = Okta
;enabled = false
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = openid profile email groups
;auth_url = https://<tenant-id>.okta.com/oauth2/v1/authorize
;token_url = https://<tenant-id>.okta.com/oauth2/v1/token
;api_url = https://<tenant-id>.okta.com/oauth2/v1/userinfo
;allowed_domains =
;allowed_groups =
;role_attribute_path =
;role_attribute_strict = false

459
{% if not grafana_anonymous_access %}
Florian Pritz's avatar
Florian Pritz committed
460
461
#################################### Generic OAuth ##########################
[auth.generic_oauth]
Jelle van der Waa's avatar
Jelle van der Waa committed
462
463
464
465
466
467
enabled = true
name = OAuth
allow_sign_up = true
client_id = openid_grafana
client_secret = {{ vault_monitoring_grafana_client_secret }}
scopes = openid profile email
Jelle van der Waa's avatar
Jelle van der Waa committed
468
;empty_scopes = false
Jelle van der Waa's avatar
Jelle van der Waa committed
469
470
email_attribute_name = email:primary
email_attribute_path = email
Jelle van der Waa's avatar
Jelle van der Waa committed
471
472
473
;login_attribute_path =
;name_attribute_path =
;id_token_attribute_name =
Jelle van der Waa's avatar
Jelle van der Waa committed
474
475
476
auth_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
token_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
477
;allowed_domains =
Florian Pritz's avatar
Florian Pritz committed
478
479
;team_ids =
;allowed_organizations =
480
481
role_attribute_path: contains(roles[*], 'DevOps') && 'Admin'
role_attribute_strict = true
482
483
484
485
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
;tls_client_ca =
486
{% endif %}
Florian Pritz's avatar
Florian Pritz committed
487

488
489
490
#################################### SAML Auth ###########################
[auth.saml] # Enterprise only
# Defaults to false. If true, the feature is enabled.
Florian Pritz's avatar
Florian Pritz committed
491
;enabled = false
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531

# Base64-encoded public X.509 certificate. Used to sign requests to the IdP
;certificate =

# Path to the public X.509 certificate. Used to sign requests to the IdP
;certificate_path =

# Base64-encoded private key. Used to decrypt assertions from the IdP
;private_key =

;# Path to the private key. Used to decrypt assertions from the IdP
;private_key_path =

# Base64-encoded IdP SAML metadata XML. Used to verify and obtain binding locations from the IdP
;idp_metadata =

# Path to the SAML metadata XML. Used to verify and obtain binding locations from the IdP
;idp_metadata_path =

# URL to fetch SAML IdP metadata. Used to verify and obtain binding locations from the IdP
;idp_metadata_url =

# Duration, since the IdP issued a response and the SP is allowed to process it. Defaults to 90 seconds.
;max_issue_delay = 90s

# Duration, for how long the SP's metadata should be valid. Defaults to 48 hours.
;metadata_valid_duration = 48h

# Friendly name or name of the attribute within the SAML assertion to use as the user's name
;assertion_attribute_name = displayName

# Friendly name or name of the attribute within the SAML assertion to use as the user's login handle
;assertion_attribute_login = mail

# Friendly name or name of the attribute within the SAML assertion to use as the user's email
;assertion_attribute_email = mail

#################################### Basic Auth ##########################
[auth.basic]
;enabled = true
Florian Pritz's avatar
Florian Pritz committed
532
533
534
535
536
537
538

#################################### Auth Proxy ##########################
[auth.proxy]
;enabled = false
;header_name = X-WEBAUTH-USER
;header_property = username
;auto_sign_up = true
539
;sync_ttl = 60
Florian Pritz's avatar
Florian Pritz committed
540
;whitelist = 192.168.1.1, 192.168.2.1
541
;headers = Email:X-User-Email, Name:X-User-Name
542
543
# Read the auth proxy docs for details on what the setting below enables
;enable_login_token = false
Florian Pritz's avatar
Florian Pritz committed
544

Jelle van der Waa's avatar
Jelle van der Waa committed
545
546
547
548
549
550
551
552
553
554
555
556
#################################### Auth JWT ##########################
[auth.jwt]
;enabled = true
;header_name = X-JWT-Assertion
;email_claim = sub
;username_claim = sub
;jwk_set_url = https://foo.bar/.well-known/jwks.json
;jwk_set_file = /path/to/jwks.json
;cache_ttl = 60m
;expected_claims = {"aud": ["foo", "bar"]}
;key_file = /path/to/key/file

Florian Pritz's avatar
Florian Pritz committed
557
558
559
560
561
562
#################################### Auth LDAP ##########################
[auth.ldap]
;enabled = false
;config_file = /etc/grafana/ldap.toml
;allow_sign_up = true

Jelle van der Waa's avatar
Jelle van der Waa committed
563
# LDAP background sync (Enterprise only)
564
565
566
567
# At 1 am every day
;sync_cron = "0 0 1 * * *"
;active_sync_enabled = true

Jelle van der Waa's avatar
Jelle van der Waa committed
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
#################################### AWS ###########################
[aws]
# Enter a comma-separated list of allowed AWS authentication providers.
# Options are: default (AWS SDK Default), keys (Access && secret key), credentials (Credentials field), ec2_iam_role (EC2 IAM Role)
; allowed_auth_providers = default,keys,credentials

# Allow AWS users to assume a role using temporary security credentials.
# If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
; assume_role_enabled = true

#################################### Azure ###############################
[azure]
# Azure cloud environment where Grafana is hosted
# Possible values are AzureCloud, AzureChinaCloud, AzureUSGovernment and AzureGermanCloud
# Default value is AzureCloud (i.e. public cloud)
;cloud = AzureCloud

# Specifies whether Grafana hosted in Azure service with Managed Identity configured (e.g. Azure Virtual Machines instance)
# If enabled, the managed identity can be used for authentication of Grafana in Azure services
# Disabled by default, needs to be explicitly enabled
;managed_identity_enabled = false

# Client ID to use for user-assigned managed identity
# Should be set for user-assigned identity and should be empty for system-assigned identity
;managed_identity_client_id =

Florian Pritz's avatar
Florian Pritz committed
594
595
596
597
598
#################################### SMTP / Emailing ##########################
[smtp]
;enabled = false
;host = localhost:25
;user =
599
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
Florian Pritz's avatar
Florian Pritz committed
600
601
602
603
604
605
;password =
;cert_file =
;key_file =
;skip_verify = false
;from_address = admin@grafana.localhost
;from_name = Grafana
606
607
# EHLO identity in SMTP dialog (defaults to instance_name)
;ehlo_identity = dashboard.example.com
Jelle van der Waa's avatar
Jelle van der Waa committed
608
609
# SMTP startTLS policy (defaults to 'OpportunisticStartTLS')
;startTLS_policy = NoStartTLS
Florian Pritz's avatar
Florian Pritz committed
610
611
612

[emails]
;welcome_email_on_sign_up = false
613
;templates_pattern = emails/*.html
Florian Pritz's avatar
Florian Pritz committed
614
615
616
617
618
619
620

#################################### Logging ##########################
[log]
# Either "console", "file", "syslog". Default is console and  file
# Use space to separate multiple modes, e.g. "console file"
mode = syslog

621
# Either "debug", "info", "warn", "error", "critical", default is "info"
Florian Pritz's avatar
Florian Pritz committed
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
;level = info

# optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
;filters =

# For "console" mode only
[log.console]
;level =

# log line format, valid options are text, console and json
;format = console

# For "file" mode only
[log.file]
;level =

# log line format, valid options are text, console and json
;format = text

# This enables automated log rotate(switch of following options), default is true
;log_rotate = true

# Max line number of single file, default is 1000000
;max_lines = 1000000

# Max size shift of single file, default is 28 means 1 << 28, 256MB
;max_size_shift = 28

# Segment log daily, default is true
;daily_rotate = true

# Expired days of log file(delete after max days), default is 7
;max_days = 7

[log.syslog]
;level =

# log line format, valid options are text, console and json
;format = text

# Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
;network =
;address =

# Syslog facility. user, daemon and local0 through local7 are valid.
;facility =

# Syslog tag. By default, the process' argv[0] is used.
;tag =

Jelle van der Waa's avatar
Jelle van der Waa committed
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
[log.frontend]
# Should Sentry javascript agent be initialized
;enabled = false

# Sentry DSN if you want to send events to Sentry.
;sentry_dsn =

# Custom HTTP endpoint to send events captured by the Sentry agent to. Default will log the events to stdout.
;custom_endpoint = /log

# Rate of events to be reported between 0 (none) and 1 (all), float
;sample_rate = 1.0

# Requests per second limit enforced an extended period, for Grafana backend log ingestion endpoint (/log).
;log_endpoint_requests_per_second_limit = 3

# Max requests accepted per short interval of time for Grafana backend log ingestion endpoint (/log).
;log_endpoint_burst_limit = 15

691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
#################################### Usage Quotas ########################
[quota]
; enabled = false

#### set quotas to -1 to make unlimited. ####
# limit number of users per Org.
; org_user = 10

# limit number of dashboards per Org.
; org_dashboard = 100

# limit number of data_sources per Org.
; org_data_source = 10

# limit number of api_keys per Org.
; org_api_key = 10

Jelle van der Waa's avatar
Jelle van der Waa committed
708
709
710
# limit number of alerts per Org.
;org_alert_rule = 100

711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
# limit number of orgs a user can create.
; user_org = 10

# Global limit of users.
; global_user = -1

# global limit of orgs.
; global_org = -1

# global limit of dashboards
; global_dashboard = -1

# global limit of api_keys
; global_api_key = -1

# global limit on number of logged in users.
; global_session = -1

Jelle van der Waa's avatar
Jelle van der Waa committed
729
730
731
# global limit of alerts
;global_alert_rule = -1

Florian Pritz's avatar
Florian Pritz committed
732
733
734
735
736
737
738
#################################### Alerting ############################
[alerting]
# Disable alerting engine & UI features
enabled = false
# Makes it possible to turn off alert rule execution but alerting UI is visible
;execute_alerts = true

739
740
741
742
743
744
745
746
747
748
# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
;error_or_timeout = alerting

# Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
;nodata_or_nullvalues = no_data

# Alert notifications can include images, but rendering many images at the same time can overload the server
# This limit will protect the server from render overloading and make sure notifications are sent out quickly
;concurrent_render_limit = 5

749
750
751
752
753
754
755
756
757
758
759
760

# Default setting for alert calculation timeout. Default value is 30
;evaluation_timeout_seconds = 30

# Default setting for alert notification timeout. Default value is 30
;notification_timeout_seconds = 30

# Default setting for max attempts to sending alert notifications. Default value is 3
;max_attempts = 3

# Makes it possible to enforce a minimal interval between evaluations, to reduce load on the backend
;min_interval_seconds = 1
Jelle van der Waa's avatar
Jelle van der Waa committed
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
# Configures for how long alert annotations are stored. Default is 0, which keeps them forever.
# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
;max_annotation_age =

# Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.
;max_annotations_to_keep =

#################################### Annotations #########################
[annotations]
# Configures the batch size for the annotation clean-up job. This setting is used for dashboard, API, and alert annotations.
;cleanupjob_batchsize = 100

[annotations.dashboard]
# Dashboard annotations means that annotations are associated with the dashboard they are created on.

# Configures how long dashboard annotations are stored. Default is 0, which keeps them forever.
# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
;max_age =

# Configures max number of dashboard annotations that Grafana stores. Default value is 0, which keeps all dashboard annotations.
;max_annotations_to_keep =

[annotations.api]
# API annotations means that the annotations have been created using the API without any
# association with a dashboard.

# Configures how long Grafana stores API annotations. Default is 0, which keeps them forever.
# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
;max_age =

# Configures max number of API annotations that Grafana keeps. Default value is 0, which keeps all API annotations.
;max_annotations_to_keep =
793

794
795
796
797
798
#################################### Explore #############################
[explore]
# Enable the Explore section
;enabled = false

Florian Pritz's avatar
Florian Pritz committed
799
#################################### Internal Grafana Metrics ##########################
800
# Metrics available at HTTP API Url /metrics
Florian Pritz's avatar
Florian Pritz committed
801
802
803
[metrics]
# Disable / Enable internal metrics
;enabled           = true
804
# Graphite Publish interval
Florian Pritz's avatar
Florian Pritz committed
805
;interval_seconds  = 10
806
807
808
809
810
811
# Disable total stats (stat_totals_*) metrics to be generated
;disable_total_stats = false

#If both are set, basic auth will be required for the metrics endpoint.
; basic_auth_username =
; basic_auth_password =
Florian Pritz's avatar
Florian Pritz committed
812

Jelle van der Waa's avatar
Jelle van der Waa committed
813
814
815
816
817
818
# Metrics environment info adds dimensions to the `grafana_environment_info` metric, which
# can expose more information about the Grafana instance.
[metrics.environment_info]
#exampleLabel1 = exampleValue1
#exampleLabel2 = exampleValue2

Florian Pritz's avatar
Florian Pritz committed
819
820
821
822
823
824
# Send internal metrics to Graphite
[metrics.graphite]
# Enable by setting the address setting (ex localhost:2003)
;address =
;prefix = prod.grafana.%(instance_name)s.

825
826
827
828
829
#################################### Grafana.com integration  ##########################
# Url used to import dashboards directly from Grafana.com
[grafana_com]
;url = https://grafana.com

830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
#################################### Distributed tracing ############
[tracing.jaeger]
# Enable by setting the address sending traces to jaeger (ex localhost:6831)
;address = localhost:6831
# Tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
;always_included_tag = tag1:value1
# Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
;sampler_type = const
# jaeger samplerconfig param
# for "const" sampler, 0 or 1 for always false/true respectively
# for "probabilistic" sampler, a probability between 0 and 1
# for "rateLimiting" sampler, the number of spans per second
# for "remote" sampler, param is the same as for "probabilistic"
# and indicates the initial sampling rate before the actual one
# is received from the mothership
;sampler_param = 1
Jelle van der Waa's avatar
Jelle van der Waa committed
846
847
# sampling_server_url is the URL of a sampling manager providing a sampling strategy.
;sampling_server_url =
848
849
850
851
852
# Whether or not to use Zipkin propagation (x-b3- HTTP headers).
;zipkin_propagation = false
# Setting this to true disables shared RPC spans.
# Not disabling is the most common setting when using Zipkin elsewhere in your infrastructure.
;disable_shared_zipkin_spans = false
Florian Pritz's avatar
Florian Pritz committed
853
854
855
856

#################################### External image storage ##########################
[external_image_storage]
# Used for uploading images to public servers so they can be included in slack/email messages.
857
# you can choose between (s3, webdav, gcs, azure_blob, local)
Florian Pritz's avatar
Florian Pritz committed
858
859
860
;provider =

[external_image_storage.s3]
861
862
;endpoint =
;path_style_access =
863
864
865
;bucket =
;region =
;path =
Florian Pritz's avatar
Florian Pritz committed
866
867
868
869
870
871
872
873
;access_key =
;secret_key =

[external_image_storage.webdav]
;url =
;public_url =
;username =
;password =
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888

[external_image_storage.gcs]
;key_file =
;bucket =
;path =

[external_image_storage.azure_blob]
;account_name =
;account_key =
;container_name =

[external_image_storage.local]
# does not require any configuration

[rendering]
889
890
# Options to configure a remote HTTP image rendering service, e.g. using https://github.com/grafana/grafana-image-renderer.
# URL to a remote HTTP image renderer service, e.g. http://localhost:8081/render, will enable Grafana to render panels and dashboards to PNG-images using HTTP requests to an external service.
891
;server_url =
892
# If the remote HTTP image renderer service runs on a different server than the Grafana server you may have to configure this to a URL where Grafana is reachable, e.g. http://grafana.domain/.
893
;callback_url =
Jelle van der Waa's avatar
Jelle van der Waa committed
894
895
896
# Concurrent render request limit affects when the /render HTTP endpoint is used. Rendering many images at the same time can overload the server,
# which this setting can help protect against by only allowing a certain amount of concurrent requests.
;concurrent_render_request_limit = 30
897

898
899
900
901
902
903
904
[panels]
# If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities.
;disable_sanitize_html = false

[plugins]
;enable_alpha = false
;app_tls_skip_verify_insecure = false
Jelle van der Waa's avatar
Jelle van der Waa committed
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
# Enter a comma-separated list of plugin identifiers to identify plugins that are allowed to be loaded even if they lack a valid signature.
;allow_loading_unsigned_plugins =
# Enable or disable installing plugins directly from within Grafana.
;plugin_admin_enabled = false
;plugin_admin_external_manage_enabled = false
;plugin_catalog_url = https://grafana.com/grafana/plugins/

#################################### Grafana Image Renderer Plugin ##########################
[plugin.grafana-image-renderer]
# Instruct headless browser instance to use a default timezone when not provided by Grafana, e.g. when rendering panel image of alert.
# See ICU’s metaZones.txt (https://cs.chromium.org/chromium/src/third_party/icu/source/data/misc/metaZones.txt) for a list of supported
# timezone IDs. Fallbacks to TZ environment variable if not set.
;rendering_timezone =

# Instruct headless browser instance to use a default language when not provided by Grafana, e.g. when rendering panel image of alert.
# Please refer to the HTTP header Accept-Language to understand how to format this value, e.g. 'fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5'.
;rendering_language =

# Instruct headless browser instance to use a default device scale factor when not provided by Grafana, e.g. when rendering panel image of alert.
# Default is 1. Using a higher value will produce more detailed images (higher DPI), but will require more disk space to store an image.
;rendering_viewport_device_scale_factor =

# Instruct headless browser instance whether to ignore HTTPS errors during navigation. Per default HTTPS errors are not ignored. Due to
# the security risk it's not recommended to ignore HTTPS errors.
;rendering_ignore_https_errors =

# Instruct headless browser instance whether to capture and log verbose information when rendering an image. Default is false and will
# only capture and log error messages. When enabled, debug messages are captured and logged as well.
# For the verbose information to be included in the Grafana server log you have to adjust the rendering log level to debug, configure
# [log].filter = rendering:debug.
;rendering_verbose_logging =

# Instruct headless browser instance whether to output its debug and error messages into running process of remote rendering service.
# Default is false. This can be useful to enable (true) when troubleshooting.
;rendering_dumpio =

# Additional arguments to pass to the headless browser instance. Default is --no-sandbox. The list of Chromium flags can be found
# here (https://peter.sh/experiments/chromium-command-line-switches/). Multiple arguments is separated with comma-character.
;rendering_args =

# You can configure the plugin to use a different browser binary instead of the pre-packaged version of Chromium.
# Please note that this is not recommended, since you may encounter problems if the installed version of Chrome/Chromium is not
# compatible with the plugin.
;rendering_chrome_bin =

# Instruct how headless browser instances are created. Default is 'default' and will create a new browser instance on each request.
# Mode 'clustered' will make sure that only a maximum of browsers/incognito pages can execute concurrently.
# Mode 'reusable' will have one browser instance and will create a new incognito page on each request.
;rendering_mode =

# When rendering_mode = clustered you can instruct how many browsers or incognito pages can execute concurrently. Default is 'browser'
# and will cluster using browser instances.
# Mode 'context' will cluster using incognito pages.
;rendering_clustering_mode =
# When rendering_mode = clustered you can define maximum number of browser instances/incognito pages that can execute concurrently..
;rendering_clustering_max_concurrency =

# Limit the maximum viewport width, height and device scale factor that can be requested.
;rendering_viewport_max_width =
;rendering_viewport_max_height =
;rendering_viewport_max_device_scale_factor =

# Change the listening host and port of the gRPC server. Default host is 127.0.0.1 and default port is 0 and will automatically assign
# a port not in use.
;grpc_host =
;grpc_port =
971

972
973
974
975
[enterprise]
# Path to a valid Grafana Enterprise license.jwt file
;license_path =

976
977
978
[feature_toggles]
# enable features, separated by spaces
;enable =
Jelle van der Waa's avatar
Jelle van der Waa committed
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000

[date_formats]
# For information on what formatting patterns that are supported https://momentjs.com/docs/#/displaying/

# Default system date format used in time range picker and other places where full time is displayed
;full_date = YYYY-MM-DD HH:mm:ss

# Used by graph and other places where we only show small intervals
;interval_second = HH:mm:ss
;interval_minute = HH:mm
;interval_hour = MM/DD HH:mm
;interval_day = MM/DD
;interval_month = YYYY-MM
;interval_year = YYYY

# Experimental feature
;use_browser_locale = false

# Default timezone for user preferences. Options are 'browser' for the browser local timezone or a timezone name from IANA Time Zone database, e.g. 'UTC' or 'Europe/Amsterdam' etc.
;default_timezone = browser

[expressions]
For faster browsing, not all history is shown. View entire blame