From dbe6ceed770dc816b89d169124ef999db05cc789 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutras.com>
Date: Sun, 3 Sep 2023 01:23:11 +0300
Subject: [PATCH] grafana: rebase grafana.ini to grafana 10.1.0-1

---
 roles/grafana/templates/grafana.ini.j2 | 107 +++++++++++++++++++------
 1 file changed, 82 insertions(+), 25 deletions(-)

diff --git a/roles/grafana/templates/grafana.ini.j2 b/roles/grafana/templates/grafana.ini.j2
index ab910b087..20dc04465 100644
--- a/roles/grafana/templates/grafana.ini.j2
+++ b/roles/grafana/templates/grafana.ini.j2
@@ -34,6 +34,9 @@ provisioning = /etc/grafana/provisioning
 # Protocol (http, https, h2, socket)
 ;protocol = http
 
+# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.2, TLS1.3. If nothing is set TLS1.2 would be taken
+;min_tls_version = ""
+
 # The ip address to bind to, empty will bind to all interfaces
 http_addr = 127.0.0.1
 
@@ -165,7 +168,7 @@ path = ":memory"
 # For "sqlite" only. How many times to retry transaction in case of database is locked failures. Default is 5.
 ;transaction_retries = 5
 
-# Set to true to add metrics and tracing for database queries. 
+# Set to true to add metrics and tracing for database queries.
 ;instrument_queries = false
 
 ################################### Data sources #########################
@@ -385,6 +388,9 @@ cookie_samesite = strict
 # The CSRF check will be executed even if the request has no login cookie.
 ;csrf_always_check = false
 
+# Comma-separated list of plugins ids that won't be loaded inside the frontend sandbox
+;disable_frontend_sandbox_for_plugins =
+
 [security.encryption]
 # Defines the time-to-live (TTL) for decrypted data encryption keys stored in memory (cache).
 # Please note that small values may cause performance issues due to a high frequency decryption operations.
@@ -441,7 +447,7 @@ allow_sign_up = false
 # Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
 ;auto_assign_org_id = 1
 
-# Default role new users will be automatically assigned (if auto_assign_org above is set to true)
+# Default role new users will be automatically assigned
 ;auto_assign_org_role = Viewer
 
 # Require email validation before sign up completes
@@ -597,7 +603,7 @@ hide_version = true
 ;auto_login = false
 ;client_id = some_id
 ;client_secret = some_secret
-;scopes = api
+;scopes = openid email profile
 ;auth_url = https://gitlab.com/oauth/authorize
 ;token_url = https://gitlab.com/oauth/token
 ;api_url = https://gitlab.com/api/v4
@@ -607,6 +613,11 @@ hide_version = true
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
 ;skip_org_role_sync = false
+;tls_skip_verify_insecure = false
+;tls_client_cert =
+;tls_client_key =
+;tls_client_ca =
+;use_pkce = true
 
 #################################### Google Auth ##########################
 [auth.google]
@@ -617,13 +628,14 @@ hide_version = true
 ;auto_login = false
 ;client_id = some_client_id
 ;client_secret = some_client_secret
-;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
-;auth_url = https://accounts.google.com/o/oauth2/auth
-;token_url = https://accounts.google.com/o/oauth2/token
-;api_url = https://www.googleapis.com/oauth2/v1/userinfo
+;scopes = openid email profile
+;auth_url = https://accounts.google.com/o/oauth2/v2/auth
+;token_url = https://oauth2.googleapis.com/token
+;api_url = https://openidconnect.googleapis.com/v1/userinfo
 ;allowed_domains =
 ;hosted_domain =
 ;skip_org_role_sync = false
+;use_pkce = true
 
 #################################### Grafana.com Auth ####################
 [auth.grafana_com]
@@ -655,6 +667,7 @@ hide_version = true
 ;allowed_organizations =
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
+;use_pkce = true
 # prevent synchronizing users organization roles
 ;skip_org_role_sync = false
 
@@ -676,6 +689,7 @@ hide_version = true
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
 ;skip_org_role_sync = false
+;use_pkce = true
 
 {% if not grafana_anonymous_access %}
 #################################### Generic OAuth ##########################
@@ -771,6 +785,12 @@ role_attribute_strict = true
 # If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
 ; assume_role_enabled = true
 
+# Specify max no of pages to be returned by the ListMetricPages API
+; list_metrics_page_limit = 500
+
+# Experimental, for use in Grafana Cloud only. Please do not set.
+; external_id = 
+
 #################################### Azure ###############################
 [azure]
 # Azure cloud environment where Grafana is hosted
@@ -787,6 +807,23 @@ role_attribute_strict = true
 # Should be set for user-assigned identity and should be empty for system-assigned identity
 ;managed_identity_client_id =
 
+# Specifies whether user identity authentication (on behalf of currently signed-in user) should be enabled in datasources
+# that support it (requires AAD authentication)
+# Disabled by default, needs to be explicitly enabled
+;user_identity_enabled = false
+
+# Override token URL for Azure Active Directory
+# By default is the same as token URL configured for AAD authentication settings
+;user_identity_token_url =
+
+# Override ADD application ID which would be used to exchange users token to an access token for the datasource
+# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
+;user_identity_client_id =
+
+# Override the AAD application client secret
+# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
+;user_identity_client_secret =
+
 #################################### Role-based Access Control ###########
 [rbac]
 ;permission_cache = true
@@ -829,6 +866,9 @@ mode = syslog
 # optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
 ;filters =
 
+# Set the default error message shown to users. This message is displayed instead of sensitive backend errors which should be obfuscated. Default is the same as the sample value.
+;user_facing_default_error = "please inspect Grafana server log for details"
+
 # For "console" mode only
 [log.console]
 ;level =
@@ -875,20 +915,11 @@ mode = syslog
 ;tag =
 
 [log.frontend]
-# Should Sentry javascript agent be initialized
+# Should Faro javascript agent be initialized
 ;enabled = false
 
-# Defines which provider to use, default is Sentry
-;provider = sentry
-
-# Sentry DSN if you want to send events to Sentry.
-;sentry_dsn =
-
-# Custom HTTP endpoint to send events captured by the Sentry agent to. Default will log the events to stdout.
-;custom_endpoint = /log
-
-# Rate of events to be reported between 0 (none) and 1 (all), float
-;sample_rate = 1.0
+# Custom HTTP endpoint to send events to. Default will log the events to stdout.
+;custom_endpoint = /log-grafana-javascript-agent
 
 # Requests per second limit enforced an extended period, for Grafana backend log ingestion endpoint (/log).
 ;log_endpoint_requests_per_second_limit = 3
@@ -1003,6 +1034,11 @@ mode = syslog
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
 ;ha_peer_timeout = "15s"
 
+# The label is an optional string to include on each packet and stream.
+# It uniquely identifies the cluster and prevents cross-communication
+# issues when sending gossip messages in an enviromenet with multiple clusters.
+;ha_label =
+
 # The interval between sending gossip messages. By lowering this value (more frequent) gossip messages are propagated
 # across cluster more quickly at the expense of increased bandwidth usage.
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
@@ -1164,6 +1200,16 @@ mode = syslog
 # Enable the Profile section
 ;enabled = true
 
+#################################### News #############################
+[news]
+# Enable the news feed section
+; news_feed_enabled = true
+
+#################################### Query #############################
+[query]
+# Set the number of data source queries that can be executed concurrently in mixed queries. Default is the number of CPUs.
+;concurrent_query_limit =
+
 #################################### Query History #############################
 [query_history]
 # Enable the Query history
@@ -1178,6 +1224,8 @@ mode = syslog
 ;interval_seconds  = 10
 # Disable total stats (stat_totals_*) metrics to be generated
 ;disable_total_stats = false
+# The interval at which the total stats collector will update the stats. Default is 1800 seconds.
+;total_stats_collector_interval_seconds = 1800
 
 #If both are set, basic auth will be required for the metrics endpoints.
 ; basic_auth_username =
@@ -1312,8 +1360,11 @@ mode = syslog
 ;plugin_catalog_hidden_plugins =
 # Log all backend requests for core and external plugins.
 ;log_backend_requests = false
-# Force download of public key for verifying plugin signature on startup.
-;enforce_public_key_download = false
+# Disable download of the public key for verifying plugin signature.
+; public_key_retrieval_disabled = false
+# Force download of the public key for verifying plugin signature on startup. If disabled, the public key will be retrieved every 10 days.
+# Requires public_key_retrieval_disabled to be false to have any effect.
+; public_key_retrieval_on_startup = false
 
 #################################### Grafana Live ##########################################
 [live]
@@ -1460,13 +1511,13 @@ mode = syslog
 
 # Move an app plugin referenced by its id (including all its pages) to a specific navigation section
 [navigation.app_sections]
-# The following will move an app plugin with the id of `my-app-id` under the `starred` section
-# my-app-id = admin
+# The following will move an app plugin with the id of `my-app-id` under the `cfg` section
+# my-app-id = cfg
 
 # Move a specific app plugin page (referenced by its `path` field) to a specific navigation section
 [navigation.app_standalone_pages]
-# The following will move the page with the path "/a/my-app-id/starred-content" from `my-app-id` to the `starred` section
-# /a/my-app-id/starred-content = starred
+# The following will move the page with the path "/a/my-app-id/my-page" from `my-app-id` to the `cfg` section
+# /a/my-app-id/my-page = cfg
 
 #################################### Secure Socks5 Datasource Proxy #####################################
 [secure_socks_datasource_proxy]
@@ -1477,3 +1528,9 @@ mode = syslog
 ; server_name =
 # The address of the socks5 proxy datasources should connect to
 ; proxy_address =
+; show_ui = true
+
+################################## Feature Management ##############################################
+[feature_management]
+hidden_toggles =
+read_only_toggles =
-- 
GitLab