Also stop using oauth_auto_login and switch to provider specific
auto_login option.

From [1]: "By default, the new Quarkus distribution removes /auth from
           the context-path."

[1] https://www.keycloak.org/migration/migrating-to-quarkus

Using an inline statement eats the blank line after it; to overcome this
switch to an inline expression, which also happens to be easier to read.

- enable_gzip: grafana listens on localhost, nginx handles compression
- admin_user: initial admin creation is disabled in our config
- strict_transport_security: the same header is set by nginx
- strict_transport_security_max_age_seconds: unused without the above

Symlinking home.json to archive.json causes a duplicate, as both
dashboards have the same uid, and Grafana won't keep the dashboards
updated when there are duplicates[1]. Instead just change
default_home_dashboard_path to point to the archive.json dashboard.

[1] "dashboards provisioning provider has no database write permissions
     because of duplicates"

We don't have any state for dashboards.archlinux.org we want to persist,
so to avoid any stale data in the database, start with a new empty
in-memory database every time Grafana starts.

Without this fix all the Prometheus dashboards failed loading data with:
"Error updating options: origin not allowed".

[1] https://github.com/grafana/grafana/issues/45117#issuecomment-1033842787

Grafana v8.2.0 added support for Prometheus's Alertmanager[1] which can
be used with the Unified Alerting added in v8.0.0[2].

[1] https://github.com/grafana/grafana/releases/tag/v8.2.0
[2] https://grafana.com/blog/2021/06/08/grafana-8.0-unified-grafana-and-prometheus-alerts-live-streaming-new-visualizations-and-more/

Mostly changes from Grafana v8.0[1].

[1] https://grafana.com/docs/grafana/latest/whatsnew/whats-new-in-v8-0/

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

This reverts commit 649568e7 ("Restrict Grafana access to Arch Linux
Staff group on Keycloak (fixes #151)").

Kristian Klausen authored 3 years ago and Jelle van der Waa committed 3 years ago

X-Forwarded-For is defined as X-Forwarded-For: <client>, <proxy1>,
<proxy2>, and it was set to $proxy_add_x_forwarded_for which is
basically $http_x_forwarded_for,$remote_addr and headers from the client
can't be trusted!

Fix #292

Kristian Klausen authored 4 years ago and Jelle van der Waa committed 3 years ago

A extra access_log entry was added with the following commands:
$ cd roles
$ grep -lr access_log | xargs -P 1 -n 1 sed -i '/access_log/ s/\(.*\)\( \)\(\(reduced\|main\);$\)/\1 \3\n\1.json json_\3/'

Kristian Klausen authored 4 years ago and Jelle van der Waa committed 3 years ago

Fix #263

Jelle van der Waa authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

Configure Grafana to use Keycloak OpenID Connect for authentication. For
now only DevOps is configured as admin and Arch Staff as general Viewer
roles.

Jelle van der Waa authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

To show the session IP address in /profile in Grafana the
X-Forwarded-For header has to be set.

https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#taxing-rewrites