From 7767510045694d97a49c162f4bb17f0a5fc1f1ef Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutrelis.com>
Date: Sat, 18 Mar 2023 19:30:17 +0200
Subject: [PATCH] grafana: rebase grafana.ini to grafana 9.4.3-1

Also stop using oauth_auto_login and switch to the provider-specific
auto_login option.
---
 roles/grafana/templates/grafana.ini.j2 | 61 ++++++++++++++++++++++++--
 1 file changed, 57 insertions(+), 4 deletions(-)

diff --git a/roles/grafana/templates/grafana.ini.j2 b/roles/grafana/templates/grafana.ini.j2
index 485c6726a..e24944a83 100644
--- a/roles/grafana/templates/grafana.ini.j2
+++ b/roles/grafana/templates/grafana.ini.j2
@@ -86,6 +86,11 @@ root_url = https://{{grafana_domain}}
 # `0` means there is no timeout for reading the request.
 ;read_timeout = 0
 
+# This setting enables you to specify additional headers that the server adds to HTTP(S) responses.
+[server.custom_response_headers]
+#exampleHeader1 = exampleValue1
+#exampleHeader2 = exampleValue2
+
 #################################### Database ####################################
 [database]
 # You can configure the database connection by specifying type, host, name, user and password
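Review bot: The commented-out example keys under the new `[server.custom_response_headers]` section use `#` as their marker (`#exampleHeader1 = exampleValue1`), while every other disabled key in this template uses `;` (compare `;read_timeout = 0` just above); the `[rbac]` hunk further down has the same inconsistency with `#reset_basic_roles = false`. Grafana's ini parser accepts both markers, so this is a readability point rather than a defect, but a reader scanning for `;`-prefixed defaults will miss these lines. I would write `;exampleHeader1 = exampleValue1` and `;exampleHeader2 = exampleValue2` here and `;reset_basic_roles = false` in `[rbac]`, unless the intent is to keep the text byte-identical to upstream's sample.ini to ease future rebases.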
@@ -140,6 +145,9 @@ path = ":memory"
 # For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
 ;cache_mode = private
 
+# For "sqlite3" only. Enable/disable Write-Ahead Logging, https://sqlite.org/wal.html. Default is false.
+;wal = false
+
 # For "mysql" only if migrationLocking feature toggle is set. How many seconds to wait before failing to lock the database for the migrations, default is 0.
 ;locking_attempt_timeout_sec = 0
 
@@ -165,6 +173,12 @@ path = ":memory"
 # memcache: 127.0.0.1:11211
 ;connstr =
 
+# prefix prepended to all the keys in the remote cache
+; prefix =
+
+# This enables encryption of values stored in the remote cache
+;encryption =
+
 #################################### Data proxy ###########################
 [dataproxy]
 
@@ -334,6 +348,14 @@ cookie_samesite = strict
 # $ROOT_PATH is server.root_url without the protocol.
 ;content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""
 
+# Enable adding the Content-Security-Policy-Report-Only header to your requests.
+# Allows you to monitor the effects of a policy without enforcing it.
+;content_security_policy_report_only = false
+
+# Set Content Security Policy Report Only template used when adding the Content-Security-Policy-Report-Only header to your requests.
+# $NONCE in the template includes a random nonce.
+# $ROOT_PATH is server.root_url without the protocol.
+;content_security_policy_report_only_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""
 # Controls if old angular plugins are supported or not. This will be disabled by default in future release
 ;angular_support_enabled = true
 
@@ -354,6 +376,9 @@ cookie_samesite = strict
 
 #################################### Snapshots ###########################
 [snapshots]
+# set to false to remove snapshot functionality
+;enabled = true
+
 # snapshot sharing options
 ;external_enabled = true
 ;external_snapshot_url = https://snapshots.raintank.io
@@ -409,8 +434,8 @@ allow_sign_up = false
 # Default UI theme ("dark" or "light")
 ;default_theme = dark
 
-# Default locale (supported IETF language tag, such as en-US)
-;default_locale = en-US
+# Default UI language (supported IETF language tag, such as en-US)
+;default_language = en-US
 
 # Path to a custom home page. Users are only redirected to this if the default home dashboard is used. It should match a frontend route and contain a leading slash.
 ;home_page =
@@ -432,6 +457,11 @@ allow_sign_up = false
 # Enter a comma-separated list of users login to hide them in the Grafana UI. These users are shown to Grafana admins and themselves.
 ; hidden_users =
 
+[service_accounts]
+# Service account maximum expiration date in days.
+# When set, Grafana will not allow the creation of tokens with expiry greater than this setting.
+; token_expiration_day_limit =
+
 [auth]
 # Login cookie name
 ;login_cookie_name = grafana_session
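Review bot: `; token_expiration_day_limit =` is left unset, which per its own comment means there is no upper bound on the lifetime a service-account token can be created with; for an internet-facing deployment it is worth either setting a bound (for example `token_expiration_day_limit = 90`, a constructed value) or adding a comment recording that unlimited token lifetimes are intentional. The key is also written `; token_expiration_day_limit` with a space after the marker while the neighbouring `;login_cookie_name` has none; harmless to the parser, but inconsistent within the file.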
@@ -459,7 +489,8 @@ signout_redirect_url = https://accounts.archlinux.org/realms/archlinux/protocol/
 
 # Set to true to attempt login with OAuth automatically, skipping the login screen.
 # This setting is ignored if multiple OAuth providers are configured.
-oauth_auto_login = true
+# Deprecated, use auto_login option for specific provider instead.
+;oauth_auto_login = false
 
 # OAuth state max age cookie duration in seconds. Defaults to 600 seconds.
 ;oauth_state_cookie_max_age = 600
@@ -479,6 +510,9 @@ oauth_auto_login = true
 # Set to true to enable Azure authentication option for HTTP-based datasources.
 ;azure_auth_enabled = false
 
+# Set to skip the organization role from JWT login and use system's role assignment instead.
+; skip_org_role_sync = false
+
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access
@@ -497,6 +531,7 @@ hide_version = true
 [auth.github]
 ;enabled = false
 ;allow_sign_up = true
+;auto_login = false
 ;client_id = some_id
 ;client_secret = some_secret
 ;scopes = user:email,read:org
@@ -514,6 +549,7 @@ hide_version = true
 [auth.gitlab]
 ;enabled = false
 ;allow_sign_up = true
+;auto_login = false
 ;client_id = some_id
 ;client_secret = some_secret
 ;scopes = api
@@ -525,11 +561,13 @@ hide_version = true
 ;role_attribute_path =
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
+;skip_org_role_sync = false
 
 #################################### Google Auth ##########################
 [auth.google]
 ;enabled = false
 ;allow_sign_up = true
+;auto_login = false
 ;client_id = some_client_id
 ;client_secret = some_client_secret
 ;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
@@ -538,21 +576,25 @@ hide_version = true
 ;api_url = https://www.googleapis.com/oauth2/v1/userinfo
 ;allowed_domains =
 ;hosted_domain =
+;skip_org_role_sync = false
 
 #################################### Grafana.com Auth ####################
 [auth.grafana_com]
 ;enabled = false
 ;allow_sign_up = true
+;auto_login = false
 ;client_id = some_id
 ;client_secret = some_secret
 ;scopes = user:email
 ;allowed_organizations =
+;skip_org_role_sync = false
 
 #################################### Azure AD OAuth #######################
 [auth.azuread]
 ;name = Azure AD
 ;enabled = false
 ;allow_sign_up = true
+;auto_login = false
 ;client_id = some_client_id
 ;client_secret = some_client_secret
 ;scopes = openid email profile
@@ -562,12 +604,15 @@ hide_version = true
 ;allowed_groups =
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
+# prevent synchronizing users organization roles
+;skip_org_role_sync = false
 
 #################################### Okta OAuth #######################
 [auth.okta]
 ;name = Okta
 ;enabled = false
 ;allow_sign_up = true
+;auto_login = false
 ;client_id = some_id
 ;client_secret = some_secret
 ;scopes = openid profile email groups
@@ -579,6 +624,7 @@ hide_version = true
 ;role_attribute_path =
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
+;skip_org_role_sync = false
 
 {% if not grafana_anonymous_access %}
 #################################### Generic OAuth ##########################
@@ -586,6 +632,7 @@ hide_version = true
 enabled = true
 name = OAuth
 allow_sign_up = true
+auto_login = true
 client_id = openid_grafana
 client_secret = {{ vault_monitoring_grafana_client_secret }}
 scopes = openid profile email
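Review bot: `auto_login = true` makes the generic OAuth provider skip the login screen, so anyone who needs the local login form (for example the built-in admin while the identity provider is unavailable) has no visible way to reach it; a comment above the line documenting the break-glass path would help, e.g. `# Skips the login page; the local login form stays reachable via /login?disableAutoLogin` (confirm the parameter against the Grafana 9.4 documentation before relying on it). The enclosing Generic OAuth section header is above this hunk, inside the `{% if not grafana_anonymous_access %}` guard, so the setting is only rendered when anonymous access is off. This replaces the previous global `oauth_auto_login = true`, consistent with the commit message.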
@@ -692,6 +739,11 @@ role_attribute_strict = true
 #################################### Role-based Access Control ###########
 [rbac]
 ;permission_cache = true
+
+# Reset basic roles permissions on boot
+# Warning left to true, basic roles permissions will be reset on every boot
+#reset_basic_roles = false
+
 #################################### SMTP / Emailing ##########################
 [smtp]
 ;enabled = false
@@ -1023,6 +1075,7 @@ mode = syslog
 # Url used to import dashboards directly from Grafana.com
 [grafana_com]
 ;url = https://grafana.com
+;api_url = https://grafana.com/api
 
 #################################### Distributed tracing ############
 # Opentracing is deprecated use opentelemetry instead
@@ -1285,7 +1338,7 @@ mode = syslog
 ; enabled = false
 ; root_ca_cert =
 ; client_key =
-; client_cert = 
+; client_cert =
 ; server_name =
 # The address of the socks5 proxy datasources should connect to
 ; proxy_address =
-- 
GitLab