diff --git a/roles/grafana/scripts/rebase-grafana-ini.sh b/roles/grafana/scripts/rebase-grafana-ini.sh
new file mode 100755
index 0000000000000000000000000000000000000000..dff528b79937a19049e0abd3e718d0fb29a06810
--- /dev/null
+++ b/roles/grafana/scripts/rebase-grafana-ini.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+mon_grafana_ver=$(ssh root@monitoring.archlinux.org pacman -Q grafana | awk '{print $2}')
+git_grafana_ver=$(git log --oneline | grep -Pom1 'rebase grafana.ini to grafana \K\S+')
+
+if [[ -z $mon_grafana_ver ]]; then
+  echo >&2 'failed to detect current version on monitoring'
+  exit 1
+fi
+
+if [[ $(vercmp $git_grafana_ver $mon_grafana_ver) -ge 0 ]]; then
+  echo >&2 "already rebased to $git_grafana_ver (>= $mon_grafana_ver on monitoring)"
+  exit 1
+fi
+
+old_pkg=https://archive.archlinux.org/packages/g/grafana/grafana-$git_grafana_ver-x86_64.pkg.tar.zst
+new_pkg=https://archive.archlinux.org/packages/g/grafana/grafana-$mon_grafana_ver-x86_64.pkg.tar.zst
+
+diff -up \
+  <(curl -s "$old_pkg" | bsdtar -xOq etc/grafana.ini) \
+  <(curl -s "$new_pkg" | bsdtar -xOq etc/grafana.ini) \
+  | patch "$(dirname $0)/../templates/grafana.ini.j2"
+
+echo
+echo ':: fix any conflicts above, "git add" the changes and commit with:'
+echo ":: git commit -m 'grafana: rebase grafana.ini to grafana $mon_grafana_ver'"
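Review bot: The `curl -s` calls at L26 and L27 exit 0 on an HTTP error and print the server's error page to stdout, so a package that is missing from the archive (for example a version not yet mirrored) would make `bsdtar` produce an empty or partial `grafana.ini`, and `diff` would then emit a patch that strips most of the template before `patch` applies it; using `curl -sSf "$old_pkg"` (and the same for `$new_pkg`) makes curl fail with no body on HTTP errors. Without `set -o pipefail` near the top, that failure and a `bsdtar` failure are still swallowed by the pipeline, so adding it is what makes the `-f` effective. `git_grafana_ver` from L10 is never checked for emptiness the way `mon_grafana_ver` is at L12, and an empty value yields a malformed `old_pkg` URL at L22 and a meaningless `vercmp` at L17; the same `[[ -z $git_grafana_ver ]]` guard would catch it. `$0` inside `$(dirname $0)` at L28 is unquoted, which breaks on paths containing spaces.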
diff --git a/roles/grafana/templates/grafana.ini.j2 b/roles/grafana/templates/grafana.ini.j2
index 20dc04465224e8c8041b9845b78f9678fa91c8f0..dbb58403d3aab53357f2f9ee047230bae3c031dd 100644
--- a/roles/grafana/templates/grafana.ini.j2
+++ b/roles/grafana/templates/grafana.ini.j2
@@ -634,6 +634,10 @@ hide_version = true
 ;api_url = https://openidconnect.googleapis.com/v1/userinfo
 ;allowed_domains =
 ;hosted_domain =
+;allowed_groups =
+;role_attribute_path =
+;role_attribute_strict = false
+;allow_assign_grafana_admin = false
 ;skip_org_role_sync = false
 ;use_pkce = true
 
@@ -756,6 +760,8 @@ role_attribute_strict = true
 ;cache_ttl = 60m
 ;expect_claims = {"aud": ["foo", "bar"]}
 ;key_file = /path/to/key/file
+# Use in conjunction with key_file in case the JWT token's header specifies a key ID in "kid" field
+;key_id = some-key-id
 ;role_attribute_path =
 ;role_attribute_strict = false
 ;auto_sign_up = false
@@ -789,7 +795,7 @@ role_attribute_strict = true
 ; list_metrics_page_limit = 500
 
 # Experimental, for use in Grafana Cloud only. Please do not set.
-; external_id = 
+; external_id =
 
 #################################### Azure ###############################
 [azure]
@@ -807,6 +813,24 @@ role_attribute_strict = true
 # Should be set for user-assigned identity and should be empty for system-assigned identity
 ;managed_identity_client_id =
 
+# Specifies whether Azure AD Workload Identity authentication should be enabled in datasources that support it
+# For more documentation on Azure AD Workload Identity, review this documentation:
+# https://azure.github.io/azure-workload-identity/docs/
+# Disabled by default, needs to be explicitly enabled
+;workload_identity_enabled = false
+
+# Tenant ID of the Azure AD Workload Identity
+# Allows to override default tenant ID of the Azure AD identity associated with the Kubernetes service account
+;workload_identity_tenant_id =
+
+# Client ID of the Azure AD Workload Identity
+# Allows to override default client ID of the Azure AD identity associated with the Kubernetes service account
+;workload_identity_client_id =
+
+# Custom path to token file for the Azure AD Workload Identity
+# Allows to set a custom path to the projected service account token file
+;workload_identity_token_file =
+
 # Specifies whether user identity authentication (on behalf of currently signed-in user) should be enabled in datasources
 # that support it (requires AAD authentication)
 # Disabled by default, needs to be explicitly enabled
@@ -832,6 +856,9 @@ role_attribute_strict = true
 # Warning left to true, basic roles permissions will be reset on every boot
 #reset_basic_roles = false
 
+# Validate permissions' action and scope on role creation and update
+; permission_validation_enabled = true
+
 #################################### SMTP / Emailing ##########################
 [smtp]
 ;enabled = false
@@ -1277,6 +1304,18 @@ mode = syslog
 [tracing.opentelemetry]
 # attributes that will always be included in when creating new spans. ex (key1:value1,key2:value2)
 ;custom_attributes = key1:value1,key2:value2
+# Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
+; sampler_type = remote
+# Sampler configuration parameter
+# for "const" sampler, 0 or 1 for always false/true respectively
+# for "probabilistic" sampler, a probability between 0.0 and 1.0
+# for "rateLimiting" sampler, the number of spans per second
+# for "remote" sampler, param is the same as for "probabilistic"
+#   and indicates the initial sampling rate before the actual one
+#   is received from the sampling server (set at sampling_server_url)
+; sampler_param = 0.5
+# specifies the URL of the sampling server when sampler_type is remote
+; sampling_server_url = http://localhost:5778/sampling
 
 [tracing.opentelemetry.jaeger]
 # jaeger destination (ex http://localhost:14268/api/traces)
@@ -1365,6 +1404,8 @@ mode = syslog
 # Force download of the public key for verifying plugin signature on startup. If disabled, the public key will be retrieved every 10 days.
 # Requires public_key_retrieval_disabled to be false to have any effect.
 ; public_key_retrieval_on_startup = false
+# Enter a comma-separated list of plugin identifiers to avoid loading (including core plugins). These plugins will be hidden in the catalog.
+; disable_plugins =
 
 #################################### Grafana Live ##########################################
 [live]
@@ -1387,6 +1428,9 @@ mode = syslog
 # This option is EXPERIMENTAL.
 ;ha_engine_address = "127.0.0.1:6379"
 
+# ha_engine_password allows setting an optional password to authenticate with the engine
+;ha_engine_password = ""
+
 #################################### Grafana Image Renderer Plugin ##########################
 [plugin.grafana-image-renderer]
 # Instruct headless browser instance to use a default timezone when not provided by Grafana, e.g. when rendering panel image of alert.
@@ -1532,5 +1576,14 @@ mode = syslog
 
 ################################## Feature Management ##############################################
 [feature_management]
-hidden_toggles =
-read_only_toggles =
+# Options to configure the experimental Feature Toggle Admin Page feature, which is behind the `featureToggleAdminPage` feature toggle. Use at your own risk.
++# Allow editing of feature toggles in the feature management page
++;allow_editing = false
++# Allow customization of URL for the controller that manages feature toggles
++;update_webhook =
++# Allow configuring an auth token for feature management update requests
++;update_webhook_token =
++# Hide specific feature toggles from the feature management page
++;hidden_toggles =
++# Disable updating specific feature toggles in the feature management page
++;read_only_toggles =
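Review bot: The ten lines at L146–L155 are shown as `++`, which means the committed template now contains literal lines such as `+;allow_editing = false` and `+# Allow editing of feature toggles…` rather than commented-out keys; only the `# Options to configure…` line at L145 is added cleanly, and the hunk header's `+14` count confirms all ten are real file content. This looks like a patch hunk whose `+` markers were left in when a conflict from `rebase-grafana-ini.sh` was resolved by hand, though that is inferred from the diff rather than visible. A line that starts with `+` is not a comment to an INI parser, so the rendered `grafana.ini` will carry ten lines that are neither comments nor well-formed `key = value` pairs in `[feature_management]`; how Grafana's parser treats such lines should be confirmed before this ships. Strip the leading `+` so the lines read `# Allow editing of feature toggles in the feature management page` and `;allow_editing = false`, matching the other rebased sections in this commit.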