~xenrox/ansible: grafana: Update config

1 files changed, 98 insertions(+), 1 deletions(-)

M roles/grafana/templates/grafana.ini.j2

M roles/grafana/templates/grafana.ini.j2 => roles/grafana/templates/grafana.ini.j2 +98 -1

@@ 161,6 161,9 @@ enable_gzip = true
 # For "sqlite" only. How many times to retry transaction in case of database is locked failures. Default is 5.
 ;transaction_retries = 5
 
+# Set to true to add metrics and tracing for database queries.
+;instrument_queries = false
+
 ################################### Data sources #########################
 [datasources]
 # Upper limit of data sources that Grafana will return. This limit is a temporary configuration and it will be deprecated when pagination will be introduced on the list data sources API.


@@ 375,6 378,9 @@ strict_transport_security = true
 # List of allowed headers to be set by the user, separated by spaces. Suggested to use for if authentication lives behind reverse proxies.
 ;csrf_additional_headers =
 
+# The CSRF check will be executed even if the request has no login cookie.
+;csrf_always_check = false
+
 [security.encryption]
 # Defines the time-to-live (TTL) for decrypted data encryption keys stored in memory (cache).
 # Please note that small values may cause performance issues due to a high frequency decryption operations.


@@ 463,6 469,22 @@ allow_sign_up = false
 # Enter a comma-separated list of users login to hide them in the Grafana UI. These users are shown to Grafana admins and themselves.
 ; hidden_users =
 
+[secretscan]
+# Enable secretscan feature
+;enabled = false
+
+# Interval to check for token leaks
+;interval = 5m
+
+# base URL of the grafana token leak check service
+;base_url = https://secret-scanning.grafana.net
+
+# URL to send outgoing webhooks to in case of detection
+;oncall_url =
+
+# Whether to revoke the token if a leak is detected or just send a notification
+;revoke = true
+
 [service_accounts]
 # Service account maximum expiration date in days.
 # When set, Grafana will not allow the creation of tokens with expiry greater than this setting.


@@ 520,6 542,9 @@ signout_redirect_url = https://keycloak.xenrox.net/realms/xenrox/protocol/openid
 # Set to skip the organization role from JWT login and use system's role assignment instead.
 ; skip_org_role_sync = false
 
+# Use email lookup in addition to the unique ID provided by the IdP
+;oauth_allow_insecure_email_lookup = false
+
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access


@@ 618,6 643,7 @@ signout_redirect_url = https://keycloak.xenrox.net/realms/xenrox/protocol/openid
 ;token_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
 ;allowed_domains =
 ;allowed_groups =
+;allowed_organizations =
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
 # prevent synchronizing users organization roles


@@ 931,6 957,26 @@ role_attribute_strict = true
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
 ;alertmanager_config_poll_interval = 60s
 
+# The redis server address that should be connected to.
+;ha_redis_address =
+
+# The username that should be used to authenticate with the redis server.
+;ha_redis_username =
+
+# The password that should be used to authenticate with the redis server.
+;ha_redis_password =
+
+# The redis database, by default it's 0.
+;ha_redis_db =
+
+# A prefix that is used for every key or channel that is created on the redis server
+# as part of HA for alerting.
+;ha_redis_prefix =
+
+# The name of the cluster peer that will be used as identifier. If none is
+# provided, a random one will be generated.
+;ha_redis_peer_name =
+
 # Listen address/hostname and port to receive unified alerting messages for other Grafana instances. The port is used for both TCP and UDP. It is assumed other Grafana instances are also running on the same port. The default value is `0.0.0.0:9094`.
 ;ha_listen_address = "0.0.0.0:9094"
 


@@ 975,6 1021,56 @@ role_attribute_strict = true
 # For example: `disabled_labels=grafana_folder`
 ;disabled_labels =
 
+[unified_alerting.state_history]
+# Enable the state history functionality in Unified Alerting. The previous states of alert rules will be visible in panels and in the UI.
+; enabled = true
+
+# Select which pluggable state history backend to use. Either "annotations", "loki", or "multiple"
+# "loki" writes state history to an external Loki instance. "multiple" allows history to be written to multiple backends at once.
+# Defaults to "annotations".
+; backend = "multiple"
+
+# For "multiple" only.
+# Indicates the main backend used to serve state history queries.
+# Either "annotations" or "loki"
+; primary = "loki"
+
+# For "multiple" only.
+# Comma-separated list of additional backends to write state history data to.
+; secondaries = "annotations"
+
+# For "loki" only.
+# URL of the external Loki instance.
+# Either "loki_remote_url", or both of "loki_remote_read_url" and "loki_remote_write_url" is required for the "loki" backend.
+; loki_remote_url = "http://loki:3100"
+
+# For "loki" only.
+# URL of the external Loki's read path. To be used in configurations where Loki has separated read and write URLs.
+# Either "loki_remote_url", or both of "loki_remote_read_url" and "loki_remote_write_url" is required for the "loki" backend.
+; loki_remote_read_url = "http://loki-querier:3100"
+
+# For "loki" only.
+# URL of the external Loki's write path. To be used in configurations where Loki has separated read and write URLs.
+# Either "loki_remote_url", or both of "loki_remote_read_url" and "loki_remote_write_url" is required for the "loki" backend.
+; loki_remote_write_url = "http://loki-distributor:3100"
+
+# For "loki" only.
+# Optional tenant ID to attach to requests sent to Loki.
+; loki_tenant_id = 123
+
+# For "loki" only.
+# Optional username for basic authentication on requests sent to Loki. Can be left blank to disable basic auth.
+; loki_basic_auth_username = "myuser"
+
+# For "loki" only.
+# Optional password for basic authentication on requests sent to Loki. Can be left blank.
+; loki_basic_auth_password = "mypass"
+
+[unified_alerting.state_history.external_labels]
+# Optional extra labels to attach to outbound state history records or log streams.
+# Any number of label key-value-pairs can be provided.
+; mylabelkey = mylabelvalue
+
 #################################### Alerting ############################
 [alerting]
 # Disable legacy alerting engine & UI features


@@ 1205,6 1301,8 @@ role_attribute_strict = true
 ;plugin_catalog_hidden_plugins =
 # Log all backend requests for core and external plugins.
 ;log_backend_requests = false
+# Force download of public key for verifying plugin signature on startup.
+;enforce_public_key_download = false
 
 #################################### Grafana Live ##########################################
 [live]


@@ 1350,7 1448,6 @@ role_attribute_strict = true
 ;enable_custom_baselayers = true
 
 # Move an app plugin referenced by its id (including all its pages) to a specific navigation section
-# Dependencies: needs the `topnav` feature to be enabled
 [navigation.app_sections]
 # The following will move an app plugin with the id of `my-app-id` under the `starred` section
 # my-app-id = admin