OAuth state cookie is set on the domain users visit (grafana.ops.eblu.me)
but Grafana was constructing callbacks from root_url (grafana.tail8d86e.ts.net),
causing "Missing saved oauth state" errors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The Kubernetes CRD storage backend crashes on k3s due to a Go URL
parsing bug with the in-cluster API address. sqlite3 with emptyDir
avoids the k8s API entirely and is sufficient for single-replica Dex.
Also removes now-unnecessary RBAC resources (ServiceAccount, ClusterRole,
ClusterRoleBinding).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Users authenticate via Forgejo at forge.ops.eblu.me instead of a
hardcoded password list. This makes user management scale through
Forgejo's existing account system and enables future collaborator
onboarding via Forgejo accounts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Adds Dex as a central OIDC identity provider running on ringtail's k3s
cluster. Grafana is integrated as the first SSO client via generic_oauth.
Dex uses Kubernetes CRD storage and ExternalSecrets for all sensitive
config (bcrypt hash, client secrets from 1Password).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
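As an added example (not this repository's own manifests), the post-fix shape of the two configurations the commits above describe, written as k3s ConfigMaps: Dex on sqlite3 storage with a Forgejo connector and a Grafana static client, and Grafana's generic_oauth section with root_url on the host users actually visit. The Dex hostname dex.ops.eblu.me, the ConfigMap and environment-variable names, and the use of Dex's gitea connector against Forgejo are assumptions; the Grafana and Forgejo hosts come from the commit messages.

```yaml
# Added example; hostnames other than grafana.ops.eblu.me and
# forge.ops.eblu.me, and all names below, are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: dex-config                          # assumed name
data:
  config.yaml: |
    issuer: https://dex.ops.eblu.me         # assumed Dex host
    storage:
      type: sqlite3                         # replaces the kubernetes CRD backend
      config:
        file: /var/dex/dex.db               # mount an emptyDir at /var/dex
    connectors:
      - type: gitea                         # assumed to work against Forgejo's Gitea-compatible API
        id: forgejo
        name: Forgejo
        config:
          baseURL: https://forge.ops.eblu.me
          clientID: $FORGEJO_CLIENT_ID      # Dex expands env vars; inject from the ExternalSecret
          clientSecret: $FORGEJO_CLIENT_SECRET
          redirectURI: https://dex.ops.eblu.me/callback
    staticClients:
      - id: grafana
        name: Grafana
        secret: $GRAFANA_CLIENT_SECRET
        redirectURIs:
          - https://grafana.ops.eblu.me/login/generic_oauth
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-config                      # assumed name
data:
  grafana.ini: |
    [server]
    # The OAuth state cookie is set on this host and the callback URL is
    # built from it, so it must be the user-facing name, not the
    # tailnet name; the mismatch produced "Missing saved oauth state".
    root_url = https://grafana.ops.eblu.me/
    [auth.generic_oauth]
    enabled = true
    name = Dex
    client_id = grafana
    client_secret = $__env{GRAFANA_CLIENT_SECRET}
    scopes = openid profile email groups
    auth_url = https://dex.ops.eblu.me/auth
    token_url = https://dex.ops.eblu.me/token
    api_url = https://dex.ops.eblu.me/userinfo
```

The redirect URI registered with Dex must match what Grafana derives from root_url exactly, so any later change to root_url has to be mirrored in the staticClients entry.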