Erich Blume
71cb256527
## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - **Goal:** `deploy-authentik` (active) - **Leaf prerequisites:** - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227
1.9 KiB
1.9 KiB
| title | modified | tags | ||
|---|---|---|---|---|
| Grafana | 2026-02-08 |
|
Grafana
Dashboards and visualization for BlumeOps observability.
Quick Reference
| Property | Value |
|---|---|
| URL | https://grafana.ops.eblu.me |
| Tailscale URL | https://grafana.tail8d86e.ts.net |
| Namespace | monitoring |
| Helm Chart | grafana (mirrored to forge) |
| Values | argocd/manifests/grafana/values.yaml |
Authentication
Grafana supports two login methods:
- SSO via authentik — OIDC login through Authentik (
auth.generic_oauth). Users click "Sign in with Authentik", authenticate at Authentik, and are redirected back as Admin. - Local admin — break-glass login using the password from 1Password ("Grafana (blumeops)"). Always available if Authentik is down.
The OIDC client secret is injected via external-secrets (grafana-authentik-oauth secret in monitoring namespace).
Datasources
| Name | Type | Target |
|---|---|---|
| Prometheus | prometheus | prometheus.monitoring.svc.cluster.local:9090 |
| Loki | loki | loki.monitoring.svc.cluster.local:3100 |
| TeslaMate | postgres | blumeops-pg-rw.databases.svc.cluster.local:5432 |
Dashboard Provisioning
Dashboards are ConfigMaps with label grafana_dashboard: "1".
Location: argocd/manifests/grafana-config/dashboards/
Optional annotation: grafana_folder: "FolderName"
Key Dashboards
- macOS System - Host metrics for indri
- Minikube - Kubernetes cluster overview
- Borgmatic Backups - Backup status and trends
- Services Health - HTTP probe results
- Docs APM - Request rate, latency, cache for docs.eblu.me
- Fly.io Proxy Health - Aggregate proxy health across all upstream services
- TeslaMate (18 dashboards) - Vehicle data
Related
- authentik - OIDC identity provider for SSO
- prometheus - Metrics datasource
- loki - Logs datasource
- alloy - Data collector