Erich Blume
2a2ba0bcb7
Reviewed (verified against live state) and stamped last-reviewed on: - reference/services/argocd.md: SSO via Authentik (public PKCE client), dual-cluster management (minikube + ringtail k3s), corrected sync policy (everything is manual sync, including the apps root) - reference/services/authentik.md: blueprint list grown to 8 OIDC clients, postgresql-* secret fields, client-type table - reference/services/grafana.md: TeslaMate datasource now pg.ops.eblu.me:5434 (ringtail), dashboard inventory refreshed, TeslaMate dashboards via pinned-tag init container - reference/infrastructure/unifi.md: UnPoller now a locally-built image - how-to/mealie/plan-a-meal.md: procedure verified; stored API token currently returns 401 (operational fix tracked separately) AGENTS.md: replace the mandatory full ai-docs read with a find-relevant- docs-first rule (bulk ai-docs/ai-sources now opt-in), and document the heph CLI surface for reading and manipulating Blumeops tasks. agent-change-process.md updated to match. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2.6 KiB
| title | modified | last-reviewed | tags | ||
|---|---|---|---|---|---|
| Grafana | 2026-06-09 | 2026-06-09 |
|
Grafana
Dashboards and visualization for BlumeOps observability.
Quick Reference
| Property | Value |
|---|---|
| URL | https://grafana.ops.eblu.me |
| Tailscale URL | https://grafana.tail8d86e.ts.net |
| Namespace | monitoring |
| Deployment | Kustomize (argocd/manifests/grafana/) |
| Image | registry.ops.eblu.me/blumeops/grafana |
| Sidecar Image | registry.ops.eblu.me/blumeops/grafana-sidecar |
Authentication
Grafana supports two login methods:
- SSO via authentik — OIDC login through Authentik (
auth.generic_oauth). Members of the Authentikadminsgroup get the Admin role; everyone else gets Viewer (role_attribute_pathingrafana.ini). - Local admin — break-glass login using the password from 1Password ("Grafana (blumeops)"). Always available if Authentik is down.
The OIDC client secret is injected via external-secrets (grafana-authentik-oauth secret in monitoring namespace).
Datasources
| Name | Type | Target |
|---|---|---|
| Prometheus | prometheus | prometheus.monitoring.svc.cluster.local:9090 |
| Loki | loki | loki.monitoring.svc.cluster.local:3100 |
| Tempo | tempo | tempo.monitoring.svc.cluster.local:3200 |
| TeslaMate | postgres | pg.ops.eblu.me:5434 (TeslaMate's database on ringtail, via Caddy L4) |
Dashboard Provisioning
Dashboards are ConfigMaps with label grafana_dashboard: "1".
Location: argocd/manifests/grafana-config/dashboards/
Optional annotation: grafana_folder: "FolderName"
Key Dashboards
Provisioned dashboards live in argocd/manifests/grafana-config/dashboards/ (one ConfigMap per dashboard). Coverage as of 2026-06: alerts, borgmatic, CV APM, devpi, docs APM, fly.io proxy, forgejo, frigate, jellyfin, kubernetes, loki, macOS (indri host), postgresql, ringtail, shower APM, sifaka disks, snowflake proxy, tempo, transmission, zot.
TeslaMate's dashboards are not in the repo — an init container fetches them from the forge mirror at a pinned tag (TESLAMATE_VERSION in argocd/manifests/grafana/deployment.yaml).
Related
- build-grafana-images - Home-built container images (Grafana + sidecar)
- kustomize-grafana-deployment - Kustomize manifest structure
- authentik - OIDC identity provider for SSO
- migrate-grafana-to-authentik - How SSO was migrated from Dex to Authentik
- prometheus - Metrics datasource
- loki - Logs datasource
- tempo - Traces datasource
- alloy - Data collector