eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/reference/services/grafana.md
Erich Blume d21798b1f3 Document Dex OIDC and add services-check integration (#223) 
## Summary
- Create Dex reference card (`docs/reference/services/dex.md`) with quick reference, architecture, identity source, storage, OIDC clients, secrets, and endpoints
- Write federated login explanation article (`docs/explanation/federated-login.md`) covering the Dex + Forgejo two-layer auth model, login flow, and break-glass access
- Add Dex to `services-check` (HTTP health endpoint + k3s pod check)
- Update Grafana docs with new Authentication section documenting SSO via Dex
- Update Forgejo docs with OAuth2 Provider section documenting its role as upstream identity source
- Add Dex to ringtail workloads table and reference service index
- Move `adopt-oidc-provider` plan to `completed/` with final design reflecting actual implementation

## Test plan
- [ ] `mise run services-check` passes (includes new Dex checks)
- [ ] `docs-check-links` passes (all wiki-links resolve)
- [ ] `docs-check-index` passes (new docs are indexed)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/223
2026-02-19 20:44:23 -08:00

1.9 KiB
Raw Blame History

title modified tags
Grafana 2026-02-08
service
observability

Grafana

Dashboards and visualization for BlumeOps observability.

Quick Reference

Property Value
URL https://grafana.ops.eblu.me
Tailscale URL https://grafana.tail8d86e.ts.net
Namespace monitoring
Helm Chart grafana (mirrored to forge)
Values argocd/manifests/grafana/values.yaml

Authentication

Grafana supports two login methods:

  • SSO via dex — federated login through forgejo (auth.generic_oauth). Users click "Sign in with Dex", authenticate at Forgejo, and are redirected back as Admin.
  • Local admin — break-glass login using the password from 1Password ("Grafana (blumeops)"). Always available if Dex is down.

The OIDC client secret is injected via external-secrets (grafana-dex-oauth secret in monitoring namespace).

Datasources

Name Type Target
Prometheus prometheus prometheus.monitoring.svc.cluster.local:9090
Loki loki loki.monitoring.svc.cluster.local:3100
TeslaMate postgres blumeops-pg-rw.databases.svc.cluster.local:5432

Dashboard Provisioning

Dashboards are ConfigMaps with label grafana_dashboard: "1".

Location: argocd/manifests/grafana-config/dashboards/

Optional annotation: grafana_folder: "FolderName"

Key Dashboards

  • macOS System - Host metrics for indri
  • Minikube - Kubernetes cluster overview
  • Borgmatic Backups - Backup status and trends
  • Services Health - HTTP probe results
  • Docs APM - Request rate, latency, cache for docs.eblu.me
  • Fly.io Proxy Health - Aggregate proxy health across all upstream services
  • TeslaMate (18 dashboards) - Vehicle data

Related

  • dex - OIDC identity provider for SSO
  • prometheus - Metrics datasource
  • loki - Logs datasource
  • alloy - Data collector