From 2fa1ce3eb87b7a0457ff24b83e9acc788fc47c63 Mon Sep 17 00:00:00 2001 From: Marcel Date: Thu, 21 May 2026 19:26:34 +0200 Subject: [PATCH] docs(deployment): document GRAFANA_DB_PASSWORD across env tables Adds GRAFANA_DB_PASSWORD to the observability-stack env-var table, the Gitea secrets table, and the obs-secrets.env reference, so operators see the variable wherever they look for related secrets. Refs #651. Co-Authored-By: Claude Opus 4.7 --- docs/DEPLOYMENT.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md index 945346ae..28169825 100644 --- a/docs/DEPLOYMENT.md +++ b/docs/DEPLOYMENT.md @@ -152,6 +152,7 @@ All vars are set in `.env` at the repo root (copy from `.env.example`). The back | `PORT_GRAFANA` | Host port for the Grafana UI (bound to `127.0.0.1` only) | `3003` | — | — | | `POSTGRES_HOST` | PostgreSQL hostname for GlitchTip's db-init job and workers. Override when only the staging stack is running and `archive-db` is not resolvable by that name. | `archive-db` | — | — | | `GRAFANA_ADMIN_PASSWORD` | Grafana `admin` user password | `changeme` | YES (prod) | YES | +| `GRAFANA_DB_PASSWORD` | Password for the read-only `grafana_reader` PostgreSQL role used by the PO Overview dashboard (issue #651). Consumed by Flyway V68 and the Grafana PostgreSQL datasource. Generate with `openssl rand -hex 32`. | — | YES (prod) | YES | | `PORT_GLITCHTIP` | Host port for the GlitchTip UI (bound to `127.0.0.1` only) | `3002` | — | — | | `GLITCHTIP_DOMAIN` | Public-facing base URL for GlitchTip (used in email links and CORS) | `http://localhost:3002` | YES (prod) | — | | `GLITCHTIP_SECRET_KEY` | Django secret key for GlitchTip — generate with `python3 -c "import secrets; print(secrets.token_hex(32))"` | — | YES | YES | 
@@ -256,6 +257,7 @@ git.raddatz.cloud A | `MAIL_USERNAME` | release.yml | SMTP user | | `MAIL_PASSWORD` | release.yml | SMTP password | | `GRAFANA_ADMIN_PASSWORD` | both | Grafana `admin` login — generate a strong password | +| `GRAFANA_DB_PASSWORD` | both | Read-only `grafana_reader` role password — `openssl rand -hex 32` | | `GLITCHTIP_SECRET_KEY` | both | Django secret key — `openssl rand -hex 32` | | `SENTRY_DSN` | both | GlitchTip project DSN — set after first-run (§4); leave empty to keep Sentry disabled | | `VITE_SENTRY_DSN` | both | GlitchTip frontend project DSN — set after first-run (§4); leave empty to keep Sentry disabled | @@ -357,6 +359,7 @@ Both files are passed explicitly via `--env-file` to the compose command, so the | Gitea secret | Notes | |---|---| | `GRAFANA_ADMIN_PASSWORD` | Strong unique password; shared by nightly and release | +| `GRAFANA_DB_PASSWORD` | `openssl rand -hex 32`; shared by nightly and release — read-only DB role for the PO Overview dashboard | | `GLITCHTIP_SECRET_KEY` | `openssl rand -hex 32`; shared by nightly and release | | `STAGING_POSTGRES_PASSWORD` / `PROD_POSTGRES_PASSWORD` | Must match the running PostgreSQL container |
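Review bot: the new `GRAFANA_DB_PASSWORD` row in the first hunk (the env-var table, after `GRAFANA_ADMIN_PASSWORD`) names Flyway V68 as a consumer but says nothing about rotation. A versioned Flyway migration is applied once, so if V68 is where the role password is set, changing the variable later would update the Grafana datasource while `grafana_reader` keeps the old password. Suggest adding a sentence on how to rotate the value (the role password has to be changed in PostgreSQL as well), and stating what happens when the variable is left empty outside prod, since the row gives no default and is marked `YES (prod)`.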
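Review bot: in the last hunk (the `Gitea secret | Notes` table), the new row documents `GRAFANA_DB_PASSWORD` as "shared by nightly and release", while the PostgreSQL passwords two rows below are split into `STAGING_POSTGRES_PASSWORD` / `PROD_POSTGRES_PASSWORD`. This is also a database credential, so a single shared value means the password handled by the nightly workflow is valid for the same role on the release side. Suggest either splitting it the same way or adding a short justification for sharing, and adding a "must match" remark like the one on the PostgreSQL row, since the value has to agree with the password the `grafana_reader` role actually has.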