From 336ef20bd98dba2063560c7dd841b501729cc0d5 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Thu, 21 May 2026 19:22:35 +0200
Subject: [PATCH] feat(observability): provision Grafana PostgreSQL datasource

Adds a read-only datasource pointing at archive-db using the grafana_reader
role (provisioned by Flyway V68). The password is interpolated from the
GRAFANA_DB_PASSWORD env var passed to obs-grafana, and the connection is
locked to editable: false so the credential cannot be inspected via the UI.

sslmode=disable is intentional: traffic stays inside archiv-net.

Refs #651.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .../provisioning/datasources/datasources.yml     | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/infra/observability/grafana/provisioning/datasources/datasources.yml b/infra/observability/grafana/provisioning/datasources/datasources.yml
index d61759e1..39797aa7 100644
--- a/infra/observability/grafana/provisioning/datasources/datasources.yml
+++ b/infra/observability/grafana/provisioning/datasources/datasources.yml
@@ -36,3 +36,19 @@ datasources:
         datasourceUid: prometheus
       nodeGraph:
         enabled: true
+
+  # Read-only PostgreSQL datasource for the PO Overview dashboard (issue #651).
+  # Uses the grafana_reader role provisioned by Flyway V68. Traffic stays inside
+  # archiv-net, so sslmode=disable is the deliberate, accepted setting.
+  - name: PostgreSQL
+    type: postgres
+    uid: postgres
+    url: archive-db:5432
+    user: grafana_reader
+    editable: false
+    secureJsonData:
+      password: ${GRAFANA_DB_PASSWORD}
+    jsonData:
+      database: ${POSTGRES_DB}
+      sslmode: disable
+      postgresVersion: 1600