chore(observability): document GRAFANA_DB_PASSWORD in env files

.env.example: declare GRAFANA_DB_PASSWORD with an openssl rand -hex 32 hint so a missing value fails loudly (NFR-OPS-02). obs.env: add a comment explaining that the real value comes from CI's obs-secrets.env, matching the pattern used for other secrets in that file. Refs #651. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-21 19:23:09 +02:00
parent ab2708e63b
commit 4e636b3253
2 changed files with 11 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@@ -39,6 +39,12 @@ PORT_PROMETHEUS=9090
 # Grafana admin password — change this before exposing Grafana beyond localhost
 GRAFANA_ADMIN_PASSWORD=changeme

+# Password for the read-only grafana_reader PostgreSQL role used by the PO
+# Overview dashboard. Consumed by Flyway V68 (to set the role's password) and
+# by Grafana's PostgreSQL datasource (to connect). REQUIRED in production —
+# generate with: openssl rand -hex 32
+GRAFANA_DB_PASSWORD=changeme-generate-with-openssl-rand-hex-32
+
 # GlitchTip domain — production: use https://glitchtip.archiv.raddatz.cloud (must match Caddy vhost)
 GLITCHTIP_DOMAIN=http://localhost:3002

--- a/infra/observability/obs.env
+++ b/infra/observability/obs.env
@@ -16,6 +16,11 @@ GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud

 POSTGRES_USER=archiv

+# Note: GRAFANA_DB_PASSWORD is a secret and is injected by CI from
+# obs-secrets.env (see .env.example for the local-dev declaration).
+# It is consumed by both archive-backend (Flyway V68 placeholder) and
+# obs-grafana (PostgreSQL datasource).
+
 # PostgreSQL hostname for GlitchTip db-init and workers.
 # The actual value depends on the Compose project name — it is not a fixed string.
 # CI sets POSTGRES_HOST in obs-secrets.env per environment: