From 4e636b32532f59cf79dc3ec0ba65409d33911351 Mon Sep 17 00:00:00 2001 From: Marcel Date: Thu, 21 May 2026 19:23:09 +0200 Subject: [PATCH] chore(observability): document GRAFANA_DB_PASSWORD in env files .env.example: declare GRAFANA_DB_PASSWORD with an openssl rand -hex 32 hint so a missing value fails loudly (NFR-OPS-02). obs.env: add a comment explaining that the real value comes from CI's obs-secrets.env, matching the pattern used for other secrets in that file. Refs #651. Co-Authored-By: Claude Opus 4.7 --- .env.example | 6 ++++++ infra/observability/obs.env | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/.env.example b/.env.example index 7593d997..08d9154a 100644 --- a/.env.example +++ b/.env.example @@ -39,6 +39,12 @@ PORT_PROMETHEUS=9090 # Grafana admin password — change this before exposing Grafana beyond localhost GRAFANA_ADMIN_PASSWORD=changeme +# Password for the read-only grafana_reader PostgreSQL role used by the PO +# Overview dashboard. Consumed by Flyway V68 (to set the role's password) and +# by Grafana's PostgreSQL datasource (to connect). REQUIRED in production — +# generate with: openssl rand -hex 32 +GRAFANA_DB_PASSWORD=changeme-generate-with-openssl-rand-hex-32 + # GlitchTip domain — production: use https://glitchtip.archiv.raddatz.cloud (must match Caddy vhost) GLITCHTIP_DOMAIN=http://localhost:3002 diff --git a/infra/observability/obs.env b/infra/observability/obs.env index 1c46a8fe..a0632f5b 100644 --- a/infra/observability/obs.env +++ b/infra/observability/obs.env 
@@ -16,6 +16,11 @@ GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud POSTGRES_USER=archiv +# Note: GRAFANA_DB_PASSWORD is a secret and is injected by CI from +# obs-secrets.env (see .env.example for the local-dev declaration). +# It is consumed by both archive-backend (Flyway V68 placeholder) and +# obs-grafana (PostgreSQL datasource). + # PostgreSQL hostname for GlitchTip db-init and workers. # The actual value depends on the Compose project name — it is not a fixed string. # CI sets POSTGRES_HOST in obs-secrets.env per environment:
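Review bot: The `.env.example` hunk does not deliver the "fails loudly" behaviour the commit message claims for NFR-OPS-02. `GRAFANA_DB_PASSWORD=changeme-generate-with-openssl-rand-hex-32` is a non-empty literal, so anyone who copies `.env.example` to `.env` without editing it gets a working (and guessable) password for the `grafana_reader` role, exactly like the existing `GRAFANA_ADMIN_PASSWORD=changeme` line above it; nothing on the consuming side will notice. If the intent is a loud failure, either ship the key with an empty value and reject empty or placeholder values where it is consumed (for example the `${GRAFANA_DB_PASSWORD:?GRAFANA_DB_PASSWORD is required}` form in the Compose files that wire it to the Grafana datasource and the Flyway placeholder), or say in the comment that the placeholder is accepted for local dev and only the production check rejects it. Also worth stating in the same comment that this value must never be committed to `obs.env`, since the second hunk tells the reader to expect it from `obs-secrets.env`.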
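Review bot: The `obs.env` comment describes the password as "consumed by both archive-backend (Flyway V68 placeholder) and obs-grafana (PostgreSQL datasource)", but it leaves out the consequence for rotation: `V68` is a versioned migration, so it runs exactly once and will not re-apply a changed `GRAFANA_DB_PASSWORD` to the role, while `obs-grafana` will start using the new value as soon as it is restarted. Rotating the secret in `obs-secrets.env` alone therefore breaks the datasource. Either document the rotation procedure here (alter the `grafana_reader` role's password out of band, then restart `obs-grafana`), or note that a separate repeatable migration or ops script owns rotation. A small style point: the new block sits between `POSTGRES_USER=archiv` and the `POSTGRES_HOST` comment with no key line of its own, so a grep for `GRAFANA_DB_PASSWORD` in `obs.env` only hits prose; a commented-out `# GRAFANA_DB_PASSWORD=` line (value intentionally absent) would make the expected key visible.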