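# Grafana Configuration - Managed by Ansible
# Do not edit manually - changes will be overwritten
#
# Jinja2 template. The rendered file holds the OAuth client secret in clear
# text, so the task that deploys it should restrict owner and mode to the
# Grafana service account.
# Every comment sits on its own line: a trailing comment after a value would
# become part of that value.

[server]
# Public base URL of this instance. Grafana derives the OAuth redirect URL
# from it, so it must match the redirect URI registered with the identity
# provider.
root_url = {{ grafana_root_url }}

[auth]
# false keeps the local username/password form visible next to the OAuth
# button, so local admin accounts can still sign in. Setting it to true hides
# the form from everyone, local admins included.
disable_login_form = false

[auth.generic_oauth]
enabled = {{ grafana_oauth_enabled | default(false) | lower }}
name = {{ grafana_oauth_name | default('Casdoor') }}
# With the default (true), any account that can authenticate at the identity
# provider is auto-provisioned in Grafana on first login.
allow_sign_up = {{ grafana_oauth_allow_sign_up | default(true) | lower }}
client_id = {{ grafana_oauth_client_id }}
# Secret: supply the variable from an encrypted source (e.g. Ansible Vault),
# never from a plain-text vars file.
client_secret = {{ grafana_oauth_client_secret }}
# Space-separated list of requested scopes.
scopes = {{ grafana_oauth_scopes | default('openid profile email') }}
auth_url = {{ grafana_oauth_auth_url }}
token_url = {{ grafana_oauth_token_url }}
api_url = {{ grafana_oauth_api_url }}

# Map Casdoor user attributes to Grafana
email_attribute_path = email
login_attribute_path = preferred_username
name_attribute_path = name

# Role mapping (JMESPath) evaluated on every OAuth login: grafana-admin ->
# Admin, grafana-editor -> Editor, anything else -> Viewer. The trailing
# 'Viewer' fallback means every authenticated user gets at least read access.
# NOTE(review): the expression reads a `groups` claim, but the default scopes
# above do not request one explicitly - confirm the provider returns it,
# otherwise every user resolves to Viewer.
role_attribute_path = contains(groups[*], 'grafana-admin') && 'Admin' || contains(groups[*], 'grafana-editor') && 'Editor' || 'Viewer'

# TLS verification for Grafana's back-channel calls to token_url and api_url.
# Skipping verification lets anyone on the network path impersonate the
# identity provider: they can read the client secret and tokens and return
# forged group claims that the mapping above turns into Admin. Verification
# is therefore on unless grafana_oauth_skip_tls_verify is explicitly set to
# true. For a private CA, prefer tls_client_ca over disabling verification.
tls_skip_verify_insecure = {{ grafana_oauth_skip_tls_verify | default(false) | lower }}

[log]
# Console-only logging - systemd journal captures output, Alloy ships to Loki
mode = console
level = {{ grafana_log_level | default('info') }}

[log.console]
format = text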