# Grafana configuration, rendered from a Jinja2 template by Ansible.
# Login is delegated entirely to the Keycloak realm "ccchh" on id.hamburg.ccc.de.
# The rendered file holds the OAuth client secret in plain text, so the
# task that writes it should set a restrictive owner and mode.

[server]
# Public base URL of this instance. Grafana derives the OAuth callback
# address from it, so it has to match the redirect URI registered in Keycloak.
root_url = https://grafana.hamburg.ccc.de

[auth]
# Hide the built-in username/password form; only the OAuth provider below is offered.
disable_login_form = true

# https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/keycloak/
[auth.generic_oauth]
enabled = true
name = id.hamburg.ccc.de
# Skip the Grafana login page and redirect straight to the provider.
auto_login = true
# A Grafana account is created on first login for any identity the
# provider authenticates.
allow_sign_up = true

# Client credentials. The secret is read from passwordstore at render time;
# create=false and missing="error" make the render fail instead of generating
# or silently omitting it.
# NOTE(review): if the secret can contain "#" or ";", the value may need
# quoting for Grafana's ini parser - confirm.
client_id = grafana
client_secret = {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/grafana/KEYCLOAK_SECRET", create=false, missing="error") }}
# NOTE(review): consider enabling use_pkce for the authorization code flow.

# Keycloak OpenID Connect endpoints for the realm.
auth_url = https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth
token_url = https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token
api_url = https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/userinfo
signout_redirect_url = https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/logout

# offline_access is requested so that a refresh token is issued;
# use_refresh_token lets Grafana use it to renew expired access tokens.
scopes = openid email profile offline_access roles
use_refresh_token = true

# Claims that supply the Grafana profile fields.
email_attribute_path = email
login_attribute_path = username
name_attribute_path = full_name

# Role mapping (JMESPath over the "roles" claim); the first matching branch wins.
# The trailing 'Viewer' is a catch-all: every identity the realm authenticates
# gets at least read access, with or without a Grafana role.
# NOTE(review): if that is not intended, drop the fallback and set
# role_attribute_strict = true so that unmapped users are refused.
role_attribute_path = "contains(roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
# Lets the mapping above grant server-wide admin, so anyone able to assign the
# 'grafanaadmin' role in Keycloak effectively controls this Grafana instance.
allow_assign_grafana_admin = true