From 0818554bae6701c1855fa2bece9d860f661bbbb0 Mon Sep 17 00:00:00 2001 From: cato447 Date: Thu, 9 Jul 2026 19:55:01 +0200 Subject: [PATCH] ro changes --- CLAUDE.md | 2 +- grafana/provisioning/datasources/sqlite.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 85e1370..5b939e5 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -9,7 +9,7 @@ Three Docker containers sharing a named volume (`speed-logger_sqlite-data`) that - **speedtest** (`measurement/`) — Python + cron inside a Debian slim container. Runs measurements and writes results to SQLite. - **ping** — Same image, runs `run_ping.py` as a long-lived loop (not cron) with `network_mode: host` so it can reach the LAN gateway. Pings the gateway plus a rotating pool of external DNS-resolver IPs every `PING_INTERVAL` (5s) and writes to `ping_checks`. - **control** — Same image, runs `control.py`: a stdlib `http.server` page on port 80 (host port `CONTROL_PORT`) where household members toggle speedtests on/off from a phone. Writes the flag to the `settings` table; talks to humans only, never to other containers. -- **grafana** — Stock Grafana image with the `frser-sqlite-datasource` plugin. Reads from the shared SQLite volume. Dashboard and datasource are provisioned automatically from `grafana/provisioning/`. Anonymous read-only access is enabled (`GF_AUTH_ANONYMOUS_*`); because any viewer can POST arbitrary SQL to Grafana's datasource query API, the volume is mounted `:ro` and the datasource path uses `?mode=ro`. Do not remove either when touching the compose file. This also means the DB must stay in the default rollback journal mode — WAL would require write access to the directory even for readers. +- **grafana** — Stock Grafana image with the `frser-sqlite-datasource` plugin. Reads from the shared SQLite volume. Dashboard and datasource are provisioned automatically from `grafana/provisioning/`. Anonymous read-only access is enabled (`GF_AUTH_ANONYMOUS_*`); because any viewer can POST arbitrary SQL to Grafana's datasource query API, the volume is mounted `:ro` and the datasource sets `pathOptions: mode=ro`. Do not remove either when touching the compose file. This also means the DB must stay in the default rollback journal mode — WAL would require write access to the directory even for readers. No message queues, no ORM, no external services. Everything is plain Python stdlib + subprocess calls. diff --git a/grafana/provisioning/datasources/sqlite.yml b/grafana/provisioning/datasources/sqlite.yml index e0f2ddf..6371566 100644 --- a/grafana/provisioning/datasources/sqlite.yml +++ b/grafana/provisioning/datasources/sqlite.yml @@ -7,8 +7,9 @@ datasources: access: proxy isDefault: true jsonData: + path: /data/speedtest.db # mode=ro because any Grafana viewer (incl. anonymous) can send arbitrary # SQL to the datasource API; together with the :ro volume mount this # keeps the database safe from writes through Grafana. - path: /data/speedtest.db?mode=ro + pathOptions: mode=ro editable: true