From a5b80fd9cd79ee206729f4d46daed8354f892195 Mon Sep 17 00:00:00 2001
From: Erik
Date: Wed, 10 Jun 2026 16:25:20 +0200
Subject: [PATCH] security(nginx): remove dead Grafana service-account token from committed config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The glsa_ token on the /grafana/ location was committed to a public repo. Verified dead: Grafana's service-account and api_key tables are empty (the data dir is ephemeral container storage, so the SA was wiped on a past recreate) and an arbitrary invalid bearer gets identical 200 responses — panel embeds are actually served by anonymous Viewer auth (GF_AUTH_ANONYMOUS_ENABLED=true). The header was a no-op; removing it changes no behavior and removes the credential from the config.

Co-Authored-By: Claude Fable 5
---
 nginx/overlord.conf | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/nginx/overlord.conf b/nginx/overlord.conf
index f61aad78..f8b33162 100644
--- a/nginx/overlord.conf
+++ b/nginx/overlord.conf
@@ -14,8 +14,12 @@
 # WebSockets are long-lived; nginx's default 60s timeout drops idle clients.
 # Removing these timeouts caused all plugin connections to drop every
 # ~60s when no data flowed from backend to client (April 2026 incident).
-# - Bearer token in /grafana/ proxy_set_header is a Grafana service account
-# token used for anonymous panel embeds. Rotate when credentials leak.
+# - /grafana/ panel embeds rely on Grafana's anonymous Viewer auth
+# (GF_AUTH_ANONYMOUS_ENABLED=true in docker-compose.yml) — no credentials
+# in this file. Do NOT hardcode tokens here: this file is committed to a
+# public repo, and Grafana's state DB is ephemeral container storage, so
+# service-account tokens get orphaned on every container recreate. A
+# previously committed (long-dead) token was removed in June 2026.
 
 server {
 listen 443 ssl;
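Review bot: The new comment block records that the token was removed from the file but not that it remains recoverable from git history, so the "Do NOT hardcode tokens here" guidance should say that removal alone never retires a committed secret; add after the last added line `#   Note: the removed token is still in git history. Any token that lands` / `#   in this file must be revoked in Grafana and the history rewritten —` / `#   deleting the line is not sufficient.` The commit message's "changes no behavior" also deserves a hedge: dropping proxy_set_header Authorization means nginx no longer overrides a client-supplied Authorization header on /grafana/, so such headers presumably now reach Grafana unchanged (harmless under anonymous Viewer auth, but a behavior change worth a line in the comment). A repo-level secret-scanning hook would prevent the recurrence this comment warns about; that belongs outside this file.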
@@ -108,7 +112,6 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
-proxy_set_header Authorization "Bearer glsa_AcDTcN5CUX9h5Bi2ipmVAs6g1FRTSIWk_8b81cf99";
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 proxy_cache_bypass $http_upgrade;