refactor: simplify stack templates, move vars into group_vars/alpina

this vault setup for injective sensitive variables uses the approach described in https://docs.ansible.com/ansible/10/tips_tricks/ansible_tips_tricks.html#keep-vaulted-variables-safely-visible

roles/alpina/templates/services/monitoring/grafana_config/grafana.ini.j2

@@ -0,0 +1,34 @@
+[server]
+domain = grafana.{{ domain }}
+root_url = https://%(domain)s/
+
+;[security]
+;admin_user =
+;admin_email =
+;admin_password =
+
+; https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/
+[auth]
+disable_login_form = true
+signout_redirect_url = https://auth.{{ domain }}/application/o/grafana/end-session/
+
+[auth.generic_oauth]
+name = Authentik
+enabled = true
+allow_sign_up = true
+
+client_id = grafana
+client_secret = {{ auth_grafana_client_secret }}
+
+scopes = openid profile email
+auth_url = https://auth.{{ domain }}/application/o/authorize/
+token_url = https://auth.{{ domain }}/application/o/token/
+api_url = https://auth.{{ domain }}/application/o/userinfo/
+
+email_attribute_path = email
+login_attribute_path = preferred_username
+name_attribute_path = name
+
+# Optionally map user groups to Grafana roles
+allow_assign_grafana_admin = true
+role_attribute_path = contains(groups[*], 'Grafana Admins') && 'GrafanaAdmin' || 'Viewer'