feat: add Cloudflare tunnel hosting

scripts/share-grafana-public-dashboard

@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+target=${1:-jet@noisebell-do}
+public_url=${GRAFANA_PUBLIC_URL:-https://grafana-noisebell.extremist.software}
+ssh_opts=(
+  -o StrictHostKeyChecking=accept-new
+)
+printf -v remote_command 'GRAFANA_PUBLIC_URL=%q bash -s' "$public_url"
+
+ssh "${ssh_opts[@]}" "$target" "$remote_command" <<'REMOTE'
+set -euo pipefail
+
+base_url=http://127.0.0.1:3030
+dashboard_uid=noisebell-public
+public_uid=noisebell-public
+access_token=6e6f69736562656c6c7075626c696330
+password=$(sudo tr -d '\r\n' < /var/lib/grafana/admin_password)
+ready=0
+
+for _ in $(seq 1 60); do
+  if curl -fsS -u "admin:$password" "$base_url/api/health" >/dev/null; then
+    ready=1
+    break
+  fi
+  sleep 1
+done
+if [ "$ready" -ne 1 ]; then
+  echo "Grafana did not become ready at $base_url" >&2
+  exit 1
+fi
+
+dashboard_ready=0
+for _ in $(seq 1 60); do
+  if curl -fsS -u "admin:$password" "$base_url/api/dashboards/uid/$dashboard_uid" >/dev/null; then
+    dashboard_ready=1
+    break
+  fi
+  sleep 1
+done
+if [ "$dashboard_ready" -ne 1 ]; then
+  echo "Grafana dashboard '$dashboard_uid' was not provisioned" >&2
+  exit 1
+fi
+
+existing=$(curl -fsS -u "admin:$password" \
+  "$base_url/api/dashboards/uid/$dashboard_uid/public-dashboards/" 2>/dev/null || true)
+existing_uid=""
+existing_token=""
+if [ -n "$existing" ]; then
+  existing_uid=$(jq -r '.uid // empty' <<<"$existing")
+  existing_token=$(jq -r '.accessToken // empty' <<<"$existing")
+fi
+
+if [ -n "$existing_uid" ] && { [ "$existing_uid" != "$public_uid" ] || [ "$existing_token" != "$access_token" ]; }; then
+  curl -fsS -u "admin:$password" \
+    -X DELETE \
+    "$base_url/api/dashboards/uid/$dashboard_uid/public-dashboards/$existing_uid" >/dev/null
+  existing_uid=""
+fi
+
+if [ -n "$existing_uid" ]; then
+  body=$(jq -cn '{timeSelectionEnabled:true,isEnabled:true,annotationsEnabled:false,share:"public"}')
+  response=$(curl -fsS -u "admin:$password" \
+    -H 'Content-Type: application/json' \
+    -X PATCH \
+    --data "$body" \
+    "$base_url/api/dashboards/uid/$dashboard_uid/public-dashboards/$existing_uid")
+else
+  body=$(jq -cn \
+    --arg uid "$public_uid" \
+    --arg accessToken "$access_token" \
+    '{uid:$uid,accessToken:$accessToken,timeSelectionEnabled:true,isEnabled:true,annotationsEnabled:false,share:"public"}')
+  response=$(curl -fsS -u "admin:$password" \
+    -H 'Content-Type: application/json' \
+    -X POST \
+    --data "$body" \
+    "$base_url/api/dashboards/uid/$dashboard_uid/public-dashboards/")
+fi
+
+returned_token=$(jq -r '.accessToken // empty' <<<"$response")
+if [ "$returned_token" != "$access_token" ]; then
+  echo "Grafana did not return a public dashboard access token" >&2
+  exit 1
+fi
+printf '%s/public-dashboards/%s\n' "${GRAFANA_PUBLIC_URL%/}" "$returned_token"
+REMOTE