authorGravatar Jonas Gunz <himself@jonasgunz.de> 2022-04-04 21:24:22 +0200
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2022-04-04 21:24:22 +0200
commite835ea003eb91a534bfcead68062562e6ed1e665 (patch)
tree590f4d91c0514377895433f7d68d8b9eef7cf287 /roles
parent03984cc21f9b2fbc6925a0c29d078fd140240a91 (diff)
downloadansible_collection-e835ea003eb91a534bfcead68062562e6ed1e665.tar.gz
add grafana
Diffstat (limited to 'roles')
-rw-r--r--roles/grafana/defaults/main.yml35
-rw-r--r--roles/grafana/handlers/main.yml7
-rw-r--r--roles/grafana/tasks/main.yml48
-rw-r--r--roles/grafana/templates/grafana.ini.j261
-rw-r--r--roles/grafana/templates/ldap.toml.j233
5 files changed, 184 insertions, 0 deletions
diff --git a/roles/grafana/defaults/main.yml b/roles/grafana/defaults/main.yml
new file mode 100644
index 0000000..2681335
--- /dev/null
+++ b/roles/grafana/defaults/main.yml
@@ -0,0 +1,35 @@
+---
+grafana:
+ port: 8443
+ fqdn: 'grafana.example.com'
+ certificate: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ db:
+ host: 'db.example.com'
+ name: 'grafana'
+ user: 'grafana'
+ password: 'p4ssword'
+ ssl: true
+ ca: '/etc/ssl/certs/ca-certificates.crt'
+ ldap:
+ enabled: false
+ host: ldap.example.com
+ port: 636
+ use_ssl: true
+ start_tls: false
+ ssl_skip_verify: false
+ bind_dn: ''
+ bind_pw: ''
+ search_filter: '(&(uid=%s))'
+ base_dns: '["ou=users,dc=example,dc=com"]'
+ attributes:
+ name: 'givenName'
+ surname: 'sn'
+ username: 'uid'
+ member_of: 'memberOf'
+ email: 'mail'
+ group_mappings:
+ - group_dn: ''
+ org_role: ''
+ grafana_admin: false
+ org_id: 1
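Review bot: The role default `password: 'p4ssword'` under `grafana.db` ships a known database credential, so any host deployed without an override ends up with a guessable password in `/etc/grafana/grafana.ini`. I would leave the default empty, `password: ''  # must come from the inventory, e.g. an Ansible Vault variable`, and have the tasks file fail early when it is still empty. The same applies to `bind_pw` once LDAP is enabled. Because every setting lives in one `grafana` dict, an inventory that overrides a single key replaces the whole dict under Ansible's default hash behaviour; that should be documented next to these defaults.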
diff --git a/roles/grafana/handlers/main.yml b/roles/grafana/handlers/main.yml
new file mode 100644
index 0000000..f5ae831
--- /dev/null
+++ b/roles/grafana/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Restart Grafana
+ systemd:
+ name: grafana-server
+ state: restarted
+ enabled: yes
+ become: yes
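Review bot: Style point: `enabled: yes` and `become: yes` use YAML 1.1 truthy words; `enabled: true` and `become: true` are the canonical form and what yamllint's `truthy` rule expects. The same `yes` values appear throughout roles/grafana/tasks/main.yml. A restart handler that also sets `enabled` silently changes boot-time state, so a short comment such as `# also enables the unit at boot` above the task would make that intent explicit.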
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
new file mode 100644
index 0000000..745f0af
--- /dev/null
+++ b/roles/grafana/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+- name: Install GnuPG
+ apt:
+ name: gnupg2
+ become: yes
+
+- name: Install Grafana STABLE Repository
+ copy:
+ dest: /etc/apt/sources.list.d/grafana.list
+ content: deb https://packages.grafana.com/oss/deb stable main
+ become: yes
+ register: install_repo
+
+- name: Install Grafana Repo Key
+ apt_key:
+ url: https://packages.grafana.com/gpg.key
+ state: present
+ become: yes
+
+- name: Update APT cache
+ apt:
+ update_cache: yes
+ become: yes
+ when: install_repo.changed
+
+- name: Install Grafana
+ apt:
+ name: grafana
+ become: yes
+ notify: Restart Grafana
+
+- name: Check for changed cert
+ command: /bin/true
+ when: cert_changed
+ notify: Restart Grafana
+
+- name: Install configuration
+ template:
+ src: '{{ item }}.j2'
+ dest: '/etc/grafana/{{ item }}'
+ owner: root
+ group: grafana
+ mode: '640'
+ become: yes
+ loop:
+ - grafana.ini
+ - ldap.toml
+ notify: Restart Grafana
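Review bot: The "Install Grafana Repo Key" task uses `apt_key` with only a `url`, so whatever key that URL serves at run time lands in apt's global trusted keyring and is trusted for every configured repository, not only Grafana's. I would store the key in its own file, pin it with a checksum of a key you have verified out of band, and bind the repository to it with `signed-by` in the sources line, as sketched below (the checksum is a placeholder, and the keyrings directory may need creating on older releases). Separately, `when: cert_changed` in "Check for changed cert" references a variable this role never defines, so the play presumably fails unless another role sets it; `when: cert_changed | default(false)` avoids that.

```yaml
- name: Install Grafana Repo Key
  get_url:
    url: https://packages.grafana.com/gpg.key
    dest: /etc/apt/keyrings/grafana.asc
    # placeholder: sha256 of the key file after verifying its fingerprint
    checksum: 'sha256:<SHA256_OF_VERIFIED_KEY_FILE>'
    owner: root
    group: root
    mode: '0644'
  become: yes

- name: Install Grafana STABLE Repository
  copy:
    dest: /etc/apt/sources.list.d/grafana.list
    content: deb [signed-by=/etc/apt/keyrings/grafana.asc] https://packages.grafana.com/oss/deb stable main
  become: yes
  register: install_repo

# … unchanged: Update APT cache, Install Grafana, Check for changed cert, Install configuration …
```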
diff --git a/roles/grafana/templates/grafana.ini.j2 b/roles/grafana/templates/grafana.ini.j2
new file mode 100644
index 0000000..910d453
--- /dev/null
+++ b/roles/grafana/templates/grafana.ini.j2
@@ -0,0 +1,61 @@
+; vi: ft=dosini
+
+[server]
+# Protocol (http, https, h2, socket)
+protocol = https
+http_port = {{ grafana.port }}
+
+cert_file = {{ grafana.certificate }}
+cert_key = {{ grafana.key }}
+
+[database]
+type = mysql
+
+host = {{ grafana.db.host }}
+name = {{ grafana.db.name }}
+user = {{ grafana.db.user }}
+password = """{{ grafana.db.password }}"""
+
+ssl_mode = {{ grafana.db.ssl }}
+
+{% if grafana.db.ssl %}
+ca_cert_path = {{ grafana.db.ca }}
+server_cert_name = {{ grafana.db.host }}
+{% endif %}
+
+[security]
+# disable creation of admin user on first start of grafana
+disable_initial_admin_creation = true
+
+[users]
+allow_sign_up = false
+allow_org_create = false
+
+[auth.ldap]
+enabled = {{ grafana.ldap.enabled }}
+
+{% if grafana.ldap.enabled %}
+config_file = /etc/grafana/ldap.toml
+allow_sign_up = true
+{% endif %}
+
+#################################### SMTP / Emailing ##########################
+[smtp]
+;enabled = false
+;host = localhost:25
+;user =
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+;password =
+;cert_file =
+;key_file =
+;skip_verify = false
+;from_address = admin@grafana.localhost
+;from_name = Grafana
+# EHLO identity in SMTP dialog (defaults to instance_name)
+;ehlo_identity = dashboard.example.com
+# SMTP startTLS policy (defaults to 'OpportunisticStartTLS')
+;startTLS_policy = NoStartTLS
+
+[emails]
+;welcome_email_on_sign_up = false
+;templates_pattern = emails/*.html
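Review bot: `ssl_mode = {{ grafana.db.ssl }}` renders the Python boolean as `True`/`False`, while ldap.toml.j2 in this same commit lowercases its booleans. If Grafana compares the MySQL `ssl_mode` value as a literal string, which I believe it does, a capitalised `True` would likely leave the database connection without TLS and without an error. I would write `ssl_mode = {{ grafana.db.ssl | string | lower }}`, and do the same for `enabled = {{ grafana.ldap.enabled }}` for consistency. A one-line comment above `ssl_mode` listing the accepted values (`true`, `false`, `skip-verify`) would help the next editor.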
diff --git a/roles/grafana/templates/ldap.toml.j2 b/roles/grafana/templates/ldap.toml.j2
new file mode 100644
index 0000000..11411ed
--- /dev/null
+++ b/roles/grafana/templates/ldap.toml.j2
@@ -0,0 +1,33 @@
+# vi: ft=dosini
+[[servers]]
+host = "{{ grafana.ldap.host }}"
+port = {{ grafana.ldap.port }}
+use_ssl = {{ grafana.ldap.use_ssl | string | lower }}
+start_tls = {{ grafana.ldap.start_tls | string | lower }}
+ssl_skip_verify = {{ grafana.ldap.ssl_skip_verify | string | lower }}
+
+bind_dn = "{{ grafana.ldap.bind_dn }}"
+bind_password = """{{ grafana.ldap.bind_pw }}"""
+
+search_filter = "{{ grafana.ldap.search_filter }}"
+search_base_dns = {{ grafana.ldap.base_dns }}
+
+[servers.attributes]
+{% for attr, value in grafana.ldap.attributes.items() %}
+{{ attr }} = "{{ value }}"
+{% endfor %}
+
+# Map ldap groups to grafana org roles
+{% for i in grafana.ldap.group_mappings %}
+[[servers.group_mappings]]
+{% for key, value in i.items() %}
+{% if value is string %}
+{{ key }} = "{{ value }}"
+{% elif value is sameas true or value is sameas false %}
+{{ key }} = {{ value | string | lower }}
+{% else %}
+{{ key }} = {{ value }}
+{% endif %}
+{% endfor %}
+
+{% endfor %}
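Review bot: The string values are pasted between TOML double quotes with no escaping, so a `"` or `\` in `bind_dn`, `search_filter`, an attribute or a group DN (escaped commas are common in DNs) breaks the file or changes what is parsed. The `"""…"""` around `bind_pw` does not help, because backslash escapes are still processed in multi-line basic strings. Letting the filter emit the quoted, escaped string is safer, e.g. `bind_password = {{ grafana.ldap.bind_pw | to_json }}` and `{{ key }} = {{ value | to_json }}` in the string branch of the loop. `base_dns` is a hand-written TOML array kept inside a YAML string; defining it as a YAML list and rendering it with `to_json` would remove that fragility. The `# vi: ft=dosini` modeline looks copied from grafana.ini.j2 and does not match a TOML file.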