Commit 9e8288f6 authored by HgO's avatar HgO

Merge branch '66-playbook-pour-grafana' into 'main'

Resolve "Playbook pour Grafana"

Closes #66

See merge request Neutrinet/infra!74
parents d9f5d0ca ea681728
mail_notification: hub-infra@neutrinet.be
acme_enabled: true
acme_account_email: "{{ mail_notification }}"
acme_directory_url: https://acme-v02.api.letsencrypt.org/directory
users:
- name: tharyrok
shell: /bin/zsh
......@@ -43,8 +49,6 @@ users:
keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjigU9KeN4e973Lhbp39RvifzkC0uVZjTefD8wXtNDE celo@smeagol"
mail_notification: "hub-infra@neutrinet.be"
telegraf_username: telegraf
telegraf_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
......
grafana_domain: grafana.neutrinet.be
grafana_org_name: Neutrinet
......@@ -137,3 +137,6 @@ man.patata.louise.neutri.net
[alertmanager]
monitoring.htz.neutri.net
[grafana]
monitoring.htz.neutri.net
- hosts: grafana
become: true
pre_tasks:
- name: Update cache
apt:
update_cache: true
cache_valid_time: 3600
roles:
- grafana
......@@ -3,5 +3,6 @@ caddy_vhosts_dir: "{{ caddy_config_dir }}/conf.d"
caddy_log_dir: /var/log/caddy
caddy_healthcheck_log: "{{ caddy_log_dir }}/healthcheck.log"
acme_enabled: false
acme_account_email: contact@example.com
acme_directory_url: https://acme-v02.api.letsencrypt.org/directory
acme_directory_url: https://acme-staging-v02.api.letsencrypt.org/directory
grafana_domain: grafana.example.com
grafana_org_name: Example
# Grab metrics about grafana
- targets:
- localhost:3000
labels:
job: grafana
- name: restart grafana
service:
name: grafana-server
state: restarted
- name: reload prometheus
service:
name: prometheus
state: reloaded
*********************************
Vagrant driver installation guide
*********************************
Requirements
============
* Vagrant
* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop
Install
=======
Please refer to the `Virtual environment`_ documentation for installation best
practices. If not using a virtual environment, please consider passing the
widely recommended `'--user' flag`_ when invoking ``pip``.
.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
.. code-block:: bash
$ pip install 'molecule_vagrant'
---
- name: Converge
hosts: all
become: true
roles:
- grafana
dependency:
name: galaxy
driver:
name: vagrant
provider:
name: virtualbox
platforms:
- name: buster-grafana-molecule
box: debian/buster64
cpu: 2
memory: 1024
interfaces:
- network_name: private_network
type: dhcp
auto_config: true
provisioner:
name: ansible
config_options:
defaults:
interpreter_python: /usr/bin/python3
ssh_connection:
pipelining: true
verifier:
name: ansible
---
- name: Prepare
hosts: all
become: true
pre_tasks:
- name: Mise à jour du cache APT
apt:
update_cache: true
cache_valid_time: 3600
roles:
- telegraf
- prometheus
- name: Installation de Caddy2
import_role:
name: caddy_server
vars:
caddy_template: caddy/grafana.j2
tags: ['caddy']
- name: Copie de la configuration Caddy2
template:
src: caddy/grafana.j2
dest: "{{ caddy_vhosts_dir }}/{{ grafana_domain | replace('.', '-') }}.conf"
owner: root
group: root
mode: "u=rw,go=r"
validate: caddy validate --adapter caddyfile --config %s
notify: reload caddy
- name: Ajout de la clé GPG de Grafana dans APT
apt_key:
url: https://packages.grafana.com/gpg.key
state: present
- name: Ajout du dépôt APT Grafana
apt_repository:
repo: deb https://packages.grafana.com/oss/deb stable main
filename: grafana
state: present
- name: Installation de Grafana
package:
name: grafana
state: present
- name: Configuration de Grafana
template:
src: grafana/grafana.ini.j2
dest: /etc/grafana/grafana.ini
owner: grafana
group: grafana
mode: "u=rw,g=r,o="
notify: restart grafana
- name: Activation de Grafana au démarrage
service:
name: grafana-server
state: started
enabled: yes
- name: Ajout du job grafana dans Prometheus
copy:
src: prometheus/grafana.yml
dest: /etc/prometheus/conf.d/grafana.yml
owner: prometheus
group: prometheus
mode: "u=rw,go=r"
notify: reload prometheus
- name: Vérification du mot de passe admin
uri:
url: http://localhost:3000/api/login/ping
user: admin
# on utilise le mot de passe par défaut
# permet de vérifier si c'est une nouvelle install
password: admin
force_basic_auth: true
status_code: [200, 401]
no_log: true
register: _grafana_admin_login_checked
retries: 10
delay: 3
until: _grafana_admin_login_checked is success
- import_tasks: grafana/postinstall.yml
when: _grafana_admin_login_checked.status == 200
tags: ['grafana_postinstall']
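Review bot: The Grafana signing key is added to apt's global trusted keyring by the `apt_key` task just before `apt_repository`, which lets that key authenticate packages from every configured repository, not only packages.grafana.com, and nothing pins the expected key fingerprint. Fetch the key into a dedicated keyring file and scope it to this repository with `signed-by=`, pinning the download with `checksum:` once the fingerprint has been verified out of band; if the downloaded key is ASCII-armored, keep the `.asc` extension (or dearmor it) and confirm on the molecule box that apt on buster accepts it. The underlying `apt-key` tool is also deprecated in recent Debian releases, so this avoids a future breakage of the role.
```yaml
- name: Téléchargement de la clé GPG de Grafana
  get_url:
    url: https://packages.grafana.com/gpg.key
    dest: /usr/share/keyrings/grafana.asc
    owner: root
    group: root
    mode: "u=rw,go=r"
    # checksum: sha256:<fingerprint verified out of band>

- name: Ajout du dépôt APT Grafana
  apt_repository:
    repo: deb [signed-by=/usr/share/keyrings/grafana.asc] https://packages.grafana.com/oss/deb stable main
    filename: grafana
    state: present
# … unchanged: package install, grafana.ini template, service, prometheus job, admin password check …
```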
- name: Récupération des infos de l'organisation par défaut
uri:
url: http://localhost:3000/api/org
user: admin
password: admin
force_basic_auth: true
register: _grafana_org
no_log: true
- name: Modification du nom de l'organisation
# Nécessaire pour permettre un accès anonyme aux dashboards de l'organisation
uri:
url: http://localhost:3000/api/org
method: PUT
body_format: form-multipart
body:
name: "{{ grafana_org_name }}"
user: admin
password: admin
force_basic_auth: true
changed_when: _grafana_org.json.name != grafana_org_name
no_log: true
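Review bot: These post-install tasks authenticate as `admin`/`admin` and never change that password, so after the playbook has run Grafana stays reachable through Caddy on `grafana_domain` with its factory credentials; nothing else in the commit sets a Grafana admin password (the vaulted `telegraf_password` is the only secret visible). Since `main.yml` only imports this file when the `admin`/`admin` login still succeeds, this is the right place to rotate it: add a vaulted `grafana_admin_password` variable and, as the last task, change the password via `PUT /api/user/password`, which also makes subsequent runs skip the post-install as intended. Separately, the org rename sends `body_format: form-multipart` while Grafana's documented `PUT /api/org` takes a JSON body, so `body_format: json` is the safer choice unless the multipart form is known to work.
```yaml
# … unchanged: default-org lookup and rename …
- name: Changement du mot de passe admin par défaut
  uri:
    url: http://localhost:3000/api/user/password
    method: PUT
    body_format: json
    body:
      oldPassword: admin
      newPassword: "{{ grafana_admin_password }}"
      confirmNew: "{{ grafana_admin_password }}"
    user: admin
    password: admin
    force_basic_auth: true
  no_log: true
```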
- import_tasks: grafana/main.yml
tags: ['grafana']
- import_tasks: caddy.yml
tags: ['caddy']
{{ grafana_domain }} {
{% if not acme_enabled %}
tls internal
{% endif %}
reverse_proxy {
to http://127.0.0.1:3000
flush_interval -1
transport http {
keepalive 310s
compression off
}
}
log {
output file /var/log/caddy/{{ grafana_domain | replace('.', '-') }}.log
}
}
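Review bot: TLS terminates in this vhost and Grafana is reached over plain HTTP on `127.0.0.1:3000`, so Grafana never sees an HTTPS connection and will only mark its session cookie `Secure` if told to; the accompanying `templates/grafana/grafana.ini.j2` in this commit leaves `;cookie_secure = false` at its commented default even though `root_url = https://{{ grafana_domain }}/` is set. Enable it there with `cookie_secure = true`. Grafana's own HSTS option is documented in that template as only being sent when Grafana itself serves HTTPS, which it does not here (`;protocol = http`), so if HSTS is wanted it has to be emitted by this site block, e.g. `header Strict-Transport-Security "max-age=31536000"`. With `acme_enabled` false and `tls internal`, the browser-facing scheme is still https, so the Secure flag remains correct in the molecule setup too.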
{{ ansible_managed | comment }}
##################### Grafana Configuration Example #####################
#
# Everything has defaults so you only need to uncomment things you want to
# change
# possible values : production, development
;app_mode = production
# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
;instance_name = ${HOSTNAME}
#################################### Paths ####################################
[paths]
# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
;data = /var/lib/grafana
# Temporary files in `data` directory older than given duration will be removed
;temp_data_lifetime = 24h
# Directory where grafana can store logs
;logs = /var/log/grafana
# Directory where grafana will automatically scan and look for plugins
;plugins = /var/lib/grafana/plugins
# folder that contains provisioning config files that grafana will apply on startup and while running.
;provisioning = conf/provisioning
#################################### Server ####################################
[server]
# Protocol (http, https, h2, socket)
;protocol = http
# The ip address to bind to, empty will bind to all interfaces
http_addr = localhost
# The http port to use
;http_port = 3000
# The public facing domain name used to access grafana from a browser
domain = {{ grafana_domain }}
# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://{{ grafana_domain }}/
# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
;serve_from_sub_path = false
# Log web requests
;router_logging = false
# the path relative working path
;static_root_path = public
# enable gzip
;enable_gzip = false
# https certs & key file
;cert_file =
;cert_key =
# Unix socket path
;socket =
# CDN Url
;cdn_url =
# Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections.
# `0` means there is no timeout for reading the request.
;read_timeout = 0
#################################### Database ####################################
[database]
# You can configure the database connection by specifying type, host, name, user and password
# as separate properties or as on string using the url properties.
# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = sqlite3
;host = 127.0.0.1:3306
;name = grafana
;user = root
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
;password =
# Use either URL or the previous fields to configure the database
# Example: mysql://user:secret@host:port/database
;url =
# For "postgres" only, either "disable", "require" or "verify-full"
;ssl_mode = disable
# Database drivers may support different transaction isolation levels.
# Currently, only "mysql" driver supports isolation levels.
# If the value is empty - driver's default isolation level is applied.
# For "mysql" use "READ-UNCOMMITTED", "READ-COMMITTED", "REPEATABLE-READ" or "SERIALIZABLE".
;isolation_level =
;ca_cert_path =
;client_key_path =
;client_cert_path =
;server_cert_name =
# For "sqlite3" only, path relative to data_path setting
;path = grafana.db
# Max idle conn setting default is 2
;max_idle_conn = 2
# Max conn setting default is 0 (mean not set)
;max_open_conn =
# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
;conn_max_lifetime = 14400
# Set to true to log the sql calls and execution times.
;log_queries =
# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
;cache_mode = private
################################### Data sources #########################
[datasources]
# Upper limit of data sources that Grafana will return. This limit is a temporary configuration and it will be deprecated when pagination will be introduced on the list data sources API.
;datasource_limit = 5000
#################################### Cache server #############################
[remote_cache]
# Either "redis", "memcached" or "database" default is "database"
;type = database
# cache connectionstring options
# database: will use Grafana primary database.
# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=0,ssl=false`. Only addr is required. ssl may be 'true', 'false', or 'insecure'.
# memcache: 127.0.0.1:11211
;connstr =
#################################### Data proxy ###########################
[dataproxy]
# This enables data proxy logging, default is false
;logging = false
# How long the data proxy waits to read the headers of the response before timing out, default is 30 seconds.
# This setting also applies to core backend HTTP data sources where query requests use an HTTP client with timeout set.
;timeout = 30
# How long the data proxy waits to establish a TCP connection before timing out, default is 10 seconds.
;dialTimeout = 10
# How many seconds the data proxy waits before sending a keepalive probe request.
;keep_alive_seconds = 30
# How many seconds the data proxy waits for a successful TLS Handshake before timing out.
;tls_handshake_timeout_seconds = 10
# How many seconds the data proxy will wait for a server's first response headers after
# fully writing the request headers if the request has an "Expect: 100-continue"
# header. A value of 0 will result in the body being sent immediately, without
# waiting for the server to approve.
;expect_continue_timeout_seconds = 1
# Optionally limits the total number of connections per host, including connections in the dialing,
# active, and idle states. On limit violation, dials will block.
# A value of zero (0) means no limit.
;max_conns_per_host = 0
# The maximum number of idle connections that Grafana will keep alive.
;max_idle_connections = 100
# How many seconds the data proxy keeps an idle connection open before timing out.
;idle_conn_timeout_seconds = 90
# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
;send_user_header = false
#################################### Analytics ####################################
[analytics]
# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
# No ip addresses are being tracked, only simple counters to track
# running instances, dashboard and error counts. It is very helpful to us.
# Change this option to false to disable reporting.
reporting_enabled = false
# The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs
;reporting_distributor = grafana-labs
# Set to false to disable all checks to https://grafana.net
# for new versions (grafana itself and plugins), check is used
# in some UI views to notify that grafana or plugin update exists
# This option does not cause any auto updates, nor send any information
# only a GET request to http://grafana.com to get latest versions
;check_for_updates = true
# Google Analytics universal tracking code, only enabled if you specify an id here
;google_analytics_ua_id =
# Google Tag Manager ID, only enabled if you specify an id here
;google_tag_manager_id =
#################################### Security ####################################
[security]
# disable creation of admin user on first start of grafana
;disable_initial_admin_creation = false
# default admin user, created on startup
;admin_user = admin
# default admin password, can be changed before first start of grafana, or in profile settings
;admin_password = admin
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
# disable gravatar profile images
disable_gravatar = true
# data source proxy whitelist (ip_or_domain:port separated by spaces)
;data_source_proxy_whitelist =
# disable protection against brute force login attempts
;disable_brute_force_login_protection = false
# set to true if you host Grafana behind HTTPS. default is false.
;cookie_secure = false
# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
;cookie_samesite = lax
# set to true if you want to allow browsers to render Grafana in a <frame>, <iframe>, <embed> or <object>. default is false.
;allow_embedding = false
# Set to true if you want to enable http strict transport security (HSTS) response header.
# This is only sent when HTTPS is enabled in this configuration.
# HSTS tells browsers that the site should only be accessed using HTTPS.
;strict_transport_security = false
# Sets how long a browser should cache HSTS. Only applied if strict_transport_security is enabled.
;strict_transport_security_max_age_seconds = 86400
# Set to true if to enable HSTS preloading option. Only applied if strict_transport_security is enabled.
;strict_transport_security_preload = false
# Set to true if to enable the HSTS includeSubDomains option. Only applied if strict_transport_security is enabled.
;strict_transport_security_subdomains = false
# Set to true to enable the X-Content-Type-Options response header.
# The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
# in the Content-Type headers should not be changed and be followed.
;x_content_type_options = true
# Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
# when they detect reflected cross-site scripting (XSS) attacks.
;x_xss_protection = true
# Enable adding the Content-Security-Policy header to your requests.
# CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
;content_security_policy = false
# Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
# $NONCE in the template includes a random nonce.
# $ROOT_PATH is server.root_url without the protocol.
;content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""
#################################### Snapshots ###########################
[snapshots]
# snapshot sharing options
;external_enabled = true
;external_snapshot_url = https://snapshots-origin.raintank.io
;external_snapshot_name = Publish to snapshot.raintank.io
# Set to true to enable this Grafana instance act as an external snapshot server and allow unauthenticated requests for
# creating and deleting snapshots.
;public_mode = false
# remove expired snapshot
;snapshot_remove_expired = true
#################################### Dashboards History ##################
[dashboards]
# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
;versions_to_keep = 20
# Minimum dashboard refresh interval. When set, this will restrict users to set the refresh interval of a dashboard lower than given interval. Per default this is 5 seconds.
# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
;min_refresh_interval = 5s
# Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json"
;default_home_dashboard_path =
#################################### Users ###############################
[users]
# disable user signup / registration
allow_sign_up = false
# Allow non admin users to create organizations
allow_org_create = false
# Set to true to automatically assign new users to the default organization (id 1)
;auto_assign_org = true
# Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
;auto_assign_org_id = 1
# Default role new users will be automatically assigned (if disabled above is set to true)
;auto_assign_org_role = Viewer
# Require email validation before sign up completes
;verify_email_enabled = false
# Background text for the user field on the login page
;login_hint = email or username
;password_hint = password
# Default UI theme ("dark" or "light")
;default_theme = dark
# Path to a custom home page. Users are only redirected to this if the default home dashboard is used. It should match a frontend route and contain a leading slash.
; home_page =
# External user management, these options affect the organization users view
;external_manage_link_url =
;external_manage_link_name =
;external_manage_info =
# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
;viewers_can_edit = false
# Editors can administrate dashboard, folders and teams they create
;editors_can_admin = false
# The duration in time a user invitation remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). Default is 24h (24 hours). The minimum supported duration is 15m (15 minutes).
;user_invite_max_lifetime_duration = 24h
# Enter a comma-separated list of users login to hide them in the Grafana UI. These users are shown to Grafana admins and themselves.
; hidden_users =
[auth]
# Login cookie name
;login_cookie_name = grafana_session
# The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month). The lifetime resets at each successful token rotation.
;login_maximum_inactive_lifetime_duration =
# The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30 days (30d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month).