Update to 2021-12-01 19:13

roles/grafana/defaults/main.yml

@@ -0,0 +1,89 @@
+---
+
+# On which ip we should bind.
+grafana_listen_ip: 0.0.0.0
+
+# Port on which we should bind
+grafana_port: 3000
+
+# If defined, will be the public URL of Grafana
+# granafa_root_url: https://graph.example.com
+
+# IP allowed to access grafana port. Only relevant if listen ip is not 127.0.0.1
+grafana_src_ip: []
+
+# Database settings
+# Can be sqlite3, mysql or postgres
+grafana_db_type: mysql
+
+# If mysql or postgres is used, all the following settings have to be set
+# For MySQL you can also set the path to a UNIX socket
+grafana_db_server: "{{ mysql_server | default('/var/lib/mysql/mysql.sock') }}"
+# If using TCP for MySQL or PostgreSQL, you must provide the port
+grafana_db_port: 3306
+grafana_db_name: grafana
+grafana_db_user: grafana
+# grafana_db_pass: secret
+
+# Is grafana_reporting_enabled is true. Send reports to stats.grafana.org
+grafana_reporting: False
+
+# Automatic check for updates
+grafana_check_for_updates: True
+
+# Log level. Can be "debug", "info", "warn", "error", "critical"
+grafana_log_level: info
+
+# Allow user to sign up
+grafana_allow_sign_up: False
+
+grafana_auth_base:
+  anonymous:
+    org_role: Viewer
+    enabled: False
+  proxy:
+    header_name: Auth-User
+    enabled: False
+    #    whitelist:
+    #  - 10.10.1.20
+    #  - 192.168.7.12
+  ldap:
+    enabled: "{{ (ad_auth | default(False) or ldap_auth | default(False)) | ternary(True,False) }}"
+    servers: "{{ (ad_ldap_servers is defined) | ternary(ad_ldap_servers,[ldap.example.org]) }}"
+    port: 389
+    use_ssl: True
+    start_tls: True
+    ssl_skip_verify: False
+    # root_ca_cert: /etc/pki/tls/certs/cert.pem
+    # bind_dn:
+    # bind_password:
+    search_filter: "({{ ad_auth | default(False) | ternary('samaccountname','uid') }}=%s)"
+    search_base_dns:
+      - "{{ ad_auth | default(False) | ternary('DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='), ldap_base | default('dc=example,dc=org')) }}"
+    # group_search_filter: "(&(objectClass=posixGroup)(memberUid=%s))"
+    # group_search_base_dns:
+    #   - ou=groups,dc=example,dc=org
+    # group_search_filter_user_attribute: uid
+    attributes:
+      name: givenName
+      surname: sn
+      username: "{{ ad_auth | default(False) | ternary('sAMAccountName','uid') }}"
+      member_of: "{{ ad_auth | default(False) | ternary('memberOf','cn') }}"
+      email: mail
+    group_mappings:
+      - ldap_group: "{{ ad_auth | default(False) | ternary('CN=Domain Admins,CN=Users,' + 'DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='),'admins') }}"
+        role: Admin
+      - ldap_group: "{{ ad_auth | default(False) | ternary('CN=Domain Admins,OU=Groups,' + 'DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='),'admins') }}"
+        role: Admin
+      - ldap_group: "{{ ad_auth | default(False) | ternary('CN=Domain Users,CN=Users,' + 'DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='),'shared') }}"
+        role: Editor
+      - ldap_group: "{{ ad_auth | default(False) | ternary('CN=Domain Users,OU=Groups,' + 'DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='),'shared') }}"
+        role: Editor
+      - ldap_group: '*'
+        role: Viewer
+grafana_auth_extra: {}
+grafana_auth: "{{ grafana_auth_base | combine(grafana_auth_extra, recursive=True) }}"
+
+# Plugins to install
+grafana_plugins:
+  - alexanderzobnin-zabbix-app

roles/grafana/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- include: ../common/handlers/main.yml
+
+- name: restart grafana
+  service: name=grafana-server state=restarted

roles/grafana/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: repo_grafana }

roles/grafana/tasks/main.yml

@@ -0,0 +1,141 @@
+---
+- name: Install grafana
+  yum: name=grafana state=present
+  register: grafana_install
+  tags: grafana
+
+- name: Create unit snippet dir
+  file: path=/etc/systemd/system/grafana-server.service.d state=directory
+  tags: grafana
+
+- name: Tune to restart indefinitely
+  copy:
+    content: |
+      [Service]
+      StartLimitInterval=0
+      RestartSec=20
+    dest: /etc/systemd/system/grafana-server.service.d/restart.conf
+  register: grafana_unit
+  tags: grafana
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: grafana_unit.changed
+  tags: grafana
+
+- name: Handle grafana port
+  iptables_raw:
+    name: grafana_port
+    state: "{{ (grafana_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ grafana_port }} -s {{ grafana_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: grafana,firewall
+
+- when: grafana_db_pass is not defined
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: /etc/grafana/ansible_db_pass
+        - complex: False
+    - set_fact: grafana_db_pass={{ rand_pass }}
+  tags: grafana
+
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ grafana_db_name }}"
+    - db_user: "{{ grafana_db_user }}"
+    - db_server: "{{ grafana_db_server }}"
+    - db_pass: "{{ grafana_db_pass }}"
+  when: grafana_db_type == 'mysql'
+  tags: grafana
+
+- when: grafana_db_type == 'postgres'
+  block:
+    - name: Create the PostgreSQL role
+      postgresql_user:
+        name: "{{ grafana_db_user }}"
+        password: "{{ grafana_db_pass }}"
+        login_host: "{{ grafana_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ pg_admin_pass }}"
+    
+    - name: Create the PostgreSQL database
+      postgresql_db:
+        name: "{{ grafana_db_name }}"
+        encoding: UTF-8
+        lc_collate: C
+        lc_ctype: C
+        template: template0
+        owner: "{{ grafana_db_user }}"
+        login_host: "{{ grafana_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ pg_admin_pass }}"
+  tags: grafana
+
+- block:
+  - import_tasks: ../includes/get_rand_pass.yml
+    vars:
+      - pass_file: /etc/grafana/ansible_secret_key
+  - set_fact: grafana_secret_key={{ rand_pass }}
+  tags: grafana
+
+- name: Deploy grafana configuration
+  template: src={{ item }}.j2 dest=/etc/grafana/{{ item }} owner=root group=grafana mode=640
+  with_items:
+    - grafana.ini
+    - ldap.toml
+  notify: restart grafana
+  tags: grafana
+
+  # Since Grafana 7.5.7, grafana-cli even when invoked as root takes action under the grafana user
+  # so we need to be sure permissions are OK, or plugin update/installation/removal will fail
+- name: Ensure correct permissions on data dir
+  file: path=/var/lib/grafana owner=grafana group=grafana mode=770 recurse=True
+  tags: grafana
+
+- name: Build a list of installed plugins
+  shell: grafana-cli plugins ls | perl -ne '/^(\w[\-\w]+)\s\@\s\d+\./ && print "$1\n"'
+  register: grafana_installed_plugins
+  changed_when: False
+  tags: grafana
+
+- name: Remove unmanaged plugins
+  command: grafana-cli plugins uninstall {{ item }}
+  with_items: "{{ grafana_installed_plugins.stdout_lines }}"
+  when: item not in grafana_plugins
+  notify: restart grafana
+  tags: grafana
+
+- name: Install plugins
+  command: grafana-cli plugins install {{ item }}
+  with_items: "{{ grafana_plugins }}"
+  when: item not in grafana_installed_plugins.stdout_lines
+  notify: restart grafana
+  tags: grafana
+
+- name: Check installed plugins versions
+  shell: grafana-cli plugins ls | perl -ne '/^(\w[\-\w]+)\s\@\s(\d+[^\s]*)/ && print "$1 $2\n"'
+  register: grafana_installed_plugins_versions
+  changed_when: False
+  tags: grafana
+
+- name: Check available plugins versions
+  shell: grafana-cli plugins list-remote | perl -ne '/^id:\s+(\w[\-\w]+)\sversion:\s+(\d+[^\s]*)/ && print "$1 $2\n"'
+  register: grafana_remote_plugins_versions
+  changed_when: False
+  tags: grafana
+
+- name: Update grafana plugins
+  command: grafana-cli plugins update-all
+  when: grafana_installed_plugins_versions.stdout_lines is not subset(grafana_remote_plugins_versions.stdout_lines)
+  notify: restart grafana
+  tags: grafana
+
+- name: Start and enable the service
+  service: name=grafana-server state=started enabled=True
+  tags: grafana
+
+- name: Change admin password to a random one
+  command: grafana-cli admin reset-admin-password --homepath="/usr/share/grafana" --config /etc/grafana/grafana.ini $(openssl rand -base64 33)
+  when: grafana_install.changed
+  tags: grafana

roles/grafana/templates/grafana.ini.j2

@@ -0,0 +1,75 @@
+[paths]
+
+[server]
+protocol = http
+http_addr = 0.0.0.0
+http_port = {{ grafana_port }}
+{% if grafana_root_url is defined %}
+root_url = {{ grafana_root_url }}
+{% endif %}
+
+[database]
+type = {{ grafana_db_type }}
+{% if grafana_db_type == 'sqlite3' %}
+path = grafana.db
+{% else %}
+host = {{ grafana_db_server }}{% if grafana_db_port is defined and not grafana_db_server is match ('^/') %}:{{ grafana_db_port }}{% endif %}
+
+name = {{ grafana_db_name }}
+user = {{ grafana_db_user }}
+password = {{ grafana_db_pass }}
+{% endif %}
+
+[session]
+
+[dataproxy]
+
+[analytics]
+reporting_enabled = {{ grafana_reporting | ternary('true', 'false') }}
+check_for_updates = {{ grafana_check_for_updates | ternary('true', 'false') }}
+
+[security]
+secret_key = {{ grafana_secret_key }}
+
+[snapshots]
+
+[users]
+allow_sign_up = {{ grafana_allow_sign_up | ternary('true','false') }}
+
+[auth]
+
+[auth.anonymous]
+{% if grafana_auth.anonymous is defined and grafana_auth.anonymous.enabled | default(True) %}
+enabled = true
+{% if grafana_auth.anonymous.org_name is defined %}
+org_name = {{ grafana_auth.anonymous.org_name }}
+{% endif %}
+{% if grafana_auth.anonymous.org_role is defined %}
+org_role = {{ grafana_auth.anonymous.org_role }}
+{% endif %}
+{% endif %}
+
+[auth.proxy]
+{% if grafana_auth.proxy is defined and grafana_auth.proxy.enabled | default(True) %}
+enabled = true
+header_name = {{ grafana_auth.proxy.header_name | default('User-Name') }}
+header_property = username
+auto_sign_up = true
+{% if grafana_auth.proxy.whitelist is defined %}
+whitelist = {{ grafana_auth.proxy.whitelist | join(',') }}
+{% endif %}
+{% endif %}
+
+[auth.basic]
+
+[auth.ldap]
+{% if grafana_auth.ldap is defined and grafana_auth.ldap.enabled | default(True) %}
+enabled = true
+config_file = /etc/grafana/ldap.toml
+{% endif %}
+
+[emails]
+
+[log]
+mode = console
+level = {{ grafana_log_level }}

roles/grafana/templates/ldap.toml.j2

@@ -0,0 +1,37 @@
+[[servers]]
+host = "{{ grafana_auth.ldap.servers | join(' ') }}"
+port = {{ grafana_auth.ldap.port }}
+use_ssl = {{ (grafana_auth.ldap.use_ssl or grafana_auth.ldap.start_tls) | ternary('true','false') }}
+start_tls = {{ grafana_auth.ldap.start_tls | ternary('true','false') }}
+ssl_skip_verify = {{ grafana_auth.ldap.ssl_skip_verify | ternary('true','false') }}
+
+{% if grafana_auth.ldap.root_ca_cert is defined %}
+root_ca_cert = {{ grafana_auth.ldap.root_ca_cert }}
+{% endif %}
+
+{% if grafana_auth.ldap.bind_dn is defined and grafana_auth.ldap.bind_password is defined %}
+bind_dn = "{{ grafana_auth.ldap.bind_dn }}"
+bind_password = '{{ grafana_auth.ldap.bind_password }}'
+{% endif %}
+search_filter = "{{ grafana_auth.ldap.search_filter }}"
+search_base_dns = ["{{ grafana_auth.ldap.search_base_dns | join('","') }}"]
+
+{% if grafana_auth.ldap.group_search_filter is defined %}
+group_search_filter = "{{ grafana_auth.ldap.group_search_filter }}"
+group_search_base_dns = ["{{ grafana_auth.ldap.group_search_base_dns | join('","') }}"]
+{% if grafana_auth.ldap.group_search_filter_user_attribute is defined %}
+group_search_filter_user_attribute = "{{ grafana_auth.ldap.group_search_filter_user_attribute }}"
+{% endif %}
+{% endif %}
+
+[servers.attributes]
+{% for attr in grafana_auth.ldap.attributes %}
+{{ attr }} = "{{ grafana_auth.ldap.attributes[attr] }}"
+{% endfor %}
+
+{% for map in grafana_auth.ldap.group_mappings %}
+[[servers.group_mappings]]
+group_dn = "{{ map['ldap_group'] }}"
+org_role = "{{ map['role'] }}"
+
+{% endfor %}