Initial commit

Just add this to a repository
master
Ronald 2 years ago
commit a1b7627948

@ -0,0 +1,36 @@
# Role Name: grafana_server
An Ansible role to install and configure Grafana.
## Role Variables
**NOTE** that in the table below if a value has a default value the example value/default value column will contain the default value of the variable.
| Variable name | Type | Description | Required | Has default value | Example value |
|---------------|------|-------------|----------|-------------------|---------------|
| `grafana_server_users` | list of dictionaries | A dictionary containing users to be created | ☐ | ☐ | See [below](####grafana_server_users) |
#### grafana_server_users
```yaml
grafana_server_users:
- amanda: # The user's name
login: amanda # The login, what you type on the login screen
email: amanda@ajordan.com # Email address
password: Password123! # The password, obviously
is_admin: true # Whether the user is an admin
```
## Example Playbook
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
```
- hosts: grafana_servers
roles:
- grafana_server
```
# License
BSD 2 Clause License

@ -0,0 +1,68 @@
---
# defaults file for grafana_server
grafana_server_install_grafana: true
grafana_server_configure_grafana: true
grafana_server_validate_certs: false
grafana_server_app_mode: production
grafana_server_instance_name: ${HOSTNAME}
# Path default settings
grafana_server_paths_data: /var/lib/grafana
grafana_server_paths_temp_data_lifetime: 24h
grafana_server_paths_logs: /var/log/grafana
grafana_server_paths_plugins: /var/lib/grafana/plugins
grafana_server_paths_provisioning: conf/provisioning
# Server default settings
grafana_server_enable_https: false
grafana_server_http_port: 3000
grafana_server_enable_gzip: true
grafana_server_enable_router_logging: false
grafana_server_enforce_domain: false
grafana_server_static_root_path: "public"
# Database default settings
grafana_server_db: sqlite
grafana_server_db_path: grafana.db
# Analytics default settings
grafana_server_analytics_reporting_enabled: false
grafana_server_analytics_feedback_links_enabled: true
# Security default settings
grafana_server_security_disable_initial_admin_account_creation: false
grafana_server_security_initial_admin_user: admin
grafana_server_security_initial_admin_password: grafana
# Dashboard default settings
grafana_server_dashboards_versions_to_keep: 20
# User default settings
grafana_server_users_allow_sign_up: false
grafana_server_users_allow_org_create: false
# Authentication default settings
grafana_server_login_cookie_name: "grafana_session"
grafana_server_inactive_lifetime_duration: 7d
grafana_server_maximum_lifetime_duration: 7d
grafana_server_cookie_max_age: 600
grafana_server_api_key_max_seconds_to_live: -1
## Anonymous authentication
grafana_server_anonymous_authentication_enabled: true
grafana_server_anonymous_authentication_org_name: Main Org.
grafana_server_anonymous_authentication_org_role: Viewer
grafana_server_anonymous_authentication_hide_version: false
## Basic authentication
grafana_server_basic_authentication_enabled: true
# Admin user
grafana_server_admin_user: root
grafana_server_admin_user_name: root
grafana_server_admin_password: "{{ vault_grafana_server_admin_password }}"
...
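Review bot: `grafana_server_anonymous_authentication_enabled: true` makes unauthenticated Viewer access the role's default, so every host that takes the defaults exposes its dashboards to anyone who can reach the HTTP port. I would ship `grafana_server_anonymous_authentication_enabled: false` and let operators opt in. `grafana_server_validate_certs: false` near the top of the file is a related weak default: once HTTPS is enabled, the `uri` and `grafana_user` tasks send the admin credentials without verifying the server certificate, so `grafana_server_validate_certs: true` is the safer starting point.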

@ -0,0 +1,17 @@
---
galaxy_info:
author: ronald1985
description: An Ansible role to install and configure Grafana
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: BSD-3-Clause
min_ansible_version: "2.17"
...

@ -0,0 +1,21 @@
---
- name: Template grafana.ini to /etc/grafana
ansible.builtin.template:
src: grafana.ini.j2
dest: /etc/grafana/grafana.ini
owner: root
group: grafana
mode: "0640"
- name: Start Grafana service
ansible.builtin.service:
name: grafana-server
state: restarted
- name: Enable Grafana service
ansible.builtin.service:
name: grafana-server
enabled: true
...
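Review bot: The rendered grafana.ini carries `admin_password` and, for MySQL, the database `password`, and the "Template grafana.ini to /etc/grafana" task will print the changed lines whenever the play runs with `--diff`. Adding `diff: false` to that task keeps those values out of console and CI logs. Separately, "Start Grafana service" uses `state: restarted`, so the service is bounced on every run even when nothing changed. A `notify:` on the template task with a restart handler, and `state: started` here, would make the role idempotent.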

@ -0,0 +1,36 @@
---
- name: Set fact for Grafana URL when using HTTP
ansible.builtin.set_fact:
grafana_server_grafana_url: "http://localhost:{{ grafana_server_http_port }}"
when:
- not grafana_server_enable_https | bool
- grafana_server_grafana_url is undefined
- name: Set fact for Grafana URL when using HTTPS
ansible.builtin.set_fact:
grafana_server_grafana_url: "https://localhost:{{ grafana_server_http_port }}"
when:
- grafana_server_enable_https | bool
- grafana_server_grafana_url is undefined
- name: Create datasources
community.grafana.grafana_datasource:
grafana_url: "{{ grafana_server_grafana_url }}"
grafana_user: "{{ grafana_server_admin_user }}"
grafana_password: "{{ grafana_server_admin_password }}"
org_id: 1
name: "{{ item.key }}"
ds_type: "{{ item.value.type }}"
ds_url: "{{ item.value.url }}"
database: "{{ item.value.database | default(omit) }}"
user: "{{ item.value.user | default(omit) }}"
sslmode: "{{ item.value.sslmode | default(omit) }}"
additional_json_data: "{{ item.value.additonal_json_data | default(omit) }}"
additional_secure_json_data: "{{ item.value.additional_secure_json_data | default(omit) }}"
enforce_secure_data: "{{ item.value.enforce_secure_data | default(false) }}"
loop: "{{ grafana_server_datasources | dict2items }}"
when:
- grafana_server_datasources is defined
...
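Review bot: The "Create datasources" loop has neither `no_log: true` nor a `loop_control` label, so Ansible prints each `item`, including `additional_secure_json_data`, in the per-iteration task output. The user-creation loop in this commit already sets `no_log: true`, and this one should match, or at least set `loop_control` with `label: "{{ item.key }}"`. The `additional_json_data` line reads `item.value.additonal_json_data` (misspelled), so a correctly spelled key supplied by the operator is silently omitted. The task also does not pass `validate_certs: "{{ grafana_server_validate_certs }}"`, unlike the user-management tasks.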

@ -0,0 +1,42 @@
---
- name: Install required packages for Grafana
ansible.builtin.apt:
pkg:
- gpg
state: present
- name: Add Grafana repo apt key
ansible.builtin.apt_key:
url: https://apt.grafana.com/gpg.key
state: present
when:
ansible_distribution == 'Debian'
- name: Add Grafana stable repository
ansible.builtin.apt_repository:
repo: deb https://apt.grafana.com stable main
when:
ansible_distribution == 'Debian'
- name: Install Grafana when running Debian
ansible.builtin.apt:
pkg: grafana
update_cache: true
force_apt_get: true
when:
ansible_distribution == 'Debian'
- name: Template Grafana service file
ansible.builtin.template:
src: grafana-server.service.j2
dest: /lib/systemd/system/grafana-server.service
owner: root
group: root
mode: "0644"
- name: Refresh systemd service files
ansible.builtin.systemd:
daemon_reload: true
...
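Review bot: "Add Grafana repo apt key" uses `ansible.builtin.apt_key`, which relies on the deprecated apt-key tool and adds the key to apt's global trusted keyring, so it is trusted for every configured repository rather than only apt.grafana.com. Storing the key under /etc/apt/keyrings and referencing it with `signed-by=` in the repository line scopes the trust to this one source. Adding a `checksum:` to the download would additionally pin the key content. The keyrings directory exists by default on current Debian releases; older ones may need it created first.
```yaml
- name: Download Grafana repo signing key
  ansible.builtin.get_url:
    url: https://apt.grafana.com/gpg.key
    dest: /etc/apt/keyrings/grafana.asc
    owner: root
    group: root
    mode: "0644"
  when:
    ansible_distribution == 'Debian'

- name: Add Grafana stable repository
  ansible.builtin.apt_repository:
    repo: deb [signed-by=/etc/apt/keyrings/grafana.asc] https://apt.grafana.com stable main
  when:
    ansible_distribution == 'Debian'
# … unchanged: package install, service file template, daemon reload …
```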

@ -0,0 +1,50 @@
---
# tasks file for grafana_server
- name: Check that operating system is supported
ansible.builtin.assert:
that:
- ansible_distribution == "Debian"
- name: Check that required variables are defined for configuring Grafana
ansible.builtin.fail:
msg: "{{ item }} is undefined"
when:
- vars[item] is undefined
- grafana_server_configure_grafana | bool
loop: "{{ grafana_server_required_vars_configuration }}"
- name: Check that required variables are defined for HTTPS
ansible.builtin.fail:
msg: "{{ item }} is undefined"
when:
- vars[item] is undefined
- grafana_server_enable_https | bool
loop: "{{ grafana_server_required_vars_https }}"
- name: Include Debian specific tasks
ansible.builtin.include_tasks:
file: debian.yml
when:
- ansible_distribution == "Debian"
- grafana_server_install_grafana | bool
- name: Include tasks to configure Grafana
ansible.builtin.include_tasks:
file: configure_grafana.yml
when:
- grafana_server_configure_grafana | bool
- name: Include tasks to manage users
ansible.builtin.include_tasks:
file: users.yml
when:
- grafana_server_configure_grafana | bool
- name: Include tasks to manage datasources
ansible.builtin.include_tasks:
file: datasources.yml
when:
- grafana_server_configure_grafana | bool
...
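Review bot: Nothing here checks the variables that the MySQL branch of grafana.ini needs. With `grafana_server_db: mysql` the template reads `grafana_server_db_host`, `grafana_server_db_user` and `grafana_server_db_password`, none of which has a default, so the run fails at template time with an undefined-variable error instead of the clear message the other two checks give. A third check in the same style, gated on the database type, would close that gap. Any other `grafana_server_db` value passes silently and renders an empty `[database]` section, which an `assert` on the allowed values would catch.
```yaml
# … unchanged: OS assert, configuration and HTTPS variable checks …
- name: Check that required variables are defined for MySQL
  ansible.builtin.fail:
    msg: "{{ item }} is undefined"
  when:
    - vars[item] is undefined
    - grafana_server_configure_grafana | bool
    - grafana_server_db | lower == "mysql"
  loop:
    - grafana_server_db_host
    - grafana_server_db_user
    - grafana_server_db_password
# … unchanged: include_tasks for debian, configure, users, datasources …
```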

@ -0,0 +1,69 @@
---
- name: Set fact for Grafana URL when using HTTP
ansible.builtin.set_fact:
grafana_server_grafana_url: "http://localhost:{{ grafana_server_http_port }}"
when:
- not grafana_server_enable_https | bool
- name: Set fact for Grafana URL when using HTTPS
ansible.builtin.set_fact:
grafana_server_grafana_url: "https://localhost:{{ grafana_server_http_port }}"
when:
- grafana_server_enable_https | bool
- name: Check that Grafana is up and running
ansible.builtin.uri:
url: "{{ grafana_server_grafana_url }}"
method: GET
validate_certs: "{{ grafana_server_validate_certs }}"
status_code:
- 200
register: grafana_server_check_grafana_up
until: grafana_server_check_grafana_up.status == 200
retries: 10
- name: Create new admin account using initial admin credentials
community.grafana.grafana_user:
url: "{{ grafana_server_grafana_url }}"
url_username: "{{ grafana_server_security_initial_admin_user }}"
url_password: "{{ grafana_server_security_initial_admin_password }}"
validate_certs: "{{ grafana_server_validate_certs }}"
is_admin: true
login: "{{ grafana_server_admin_user }}"
name: "{{ grafana_server_admin_user_name }}"
email: "{{ grafana_server_admin_user_email }}"
password: "{{ grafana_server_admin_password }}"
state: present
register: grafana_server_create_admin_user
failed_when:
- grafana_server_create_admin_user.msg is defined
- "'Permission Denied' not in grafana_server_create_admin_user.msg"
- name: Delete initial admin account
community.grafana.grafana_user:
url: "{{ grafana_server_grafana_url }}"
url_username: "{{ grafana_server_admin_user }}"
url_password: "{{ grafana_server_admin_password }}"
validate_certs: "{{ grafana_server_validate_certs }}"
login: "{{ grafana_server_security_initial_admin_user }}"
state: absent
- name: Create any additional users
community.grafana.grafana_user:
url: "{{ grafana_server_grafana_url }}"
url_username: "{{ grafana_server_admin_user }}"
url_password: "{{ grafana_server_admin_password }}"
validate_certs: "{{ grafana_server_validate_certs }}"
name: "{{ item.key }}"
login: "{{ item.value.login }}"
email: "{{ item.value.email }}"
is_admin: "{{ item.value.is_admin }}"
password: "{{ item.value.password }}"
state: present
no_log: true
loop: "{{ grafana_server_users | dict2items }}"
when:
- grafana_server_users is defined
...
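Review bot: "Delete initial admin account" has no guard for the case where `grafana_server_admin_user` is set to the same login as `grafana_server_security_initial_admin_user`. The task would then try to remove the account the role has just configured and is authenticating with. Adding `when: grafana_server_admin_user != grafana_server_security_initial_admin_user` makes that case a no-op. The final task feeds `grafana_server_users` through `dict2items`, which needs a mapping, while the README documents and shows a list of dictionaries, so the documented example would presumably fail here; one of the two should change.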

@ -0,0 +1,54 @@
[Unit]
Description=Grafana instance
Documentation=http://docs.grafana.org
Wants=network-online.target
After=network-online.target
After=postgresql.service mariadb.service mysql.service influxdb.service
[Service]
EnvironmentFile=/etc/default/grafana-server
User=grafana
Group=grafana
Type=simple
Restart=on-failure
WorkingDirectory=/usr/share/grafana
RuntimeDirectory=grafana
RuntimeDirectoryMode=0750
ExecStart=/usr/share/grafana/bin/grafana server \
--config=${CONF_FILE} \
--pidfile=${PID_FILE_DIR}/grafana-server.pid \
--packaging=deb \
cfg:default.paths.logs=${LOG_DIR} \
cfg:default.paths.data=${DATA_DIR} \
cfg:default.paths.plugins=${PLUGINS_DIR} \
cfg:default.paths.provisioning=${PROVISIONING_CFG_DIR}
LimitNOFILE=10000
TimeoutStopSec=20
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
DeviceAllow=
LockPersonality=true
MemoryDenyWriteExecute=false
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=full
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
UMask=0027
[Install]
WantedBy=multi-user.target
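Review bot: `MemoryDenyWriteExecute=false` is the only hardening directive in this [Service] block that is explicitly turned off, and nothing records why. A comment above it, for example `# Left disabled on purpose; confirm Grafana and its plugins run with W^X enforced before enabling`, would tell the next maintainer whether it is safe to tighten.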

@ -0,0 +1,330 @@
##################### Grafana Configuration #####################
# possible values : production, development
app_mode = {{ grafana_server_app_mode }}
# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
instance_name = {{ grafana_server_instance_name }}
#################################### Paths ####################################
[paths]
# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
data = {{ grafana_server_paths_data }}
# Temporary files in `data` directory older than given duration will be removed
temp_data_lifetime = {{ grafana_server_paths_temp_data_lifetime }}
# Directory where grafana can store logs
logs = {{ grafana_server_paths_logs }}
# Directory where grafana will automatically scan and look for plugins
plugins = {{ grafana_server_paths_plugins }}
# folder that contains provisioning config files that grafana will apply on startup and while running.
provisioning = {{ grafana_server_paths_provisioning }}
#################################### Server ####################################
[server]
# Protocol (http, https, h2, socket)
{% if grafana_server_enable_https %}
protocol = https
# https certs & key file
cert_file = {{ grafana_server_certificate_path }}
cert_key = {{ grafana_server_certificate_key_path }}
{% else %}
protocol = http
{% endif %}
# The public facing domain name used to access grafana from a browser
domain = {{ grafana_server_domain }}
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
;root_url = %(protocol)s://%(domain)s:%(http_port)s/
{% if grafana_server_enable_router_logging %}
# Log web requests
router_logging = true
{% else %}
router_logging = false
{% endif %}
# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
{% if grafana_server_enforce_domain %}
enforce_domain = true
{% else %}
enforce_domain = false
{% endif %}
# The http port to use
http_port = {{ grafana_server_http_port }}
# enable gzip
{% if grafana_server_enable_gzip %}
enable_gzip = false
{% else %}
enable_gzip = true
{% endif %}
# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
;serve_from_sub_path = false
# the path relative working path
static_root_path = {{ grafana_server_static_root_path }}
# Unix socket path
;socket =
# CDN Url
;cdn_url =
# Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections.
# `0` means there is no timeout for reading the request.
;read_timeout = 0
#################################### Database ####################################
[database]
{% if grafana_server_db | lower == "sqlite" %}
type = sqlite3
# For "sqlite3" only, path relative to data_path setting
path = {{ grafana_server_db_path }}
# Max idle conn setting default is 2
max_idle_conn = 2
# Max conn setting default is 0 (mean not set)
max_open_conn = 0
# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
conn_max_lifetime = 14400
# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
cache_mode = private
{% elif grafana_server_db | lower == "mysql" %}
type = mysql
host = {{ grafana_server_db_host }}
user = {{ grafana_server_db_user }}
password = {{ grafana_server_db_password }}
{% endif %}
#################################### Analytics ####################################
[analytics]
# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
# No ip addresses are being tracked, only simple counters to track
# running instances, dashboard and error counts. It is very helpful to us.
# Change this option to false to disable reporting.
{% if grafana_server_analytics_reporting_enabled %}
reporting_enabled = true
{% else %}
reporting_enabled = false
{% endif %}
# Controls if the UI contains any links to user feedback forms
{% if grafana_server_analytics_feedback_links_enabled %}
feedback_links_enabled = true
{% else %}
feedback_links_enabled = false
{% endif %}
#################################### Security ####################################
[security]
# disable creation of admin user on first start of grafana
{% if grafana_server_security_disable_initial_admin_account_creation %}
disable_initial_admin_creation = true
{% else %}
disable_initial_admin_creation = false
{% endif %}
# default admin user, created on startup
admin_user = {{ grafana_server_security_initial_admin_user }}
# default admin password, can be changed before first start of grafana, or in profile settings
admin_password = {{ grafana_server_initial_admin_password }}
#################################### Dashboards History ##################
[dashboards]
# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
versions_to_keep = {{ grafana_server_dashboards_versions_to_keep }}
# Minimum dashboard refresh interval. When set, this will restrict users to set the refresh interval of a dashboard lower than given interval.
min_refresh_interval = 1s
#################################### Users ###############################
[users]
{% if grafana_server_users_allow_sign_up %}
# enable user signup / registration
allow_sign_up = false
{% else %}
# disable user signup / registration
allow_sign_up = false
{% endif %}
{% if grafana_server_users_allow_org_create %}
# Allow non admin users to create organizations
allow_org_create = true
{% else %}
# Allow non admin users to create organizations
allow_org_create = false
{% endif %}
# Set to true to automatically assign new users to the default organization (id 1)
;auto_assign_org = true
# Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
;auto_assign_org_id = 1
# Default role new users will be automatically assigned (if disabled above is set to true)
;auto_assign_org_role = Viewer
# Require email validation before sign up completes
;verify_email_enabled = false
# Background text for the user field on the login page
login_hint = email or username
# Default UI theme ("dark" or "light")
default_theme = dark
# Default locale (supported IETF language tag, such as en-US)
default_locale = en-GB
# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
viewers_can_edit = false
# Editors can administrate dashboard, folders and teams they create
editors_can_admin = false
# The duration in time a user invitation remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). Default is 24h (24 hours). The minimum supported duration is 15m (15 minutes).
user_invite_max_lifetime_duration = 2h
[auth]
# Login cookie name
login_cookie_name = {{ grafana_server_login_cookie_name }}
# The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month). The lifetime resets at each successful token rotation.
login_maximum_inactive_lifetime_duration = {{ grafana_server_inactive_lifetime_duration }}
# The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30 days (30d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month).
login_maximum_lifetime_duration = {{ grafana_server_maximum_lifetime_duration }}
# OAuth state max age cookie duration in seconds. Defaults to 600 seconds.
oauth_state_cookie_max_age = {{ grafana_server_cookie_max_age }}
# limit of api_key seconds to live before expiration
api_key_max_seconds_to_live = {{ grafana_server_api_key_max_seconds_to_live }}
#################################### Anonymous Auth ######################
[auth.anonymous]
{% if grafana_server_anonymous_authentication_enabled %}
# enable anonymous access
enabled = true
{% else %}
# disable anonymous access
enabled = false
{% endif %}
# specify organization name that should be used for unauthenticated users
org_name = {{ grafana_server_anonymous_authentication_org_name }}
# specify role for unauthenticated users
org_role = {{ grafana_server_anonymous_authentication_org_role }}
{% if grafana_server_anonymous_authentication_hide_version %}
# mask the Grafana version number for unauthenticated users
hide_version = true
{% else %}
# don't mask the Grafana version number for unauthenticated users
hide_version = false
{% endif %}
#################################### Basic Auth ##########################
{% if grafana_server_basic_authentication_enabled %}
[auth.basic]
enabled = true
{% endif %}
#################################### SMTP / Emailing ##########################
[smtp]
;enabled = false
;host = localhost:25
;user =
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
;password =
;cert_file =
;key_file =
;skip_verify = false
;from_address = admin@grafana.localhost
;from_name = Grafana
# EHLO identity in SMTP dialog (defaults to instance_name)
;ehlo_identity = dashboard.example.com
# SMTP startTLS policy (defaults to 'OpportunisticStartTLS')
;startTLS_policy = NoStartTLS
[emails]
;welcome_email_on_sign_up = false
;templates_pattern = emails/*.html, emails/*.txt
;content_types = text/html
#################################### Logging ##########################
[log]
# Either "console", "file", "syslog". Default is console and file
# Use space to separate multiple modes, e.g. "console file"
mode = console file
# Either "debug", "info", "warn", "error", "critical", default is "info"
level = info
#################################### Unified Alerting ####################
[unified_alerting]
#Enable the Unified Alerting sub-system and interface. When enabled we'll migrate all of your alert rules and notification channels to the new system. New alert rules will be created and your notification channels will be converted into an Alertmanager configuration. Previous data is preserved to enable backwards compatibility but new data is removed.```
enabled = true
# Specify the frequency of polling for admin config changes.
# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
admin_config_poll_interval = 60s
# Specify the frequency of polling for Alertmanager config changes.
# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
alertmanager_config_poll_interval = 60s
# Listen address/hostname and port to receive unified alerting messages for other Grafana instances. The port is used for both TCP and UDP. It is assumed other Grafana instances are also running on the same port.
ha_listen_address = ""
# Listen address/hostname and port to receive unified alerting messages for other Grafana instances. The port is used for both TCP and UDP. It is assumed other Grafana instances are also running on the same port.
ha_advertise_address = ""
# Minimum interval to enforce between rule evaluations. Rules will be adjusted if they are less than this value or if they are not multiple of the scheduler interval (10s). Higher values can help with resource management as we'll schedule fewer evaluations over time. This option has a legacy version in the `[alerting]` section that takes precedence.
# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
min_interval = 10s
#################################### External image storage ##########################
[external_image_storage]
# Used for uploading images to public servers so they can be included in slack/email messages.
# you can choose between (s3, webdav, gcs, azure_blob, local)
provider = local
[external_image_storage.local]
# does not require any configuration
[date_formats]
# For information on what formatting patterns that are supported https://momentjs.com/docs/#/displaying/
# Default system date format used in time range picker and other places where full time is displayed
full_date = HH:mm:ss DD-MM-YYYY
# Used by graph and other places where we only show small intervals
interval_second = HH:mm:ss
interval_minute = HH:mm
interval_hour = HH:mm DD/MM
interval_day = DD/MM
interval_month = MM-YYYY
interval_year = YYYY
# Default timezone for user preferences. Options are 'browser' for the browser local timezone or a timezone name from IANA Time Zone database, e.g. 'UTC' or 'Europe/Amsterdam' etc.
default_timezone = browser
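Review bot: The `enable_gzip` block is inverted: when `grafana_server_enable_gzip` is true it writes `enable_gzip = false` and vice versa, so the role default of `true` turns compression off; the two values should be swapped. The `[users]` block has a similar slip, since both branches write `allow_sign_up = false` and the first should be `allow_sign_up = true` to honour the variable. `admin_password` and the MySQL `password` are written unquoted, and as the file's own SMTP comment notes, a value containing `#` or `;` has to be wrapped in triple quotes, so such a password would presumably be cut short. Writing `password = """{{ grafana_server_db_password }}"""` (and the same for `admin_password`) avoids that.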

@ -0,0 +1,15 @@
---
# vars file for grafana_server
grafana_server_required_vars_configuration:
- grafana_server_domain
- grafana_server_admin_user_email
- grafana_server_admin_password
grafana_server_required_vars_https:
- grafana_server_certificate_path
- grafana_server_certificate_key_path
grafana_server_initial_admin_password: grafana
...
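Review bot: `grafana_server_initial_admin_password: grafana` duplicates the default `grafana_server_security_initial_admin_password`, and the two are used in different places: grafana.ini's `admin_password` reads this one, while the "Create new admin account" task logs in with the other. Role vars outrank inventory and play variables, so an operator who overrides the default changes only the login attempt, and Grafana is still started with the well-known password `grafana`. Dropping this line and having the template use `{{ grafana_server_security_initial_admin_password }}` leaves a single, overridable setting.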