From: Alfredo Deza
Date: Mon, 20 Jun 2016 19:24:31 +0000 (-0400)
Subject: ansible: create a grafana role
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=a579285bca18b1a4248c650e1b4246b89eb2a850;p=ceph-build.git
ansible: create a grafana role
Signed-off-by: Alfredo Deza
---
diff --git a/ansible/roles/grafana/defaults/main.yml b/ansible/roles/grafana/defaults/main.yml
new file mode 100644
index 00000000..3e13a773
--- /dev/null
+++ b/ansible/roles/grafana/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+
+app_name: "grafana"
+fqdn: "grafana.local"
diff --git a/ansible/roles/grafana/handlers/main.yml b/ansible/roles/grafana/handlers/main.yml
new file mode 100644
index 00000000..af49413c
--- /dev/null
+++ b/ansible/roles/grafana/handlers/main.yml
@@ -0,0 +1,19 @@
+---
+
+- name: reload systemd
+ sudo: yes
+ command: systemctl daemon-reload
+
+- name: restart app
+ sudo: true
+ service:
+ name: grafana-server
+ state: restarted
+ enabled: yes
+
+- name: restart nginx
+ sudo: true
+ service:
+ name: nginx
+ state: restarted
+ enabled: yes
diff --git a/ansible/roles/grafana/tasks/main.yml b/ansible/roles/grafana/tasks/main.yml
new file mode 100644
index 00000000..3eafb8db
--- /dev/null
+++ b/ansible/roles/grafana/tasks/main.yml
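Review bot: The `reload systemd` handler in handlers/main.yml is not notified by any task in this commit — tasks/main.yml and tasks/nginx.yml only notify `restart app` and `restart nginx` — so unless another role reaches into it, it is dead code that should be dropped or wired to whichever task installs a unit file. The three handlers also mix `sudo: yes` and `sudo: true`, and `sudo:` is the pre-2.0 spelling that the same commit already replaces with `become: yes` in tasks/postgresql.yml; using `become: true` throughout the role would keep the privilege-escalation directive consistent and greppable. Restarting services from a handler is fine, but `enabled: yes` on a restart handler is redundant with the `ensure … is running` tasks that already set it.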
@@ -0,0 +1,61 @@
+---
+- name: update apt cache
+ apt:
+ update_cache: yes
+ sudo: yes
+
+- name: install ssl system requirements
+ sudo: yes
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items: ssl_requirements
+ tags:
+ - packages
+
+- name: install system packages
+ sudo: yes
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items: system_packages
+ tags:
+ - packages
+
+- name: generate pseudo-random password for admin user
+ shell: python -c "exec 'import os; print os.urandom(30).encode(\'base64\')[:${length}]'"
+ register: admin_password
+ changed_when: false
+
+- name: generate pseudo-random password for the database connection
+ shell: python -c "exec 'import os; print os.urandom(30).encode(\'base64\')[:${length}]'"
+ register: db_password
+ changed_when: false
+
+- name: configure grafana
+ template:
+ src: ../templates/grafana.ini.j2
+ dest: "/etc/grafana/grafana.ini"
+ notify:
+ - restart app
+ sudo: true
+
+- include: postgresql.yml
+ tags:
+ - postgresql
+
+- include: nginx.yml
+
+- name: ensure nginx is running
+ sudo: true
+ service:
+ name: nginx
+ state: started
+ enabled: yes
+
+- name: ensure grafana is restarted
+ sudo: true
+ service:
+ name: grafana-server
+ state: restarted
+ enabled: yes
diff --git a/ansible/roles/grafana/tasks/nginx.yml b/ansible/roles/grafana/tasks/nginx.yml
new file mode 100644
index 00000000..0ddba990
--- /dev/null
+++ b/ansible/roles/grafana/tasks/nginx.yml
@@ -0,0 +1,10 @@
+---
+- name: create nginx site config
+ action: template src=../templates/nginx_site.conf dest=/etc/nginx/sites-available/{{ app_name }}.conf
+ sudo: true
+ notify:
+ - restart nginx
+
+- name: link nginx config
+ action: file src=/etc/nginx/sites-available/{{ app_name }}.conf dest=/etc/nginx/sites-enabled/{{ app_name }}.conf state=link
+ sudo: true
diff --git a/ansible/roles/grafana/tasks/postgresql.yml b/ansible/roles/grafana/tasks/postgresql.yml
new file mode 100644
index 00000000..24241b3e
--- /dev/null
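Review bot: The two password-generating tasks in tasks/main.yml `register` secrets but carry no `no_log: true`, so the admin and database passwords are echoed in playbook output (and any CI log that captures it) whenever the run is verbose or a later task fails; add `no_log: true` to both. `${length}` in the Python one-liner is never defined in the task's shell, so it expands to empty and the slice is `[:]` — the password is the full ~40-character base64 string, which is fine, but the slice should be dropped or fed a real `{{ password_length }}` rather than silently doing nothing. Because both values are regenerated on every run (and `changed_when: false` hides it), each run rotates the DB password and rewrites grafana.ini, and since Grafana only honours `admin_password` when it first creates the admin user, the value in the file stops matching the real password after the first run and is never surfaced to the operator; `lookup('password', '/path/on/controller length=40')`, or a `when:` guard that skips generation once the ini exists, would keep the secrets stable. The `configure grafana` template task also sets no `owner`/`group`/`mode`, so the rendered file holding both secrets inherits the default mode; `mode: "0640"` with `group: grafana` (presumably the account the package runs as — confirm) would keep it from being world-readable.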
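Review bot: Both tasks in tasks/nginx.yml use the legacy `action: module key=value` form while the rest of the role (for example the `template:` task in tasks/main.yml) writes module arguments as YAML mappings; writing these two the same way keeps the role consistent and lets yamllint/ansible-lint see the arguments. The `link nginx config` task creates the symlink but does not run `nginx -t` or remove a conflicting distro default site, so a bad render is only discovered when the `restart nginx` handler takes the service down; a `reload` handler would at least keep the old config serving on failure. Restyled tasks:

```yaml
- name: create nginx site config
  template:
    src: ../templates/nginx_site.conf
    dest: "/etc/nginx/sites-available/{{ app_name }}.conf"
  sudo: true
  notify:
    - restart nginx

- name: link nginx config
  file:
    src: "/etc/nginx/sites-available/{{ app_name }}.conf"
    dest: "/etc/nginx/sites-enabled/{{ app_name }}.conf"
    state: link
  sudo: true
```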
+++ b/ansible/roles/grafana/tasks/postgresql.yml
@@ -0,0 +1,48 @@
+---
+- name: ensure database service is up
+ service:
+ name: postgresql
+ state: started
+ enabled: yes
+ sudo: yes
+
+- name: allow users to connect locally
+ sudo: yes
+ lineinfile:
+ # TODO: should not hardcode that version
+ dest: /etc/postgresql/9.5/main/pg_hba.conf
+ regexp: '^host\s+all\s+all\s+127.0.0.1/32'
+ line: 'host all all 127.0.0.1/32 md5'
+ backrefs: yes
+ register: pg_hba_conf
+
+- service:
+ name: postgresql
+ state: restarted
+ sudo: true
+ when: pg_hba_conf.changed
+
+- name: make {{ app_name }} user
+ postgresql_user:
+ name: "{{ app_name }}"
+ password: "{{ db_password.stdout }}"
+ role_attr_flags: SUPERUSER
+ login_user: postgres
+ become_user: postgres
+ become: yes
+
+- name: Make {{ app_name }} database
+ postgresql_db:
+ name: "{{ app_name }}"
+ owner: "{{ app_name }}"
+ state: present
+ login_user: postgres
+ sudo_user: postgres
+ sudo: yes
+
+- name: ensure database service is up
+ service:
+ name: postgresql
+ state: started
+ enabled: yes
+ sudo: yes
diff --git a/ansible/roles/grafana/templates/grafana.ini.j2 b/ansible/roles/grafana/templates/grafana.ini.j2
new file mode 100644
index 00000000..ea0db85e
--- /dev/null
+++ b/ansible/roles/grafana/templates/grafana.ini.j2
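Review bot: `role_attr_flags: SUPERUSER` on the `make {{ app_name }} user` task gives the Grafana application account full control of the PostgreSQL cluster, including every other database and `COPY … TO PROGRAM`, whereas the `postgresql_db` task already makes it `owner` of its own database, which is all it needs; drop the flag or make the intent explicit with `role_attr_flags: NOSUPERUSER,NOCREATEDB,NOCREATEROLE`. The `allow users to connect locally` task uses `lineinfile` with `backrefs: yes`, which only rewrites an existing matching line and never inserts one, so on a pg_hba.conf without a `host all all 127.0.0.1/32` entry nothing changes and the later md5 login silently depends on whatever the distro shipped; a narrower `host {{ app_name }} {{ app_name }} 127.0.0.1/32 md5` line, added when absent, would be both more reliable and least-privilege. The file also mixes `become`/`become_user` with `sudo`/`sudo_user` between adjacent tasks, and the final `ensure database service is up` task duplicates the first one verbatim.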
@@ -0,0 +1,250 @@
+# {{ ansible_managed }}
+##################### Grafana Configuration Example #####################
+#
+# Everything has defaults so you only need to uncomment things you want to
+# change
+
+# possible values : production, development
+; app_mode = production
+
+#################################### Paths ####################################
+[paths]
+# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
+#
+;data = /var/lib/grafana
+#
+# Directory where grafana can store logs
+#
+;logs = /var/log/grafana
+
+#################################### Server ####################################
+[server]
+# Protocol (http or https)
+;protocol = http
+
+# The ip address to bind to, empty will bind to all interfaces
+;http_addr =
+
+# The http port to use
+;http_port = 3000
+
+# The public facing domain name used to access grafana from a browser
+;domain = localhost
+
+# Redirect to correct domain if host header does not match domain
+# Prevents DNS rebinding attacks
+;enforce_domain = false
+
+# The full public facing url
+;root_url = %(protocol)s://%(domain)s:%(http_port)s/
+
+# Log web requests
+;router_logging = false
+
+# the path relative working path
+;static_root_path = public
+
+# enable gzip
+;enable_gzip = false
+
+# https certs & key file
+;cert_file =
+;cert_key =
+
+#################################### Database ####################################
+[database]
+# Either "mysql", "postgres" or "sqlite3", it's your choice
+type = postgres
+host = 127.0.0.1:5432
+name = {{ app_name }}
+user = {{ app_name }}
+password = {{ db_password.stdout }}
+
+# For "postgres" only, either "disable", "require" or "verify-full"
+ssl_mode = disable
+
+# For "sqlite3" only, path relative to data_path setting
+;path = grafana.db
+
+#################################### Session ####################################
+[session]
+# Either "memory", "file", "redis", "mysql", "postgres", default is "file"
+;provider = file
+
+# Provider config options
+# memory: not have any config yet
+# file: session dir path, is relative to grafana data_path
+# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
+# mysql: go-sql-driver/mysql dsn config string, e.g. `user:password@tcp(127.0.0.1:3306)/database_name`
+# postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable
+;provider_config = sessions
+
+# Session cookie name
+;cookie_name = grafana_sess
+
+# If you use session in https only, default is false
+;cookie_secure = false
+
+# Session life time, default is 86400
+;session_life_time = 86400
+
+#################################### Analytics ####################################
+[analytics]
+# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
+# No ip addresses are being tracked, only simple counters to track
+# running instances, dashboard and error counts. It is very helpful to us.
+# Change this option to false to disable reporting.
+reporting_enabled = false
+
+# Google Analytics universal tracking code, only enabled if you specify an id here
+;google_analytics_ua_id =
+
+#################################### Security ####################################
+[security]
+# default admin user, created on startup
+admin_user = admin
+
+# default admin password, can be changed before first start of grafana, or in profile settings
+admin_password = {{ admin_password.stdout }}
+
+# used for signing
+;secret_key = SW2YcwTIb9zpOOhoPsMm
+
+# Auto-login remember days
+;login_remember_days = 7
+;cookie_username = grafana_user
+;cookie_remember_name = grafana_remember
+
+# disable gravatar profile images
+;disable_gravatar = false
+
+# data source proxy whitelist (ip_or_domain:port seperated by spaces)
+;data_source_proxy_whitelist =
+
+#################################### Users ####################################
+[users]
+# disable user signup / registration
+allow_sign_up = false
+
+# Allow non admin users to create organizations
+allow_org_create = false
+
+# Set to true to automatically assign new users to the default organization (id 1)
+;auto_assign_org = true
+
+# Default role new users will be automatically assigned (if disabled above is set to true)
+;auto_assign_org_role = Viewer
+
+# Background text for the user field on the login page
+;login_hint = email or username
+
+#################################### Anonymous Auth ##########################
+[auth.anonymous]
+# enable anonymous access
+;enabled = false
+
+# specify organization name that should be used for unauthenticated users
+org_name = Ceph
+
+# specify role for unauthenticated users
+;org_role = Viewer
+
+#################################### Github Auth ##########################
+[auth.github]
+enabled = false
+;allow_sign_up = false
+client_id = {{ github_client_id }}
+client_secret = {{ github_client_secret }}
+scopes = user:email,read:org
+;auth_url = https://github.com/login/oauth/authorize
+;token_url = https://github.com/login/oauth/access_token
+;api_url = https://api.github.com/user
+;team_ids =
+allowed_organizations = ceph
+
+#################################### Google Auth ##########################
+[auth.google]
+;enabled = false
+;allow_sign_up = false
+;client_id = some_client_id
+;client_secret = some_client_secret
+;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
+;auth_url = https://accounts.google.com/o/oauth2/auth
+;token_url = https://accounts.google.com/o/oauth2/token
+;api_url = https://www.googleapis.com/oauth2/v1/userinfo
+;allowed_domains =
+
+#################################### Auth Proxy ##########################
+[auth.proxy]
+;enabled = false
+;header_name = X-WEBAUTH-USER
+;header_property = username
+;auto_sign_up = true
+
+#################################### Basic Auth ##########################
+[auth.basic]
+;enabled = true
+
+#################################### Auth LDAP ##########################
+[auth.ldap]
+;enabled = false
+;config_file = /etc/grafana/ldap.toml
+
+#################################### SMTP / Emailing ##########################
+[smtp]
+;enabled = false
+;host = localhost:25
+;user =
+;password =
+;cert_file =
+;key_file =
+;skip_verify = false
+;from_address = admin@grafana.localhost
+
+[emails]
+;welcome_email_on_sign_up = false
+
+#################################### Logging ##########################
+[log]
+# Either "console", "file", default is "console"
+# Use comma to separate multiple modes, e.g. "console, file"
+;mode = console, file
+
+# Buffer length of channel, keep it as it is if you don't know what it is.
+;buffer_len = 10000
+
+# Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
+;level = Info
+
+# For "console" mode only
+[log.console]
+;level =
+
+# For "file" mode only
+[log.file]
+;level =
+# This enables automated log rotate(switch of following options), default is true
+;log_rotate = true
+
+# Max line number of single file, default is 1000000
+;max_lines = 1000000
+
+# Max size shift of single file, default is 28 means 1 << 28, 256MB
+;max_lines_shift = 28
+
+# Segment log daily, default is true
+;daily_rotate = true
+
+# Expired days of log file(delete after max days), default is 7
+;max_days = 7
+
+#################################### AMPQ Event Publisher ##########################
+[event_publisher]
+;enabled = false
+;rabbitmq_url = amqp://localhost/
+;exchange = grafana_events
+
+;#################################### Dashboard JSON files ##########################
+[dashboards.json]
+;enabled = false
+;path = /var/lib/grafana/dashboards
diff --git a/ansible/roles/grafana/templates/nginx_site.conf b/ansible/roles/grafana/templates/nginx_site.conf
new file mode 100644
index 00000000..ebb84354
--- /dev/null
+++ b/ansible/roles/grafana/templates/nginx_site.conf
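Review bot: `;secret_key = SW2YcwTIb9zpOOhoPsMm` in `[security]` is left commented out, so Grafana falls back to its built-in default — which, as far as I know, is this same publicly documented string — and that key is what encrypts stored data-source credentials and signs session/remember-me cookies; it should be generated per host the way `admin_password` and `db_password` are, e.g. `secret_key = {{ secret_key.stdout }}` fed from a third urandom task with `no_log: true`. Two related knobs in the same template: `;http_addr =` leaves Grafana listening on all interfaces on port 3000 even though nginx_site.conf proxies to `127.0.0.1:3000`, so `http_addr = 127.0.0.1` would keep the plaintext listener off the network, and because the nginx site serves the app only on 443, `cookie_secure = true` under `[session]` is appropriate. `domain`/`root_url` are also left at `localhost`, so links Grafana generates will not point at `{{ fqdn }}`, and `enforce_domain` stays off despite the reverse proxy. `client_id`/`client_secret` under `[auth.github]` are templated from undefined-in-this-role variables even though `enabled = false`, which makes the template fail to render unless every inventory defines them — guarding them with `{% if github_client_id is defined %}` would avoid that.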
@@ -0,0 +1,26 @@
+server {
+ listen 443 default_server ssl;
+ server_name {{ fqdn }};
+
+ ssl_certificate /etc/ssl/certs/{{ fqdn }}-bundled.crt;
+ ssl_certificate_key /etc/ssl/private/{{ fqdn }}.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ add_header Strict-Transport-Security "max-age=31536000";
+
+ access_log /var/log/nginx/{{ app_name }}-access.log;
+ error_log /var/log/nginx/{{ app_name }}-error.log;
+
+ # Some binaries are gigantic
+ client_max_body_size 2048m;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://127.0.0.1:3000;
+ proxy_read_timeout 500;
+ }
+
+}
diff --git a/ansible/roles/grafana/vars/main.yml b/ansible/roles/grafana/vars/main.yml
new file mode 100644
index 00000000..69eac404
--- /dev/null
+++ b/ansible/roles/grafana/vars/main.yml
@@ -0,0 +1,21 @@
+---
+
+system_packages:
+ - grafana
+ - git
+ - g++
+ - gcc
+ - libpq-dev
+ - postgresql
+ - postgresql-common
+ - postgresql-contrib
+ - python-psycopg2
+ - nginx
+ - vim
+ # needed for the ansible apt_repository module
+ - python-apt
+ - python
+
+ssl_requirements:
+ - openssl
+ - libssl-dev
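Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled and no `ssl_ciphers`/`ssl_prefer_server_ciphers` are set, so the negotiated suite is whatever the distro's nginx build defaults to; for an HSTS-pinned dashboard, `ssl_protocols TLSv1.2;` plus an explicit modern cipher list is the safer baseline unless a legacy client is known to need the older protocols. `client_max_body_size 2048m;` under the comment `# Some binaries are gigantic` reads as carried over from a package-serving role — Grafana's API takes small JSON bodies, so a 2 GiB request-body ceiling only widens the resource-exhaustion surface, and the nginx default (1m) or a few MiB is enough. No server block listens on 80 and redirects to HTTPS, and the HSTS header only takes effect after a first successful TLS visit, so a `listen 80; return 301 https://$host$request_uri;` block would close that gap; `default_server` on 443 also means any hostname hitting this IP gets the `{{ fqdn }}` certificate, which is fine if that is the only site but worth a comment.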
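Review bot: `system_packages` installs `grafana` from apt, but no `apt_repository` task appears anywhere in this commit even though the comment says `python-apt` is `needed for the ansible apt_repository module`; as far as I know Grafana is not in the stock Ubuntu archive, so unless its repository (with its signing key) is configured outside this role, `install system packages` fails on a fresh host. The list also pulls in `gcc`, `g++`, `git`, `libpq-dev`, `libssl-dev` and `vim`, yet nothing visible in this role compiles or clones anything (`python-psycopg2` is installed as a binary package); a compiler toolchain on a monitoring host adds attack surface and patch burden, so trim these to what the tasks actually use or move them to the role that needs them.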