Add monitoring

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

roles/grafana/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart grafana
+  service:
+    name: grafana-server
+    state: restarted

roles/grafana/tasks/main.yml

@@ -0,0 +1,100 @@
+---
+- name: Install GPG
+  apt:
+    name: gnupg
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Import Grafana GPG signing key
+  apt_key:
+    url: https://packages.grafana.com/gpg.key
+    state: present
+    validate_certs: false
+  register: apt_key_result
+  retries: 3
+  until: apt_key_result is succeeded
+
+- name: Add Grafana repository
+  apt_repository:
+    repo: deb http://mirror.adm.ynerant.fr/grafana/oss/deb stable main
+    state: present
+    update_cache: true
+
+- name: Install Grafana
+  apt:
+    name: grafana
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure Grafana
+  ini_file:
+    path: /etc/grafana/grafana.ini
+    section: "{{ item.section }}"
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    mode: 0640
+  loop:
+    - section: server
+      option: root_url
+      value: "{{ grafana.root_url }}"
+    - section: analytics
+      option: reporting_enabled
+      value: "false"
+    - section: analytics
+      option: check_for_updates
+      value: "false"
+    - section: security
+      option: disable_initial_admin_creation
+      value: "true"
+    - section: security
+      option: cookie_secure
+      value: "true"
+    - section: snapshots
+      option: external_enabled
+      value: "false"
+    - section: users
+      option: allow_sign_up
+      value: "false"
+    - section: users
+      option: allow_org_create
+      value: "false"
+    - section: auth.anonymous
+      option: enabled
+      value: "true"
+    - section: auth.anonymous
+      option: hide_version
+      value: "true"
+    - section: auth.basic  # Only LDAP auth
+      option: enabled
+      value: "false"
+    - section: auth.ldap
+      option: enabled
+      value: "true"
+    - section: alerting
+      option: enabled
+      value: "false"
+  notify: Restart grafana
+
+- name: Configure Grafana LDAP
+  template:
+    src: ldap.toml.j2
+    dest: /etc/grafana/ldap.toml
+    mode: 0640
+  notify: Restart grafana
+
+- name: Enable and start Grafana
+  systemd:
+    name: grafana-server
+    enabled: true
+    state: started
+    daemon_reload: true
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-grafana
+    mode: 0755

roles/grafana/templates/ldap.toml.j2

@@ -0,0 +1,47 @@
+{{ ansible_header | comment }}
+# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
+# [log]
+# filters = ldap:debug
+
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "{{ grafana.ldap_master_ipv4 }}"
+# Default port is 389 or 636 if use_ssl = true
+port = 636
+# Set to true if ldap server supports TLS
+use_ssl = true
+# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
+start_tls = false
+# set to true if you want to skip ssl cert validation
+ssl_skip_verify = true
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"
+
+# Use direct bind
+bind_dn = "uid=%s,{{ grafana.ldap_user_tree }}"
+
+# Useless as we are doing direct bind,
+# but without LDAP auth hang
+search_filter = "(uid=%s)"
+search_base_dns = ["ou=passwd,dc=ynerant,dc=fr"]
+
+## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
+## Please check grafana LDAP docs for examples
+group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
+group_search_base_dns = ["ou=group,{{ grafana.ldap_base }}"]
+group_search_filter_user_attribute = "cn"
+
+# Specify names of the ldap attributes your ldap uses
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "uid"
+email =  "mail"
+
+# All LDAP members can edit
+[[servers.group_mappings]]
+group_dn = "*"
+org_role = "Admin"

roles/grafana/templates/update-motd.d/05-service.j2

@@ -0,0 +1,3 @@
+#!/usr/bin/tail +14
+{{ ansible_header | comment }}
+> grafana a été déployé sur cette machine. Voir /etc/grafana/.