crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'grafana_newinfra' into 'newinfra' 

Grafana newinfra

See merge request nounous/ansible!176
certbot_on_virtu
erdnaxe 2021-01-05 19:26:57 +01:00
parent d81d9768dc b7f64f33ac
commit 91b8f5e6d6
3 changed files with 28 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
plays/monitoring.yml
View File

@ -25,12 +25,10 @@
grafana: grafana:
root_url: https://grafana.crans.org root_url: https://grafana.crans.org
ldap_bind_dn: "cn=grafana,ou=service-users,{{ ldap_base }}"
ldap_passwd: "{{ vault_ldap_grafana_passwd }}"
ldap_base: 'dc=crans,dc=org' ldap_base: 'dc=crans,dc=org'
ldap_master_ipv4: '172.16.10.1' ldap_master_ipv4: '172.16.10.1'
ldap_user_tree: "ou=users,{{ ldap_base }}" ldap_user_tree: "ou=passwd,{{ ldap_base }}"
roles: roles:
- prometheus - prometheus
- prometheus-alertmanager - prometheus-alertmanager

18
roles/grafana/tasks/main.yml
View File

@ -33,12 +33,18 @@
- section: server - section: server
option: root_url option: root_url
value: "{{ grafana.root_url }}" value: "{{ grafana.root_url }}"
- section: session # This will break with HTTPS
option: cookie_secure
value: "true"
- section: analytics - section: analytics
option: reporting_enabled option: reporting_enabled
value: "false" value: "false"
- section: analytics
option: check_for_updates
value: "false"
- section: security
option: disable_initial_admin_creation
value: "true"
- section: security
option: cookie_secure
value: "true"
- section: snapshots - section: snapshots
option: external_enabled option: external_enabled
value: "false" value: "false"
@ -48,6 +54,12 @@
- section: users - section: users
option: allow_org_create option: allow_org_create
value: "false" value: "false"
- section: auth.anonymous
option: enabled
value: "true"
- section: auth.anonymous
option: hide_version
value: "true"
- section: auth.basic # Only LDAP auth - section: auth.basic # Only LDAP auth
option: enabled option: enabled
value: "false" value: "false"

38
roles/grafana/templates/ldap.toml.j2
View File

@ -7,13 +7,13 @@
# Ldap server host (specify multiple hosts space separated) # Ldap server host (specify multiple hosts space separated)
host = "{{ ldap_master_ipv4 }}" host = "{{ ldap_master_ipv4 }}"
# Default port is 389 or 636 if use_ssl = true # Default port is 389 or 636 if use_ssl = true
port = 389 port = 636
# Set to true if ldap server supports TLS # Set to true if ldap server supports TLS
use_ssl = false use_ssl = true
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS) # Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false start_tls = false
# set to true if you want to skip ssl cert validation # set to true if you want to skip ssl cert validation
ssl_skip_verify = false ssl_skip_verify = true
# set to the path to your root CA certificate or leave unset to use system defaults # set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt" # root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates # Authentication against LDAP servers requiring client certificates
@ -21,13 +21,13 @@ ssl_skip_verify = false
# client_key = "/path/to/client.key" # client_key = "/path/to/client.key"
# Search user bind dn # Search user bind dn
bind_dn = "{{ grafana.ldap_bind_dn }}" bind_dn = "uid=%s,{{ ldap_user_tree }}"
# Search user bind password # Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;""" # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = '{{ grafana.ldap_passwd }}' #bind_password = ''
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)" # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(cn=%s)" search_filter = "(uid=%s)"
# An array of base dns to search through # An array of base dns to search through
search_base_dns = ["{{ ldap_user_tree }}"] search_base_dns = ["{{ ldap_user_tree }}"]
@ -35,31 +35,17 @@ search_base_dns = ["{{ ldap_user_tree }}"]
## For Posix or LDAP setups that does not support member_of attribute you can define the below settings ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples ## Please check grafana LDAP docs for examples
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))" group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
group_search_base_dns = ["ou=posix,ou=groups,{{ ldap_base }}"] group_search_base_dns = ["ou=group,{{ ldap_base }}"]
group_search_filter_user_attribute = "cn" group_search_filter_user_attribute = "cn"
# Specify names of the ldap attributes your ldap uses # Specify names of the ldap attributes your ldap uses
[servers.attributes] [servers.attributes]
name = "sn" name = "givenName"
surname = "" surname = "sn"
username = "cn" username = "uid"
member_of = "dn"
email = "mail" email = "mail"
# Map ldap groups to grafana org roles # All LDAP members can edit
[[servers.group_mappings]] [[servers.group_mappings]]
group_dn = "cn=nounou,ou=posix,ou=groups,dc=crans,dc=org"
org_role = "Admin"
# To make user an instance admin (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1
[[servers.group_mappings]]
group_dn = "cn=apprenti,ou=posix,ou=groups,dc=crans,dc=org"
org_role = "Editor"
[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*" group_dn = "*"
org_role = "Viewer" org_role = "Editor"