Merge branch 'grafana_newinfra' into 'newinfra'

Grafana newinfra See merge request nounous/ansible!176
2021-01-05 19:26:57 +01:00 · 2021-01-05 19:26:57 +01:00 · 91b8f5e6d6
parent d81d9768dc b7f64f33ac
commit 91b8f5e6d6
3 changed files with 28 additions and 32 deletions
--- a/plays/monitoring.yml
+++ b/plays/monitoring.yml
@ -25,12 +25,10 @@

    grafana:
      root_url: https://grafana.crans.org
-      ldap_bind_dn: "cn=grafana,ou=service-users,{{ ldap_base }}"
-      ldap_passwd: "{{ vault_ldap_grafana_passwd }}"

    ldap_base: 'dc=crans,dc=org'
    ldap_master_ipv4: '172.16.10.1'
-    ldap_user_tree: "ou=users,{{ ldap_base }}"
+    ldap_user_tree: "ou=passwd,{{ ldap_base }}"
  roles:
    - prometheus
    - prometheus-alertmanager
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@ -33,12 +33,18 @@
    - section: server
      option: root_url
      value: "{{ grafana.root_url }}"
-    - section: session  # This will break with HTTPS
-      option: cookie_secure
-      value: "true"
    - section: analytics
      option: reporting_enabled
      value: "false"
+    - section: analytics
+      option: check_for_updates
+      value: "false"
+    - section: security
+      option: disable_initial_admin_creation
+      value: "true"
+    - section: security
+      option: cookie_secure
+      value: "true"
    - section: snapshots
      option: external_enabled
      value: "false"
@ -48,6 +54,12 @@
    - section: users
      option: allow_org_create
      value: "false"
+    - section: auth.anonymous
+      option: enabled
+      value: "true"
+    - section: auth.anonymous
+      option: hide_version
+      value: "true"
    - section: auth.basic  # Only LDAP auth
      option: enabled
      value: "false"
--- a/roles/grafana/templates/ldap.toml.j2
+++ b/roles/grafana/templates/ldap.toml.j2
@ -7,13 +7,13 @@
 # Ldap server host (specify multiple hosts space separated)
 host = "{{ ldap_master_ipv4 }}"
 # Default port is 389 or 636 if use_ssl = true
-port = 389
+port = 636
 # Set to true if ldap server supports TLS
-use_ssl = false
+use_ssl = true
 # Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
 start_tls = false
 # set to true if you want to skip ssl cert validation
-ssl_skip_verify = false
+ssl_skip_verify = true
 # set to the path to your root CA certificate or leave unset to use system defaults
 # root_ca_cert = "/path/to/certificate.crt"
 # Authentication against LDAP servers requiring client certificates
@ -21,13 +21,13 @@ ssl_skip_verify = false
 # client_key = "/path/to/client.key"

 # Search user bind dn
-bind_dn = "{{ grafana.ldap_bind_dn }}"
+bind_dn = "uid=%s,{{ ldap_user_tree }}"
 # Search user bind password
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-bind_password = '{{ grafana.ldap_passwd }}'
+#bind_password = ''

 # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
-search_filter = "(cn=%s)"
+search_filter = "(uid=%s)"

 # An array of base dns to search through
 search_base_dns = ["{{ ldap_user_tree }}"]
@ -35,31 +35,17 @@ search_base_dns = ["{{ ldap_user_tree }}"]
 ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
 ## Please check grafana LDAP docs for examples
 group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
-group_search_base_dns = ["ou=posix,ou=groups,{{ ldap_base }}"]
+group_search_base_dns = ["ou=group,{{ ldap_base }}"]
 group_search_filter_user_attribute = "cn"

 # Specify names of the ldap attributes your ldap uses
 [servers.attributes]
-name = "sn"
-surname = ""
-username = "cn"
-member_of = "dn"
+name = "givenName"
+surname = "sn"
+username = "uid"
 email =  "mail"

-# Map ldap groups to grafana org roles
+# All LDAP members can edit
 [[servers.group_mappings]]
-group_dn = "cn=nounou,ou=posix,ou=groups,dc=crans,dc=org"
-org_role = "Admin"
-# To make user an instance admin  (Grafana Admin) uncomment line below
-# grafana_admin = true
-# The Grafana organization database id, optional, if left out the default org (id 1) will be used
-# org_id = 1
-
-[[servers.group_mappings]]
-group_dn = "cn=apprenti,ou=posix,ou=groups,dc=crans,dc=org"
-org_role = "Editor"
-
-[[servers.group_mappings]]
-# If you want to match all (or no ldap groups) then you can use wildcard
 group_dn = "*"
-org_role = "Viewer"
+org_role = "Editor"