---
# Installs the HTTPS transport for APT together with gpg, refreshing the
# package index first. Retried up to 3 times until the apt module succeeds.
- name: Install APT HTTPS support
  register: apt_result
  until: apt_result is succeeded
  retries: 3
  apt:
    update_cache: true
    state: present
    name: [apt-transport-https, gpg]

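# The signing key is the trust anchor for every package installed from the
# Grafana repository, so the download itself must be authenticated: TLS
# certificate validation is left enabled (a forged key fetched over an
# unverified connection would let a forged repository pass signature checks).
# NOTE(review): apt_key adds the key to APT's global trusted keyring and is
# deprecated upstream. Pinning the expected fingerprint through the module's
# `id` parameter would additionally detect a swapped key - obtain the
# fingerprint out of band before adding it.
- name: Import Grafana GPG signing key
  apt_key:
    url: https://packages.grafana.com/gpg.key
    state: present
    validate_certs: true
  # Retried up to 3 times until the key import reports success.
  register: apt_key_result
  retries: 3
  until: apt_key_result is succeeded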

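# Registers the Grafana OSS repository and refreshes the package index.
# update_cache goes out to the network, so the task is retried like the other
# network-bound tasks in this file.
# NOTE(review): the source line carries no signed-by option, so packages from
# this repository are verified against APT's global trusted keyring rather
# than a key scoped to this repository - consider scoping it.
- name: Add Grafana repository
  apt_repository:
    repo: deb https://packages.grafana.com/oss/deb stable main
    state: present
    update_cache: true
  register: apt_repository_result
  retries: 3
  until: apt_repository_result is succeeded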

# Installs the grafana package without a version pin, so the host gets
# whatever release the repository currently offers. Retried up to 3 times
# until the apt module succeeds.
- name: Install Grafana
  register: apt_result
  until: apt_result is succeeded
  retries: 3
  apt:
    state: present
    name: grafana

# Sets the cap_net_bind_service file capability on the Grafana server binary
# so that it can bind :80 (the http_port written by the "Configure Grafana"
# task).
# NOTE(review): a file capability belongs to this exact path and is typically
# lost when a package upgrade replaces the binary - confirm the role is
# re-applied after upgrades and that this path is still the real executable.
- name: Add cap_net_bind_service to grafana
  capabilities:
    state: present
    capability: cap_net_bind_service+ep
    path: /usr/sbin/grafana-server

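# Writes each section/option/value triple from the loop into grafana.ini and
# notifies the "Restart grafana" handler when something changed.
# NOTE(review): owner and group are not set here, so the file presumably keeps
# the ownership it already has; the Grafana service account must remain able
# to read it - confirm.
- name: Configure Grafana
  ini_file:
    path: /etc/grafana/grafana.ini
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    # Quoted so the mode stays an octal string whichever YAML parser reads it.
    mode: "0640"
  loop:
    # Plain-HTTP listener on a privileged port; binding it depends on the
    # cap_net_bind_service task in this file.
    - section: server
      option: http_port
      value: "80"
    - section: server
      option: root_url
      value: "{{ grafana_root_url }}"
    # Author's note: "This will break with HTTPS".
    # NOTE(review): cookies flagged secure are only sent over HTTPS, while the
    # listener above is plain HTTP, so this presumably relies on a
    # TLS-terminating proxy in front of Grafana - confirm. Current Grafana
    # releases read cookie_secure from [security], not [session]; check that
    # the installed version still honours this section.
    - section: session
      option: cookie_secure
      value: "true"
    # No usage reporting to the vendor.
    - section: analytics
      option: reporting_enabled
      value: "false"
    # Dashboards snapshots cannot be published to an external snapshot server.
    - section: snapshots
      option: external_enabled
      value: "false"
    # No self-service account or organisation creation.
    - section: users
      option: allow_sign_up
      value: "false"
    - section: users
      option: allow_org_create
      value: "false"
    # Only LDAP auth.
    # NOTE(review): this disables HTTP Basic authentication only. The built-in
    # admin account is controlled separately ([security] admin_password) and
    # is not managed by this task - confirm it no longer has the package
    # default password.
    - section: auth.basic
      option: enabled
      value: "false"
    - section: auth.ldap
      option: enabled
      value: "true"
    - section: alerting
      option: enabled
      value: "false"
  notify: Restart grafana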

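# Renders ldap.toml.j2 to /etc/grafana/ldap.toml and notifies the
# "Restart grafana" handler on change.
# NOTE(review): the template is not shown here. If it carries an LDAP bind
# password, keep the file closed to other users (as 0640 does) and consider
# no_log or diff: false on this task so the secret is not echoed in task
# output - confirm. Owner and group are not set explicitly.
- name: Configure Grafana LDAP
  template:
    src: ldap.toml.j2
    dest: /etc/grafana/ldap.toml
    # Quoted so the mode stays an octal string whichever YAML parser reads it.
    mode: "0640"
  notify: Restart grafana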

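# Replaces the stock logo in Grafana's public image directory with the icon
# shipped in this role.
- name: Change grafana logo
  copy:
    src: grafana_icon.svg
    dest: /usr/share/grafana/public/img/grafana_icon.svg
    owner: root
    group: root
    # A served static asset needs no group write access: 0644 instead of the
    # former 0664. Quoted so the mode stays an octal string.
    mode: "0644"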

# Reloads systemd's unit files, enables grafana-server at boot and makes sure
# the service is running.
- name: Enable and start Grafana
  systemd:
    daemon_reload: true
    name: grafana-server
    state: started
    enabled: true

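# Renders an executable message-of-the-day fragment that announces this
# host's role.
# NOTE(review): owner and group are not set; the fragment is executable, so
# it should stay writable by its owner only, as 0755 ensures.
- name: Indicate role in motd
  template:
    src: update-motd.d/05-service.j2
    dest: /etc/update-motd.d/05-grafana
    # Quoted so the mode stays an octal string whichever YAML parser reads it.
    mode: "0755"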