Erstelle Grafana-Rolle

README.md

@@ -0,0 +1,48 @@
+Grafana
+=======
+
+[Grafana](https://grafana.com) ist eine Redering-Enging für Zeitreihen.
+
+# Ausführen der Rolle
+- In der jeweiligen `host_vars`-Datei die Variablen in einer `grafana`-Map setzen:
+  | Variable | Wert | Beschreibung |
+  |----------|------|--------------|
+  | `domain` | string | Domainname der Grafana-Instanz |
+- Rolle ausführen:
+  ```Shell
+  ansible-playbook playbooks/grafana.yml
+  ```
+- Grafana aufrufen - der Erstlogin erfolgt mit `admin:amdin`. Anschließend das Passwort ändern und in unsere Zugangsdatenbank eintragen.
+
+# Grafana mit Icinga verknüpfen
+Mit Grafana lassen sich die Performance-Daten aus den Icinga-Checks grafisch in Icinga-Web2 darstellen:
+- Neue "Data Source" hinzufügen und InfluxDB als Datenquelle angeben
+- Unte `/org/apikeys` einen API-Schlüssel erzeugen
+- Nun die Icinga-Dashboards unter `/dashboard/import` importieren. Dazu [hier](https://github.com/Mikesch-mp/icingaweb2-module-grafana/tree/master/dashboards/influxdb) die Dateien `base-metrics.json` und `icinga2-default.json` herunter laden.
+- Beim Import von `icinga2-default.json` müssen die [Queries](https://github.com/Mikesch-mp/icingaweb2-module-grafana/blob/master/doc/06-create-grafana-dashboards-influxdb.md#Templating) (Hostname, Service, Command) angepasst werden
+- Die Darstellung des Grafen für den http-Check anpassen, da sie ansonsten keine Aussagekraft hat:
+  - Dazu das Dashboard ''icinga2-default'' öffnen und einen beliebigen http-Check auswählen
+  - ''Edit Panel'':
+   - Rechts in den Panel-Optionen: ''Axes'' --> ''Left Y'': Unit auf ''Seconds'' und ''Scale'' --> ''log(base 2)''
+   - Unten bei der Query-Abfrage: ''Transform'' --> ''Filter by name '' --> ''size'' deaktivieren
+- Das [Icingaweb2-Modul](https://github.com/Mikesch-mp/icingaweb2-module-grafana|Icingaweb2-Modul) herunter laden und entpacken. Als Pfad kann `/data/icingaweb2-modules` gewählt werden
+- Modulepfad in `/etc/icingaweb2/global.ini` anpassen:
+  ```Ini
+  [global]
+  ...
+  module_path = "/usr/share/icingaweb2/modules:/data/icingaweb2-modules"
+  ```
+- Verzeichnis `/etc/icingaweb2/modules/grafana` anlegen und Besitzrechte analog zu den anderen Verzeichnissen vergeben
+-  Modul in Icingaweb2 `/config/modules#!/grafana/config` konfigurieren:
+  - host: Grafana-Domain
+  - Default Dashboard UID: Dazu in Grafana eine Grafik öffnen und über die *Share*-Funktion die Panel-ID aus der URL kopieren
+  - Grafana access: Indirect proxy
+  - Authentication type: API Token
+- Das Redering der Graphen erfolgt mit dem [Grafana Image Renderer](https://grafana.com/grafana/plugins/grafana-image-renderer) - Installation mit:
+  ```Shell
+  grafana-cli plugins install grafana-image-renderer
+  ```
+- Zusätzlich muss Chromium installiert werden (automatisch durch die Rolle)
+- [Hostalive](https://dokuwiki.tachtler.net/doku.php?id=tachtler:icinga2_-_grafana#icingaweb2add_new_grafana_graphhostalive)-Graph hinzufügen:
+  - Dashboard name: base-metrics
+  - Dashborad UID und Panel-ID erneut aus dem Share-Link kopieren

defaults/main.yml

@@ -0,0 +1,4 @@
+---
+grafana_db: grafana
+grafana_db_user: grafana
+grafana_db_password: "{{ lookup('password', '/tmp/grafana_database_pwd length=42 chars=ascii_letters,digits') }}"

files/fail2ban/filter.conf

@@ -0,0 +1,10 @@
+[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex = ^ lvl=[a-zA-z]* msg=\"Invalid username or password\" (?:\S*=(?:\".*\"|\S*) )*remote_addr=<HOST>
+
+ignoreregex =
+
+[Init]
+datepattern = ^t=%%Y-%%m-%%dT%%H:%%M:%%S%%z

files/fail2ban/jail.conf

@@ -0,0 +1,7 @@
+[grafana]
+enabled  = true
+findtime = 3600
+bantime  = 3600
+port     = http,https
+filter   = grafana
+logpath  = /var/log/grafana/grafana.log

files/grafana.monit

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+check process grafana with pidfile /var/run/grafana/grafana-server.pid
+  group monitor
+  start program = "/bin/systemctl start grafana-server.service"
+  stop  program = "/bin/systemctl stop grafana-server.service"
+  if failed host localhost port 3000 with timeout 15 seconds for 3 times within 4 cycles then restart
+  if 5 restarts with 5 cycles then timeout

files/influxdb.monit

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+check process influxdb
+  matching "/usr/bin/influxd -config /etc/influxdb/influxdb.conf"
+  group database
+  start program = "/usr/sbin/service influxd start"
+  stop program = "/usr/sbin/service influxd stop"
+  if failed host localhost port 8088 with timeout 15 seconds for 3 times within 4 cycles then restart
+  if 5 restarts with 5 cycles then timeout

handlers/main.yml

@@ -0,0 +1,18 @@
+---
+- name: get certificate
+  ansible.builtin.command: dehydrated --cron -g
+
+- name: restart grafana
+  ansible.builtin.service:
+    name: grafana-server
+    state: restarted
+
+- name: reload monit
+  ansible.builtin.service:
+    name: monit
+    state: reloaded
+
+- name: reload fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    state: reloaded

meta/main.yml

@@ -0,0 +1,10 @@
+galaxy_info:
+  author: systemausfall.org
+  description: Role to install Grafana
+  company: Sense.Lab e.V.
+  license: GPLv3
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Debian
+      versions:
+        - bullseye

tasks/database.yml

@@ -0,0 +1,14 @@
+---
+- name: "database | Erstelle Datenbank"
+  ansible.builtin.mysql_db:
+    name: "{{ grafana_db }}"
+    login_unix_socket: "{{ mysql_socket }}"
+    login_user: root
+
+- name: "database | Erstelle Datenbank-Nutzer"
+  ansible.builtin.mysql_user:
+    name: "{{ grafana_db_user }}"
+    password: "{{ grafana_db_password }}"
+    priv: "{{ grafana_db }}.*:ALL"
+    login_unix_socket: "{{ mysql_socket }}"
+    login_user: root

tasks/grafana.yml

@@ -0,0 +1,29 @@
+---
+- name: "grafana | Erzeuge Grafana-Konfiguration"
+  ansible.builtin.template:
+    src: grafana.ini
+    dest: /etc/grafana/grafana.ini
+    mode: 0640
+  notify: restart grafana
+
+- name: "grafana | Aktiviere Monit-Ueberwachung"
+  ansible.builtin.copy:
+    src: "{{ item }}.monit"
+    dest: "/etc/monit/conf-enabled/{{ item }}"
+    mode: 0644
+  notify: reload monit
+  loop:
+    - grafana
+    - influxdb
+
+- name: "grafana | fail2ban-Konfiguration kopieren"
+  ansible.builtin.copy:
+    src: "fail2ban/{{ item.src }}"
+    dest: "/etc/fail2ban/{{ item.dest }}"
+    mode: 0644
+  loop:
+    - src: jail.conf
+      dest: jail.d/grafana.conf
+    - src: filter.conf
+      dest: filter.d/grafana.conf
+  notify: reload fail2ban

tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- import_tasks: packages.yml
+  tags: packages
+
+- import_tasks: database.yml
+  delegate_to: "{{ database_host }}"
+
+- import_tasks: grafana.yml
+  tags: grafana
+
+- import_tasks: webserver.yml
+  tags: webserver

tasks/packages.yml

@@ -0,0 +1,18 @@
+---
+- name: "packages | Fuege apt-key hinzu"
+  ansible.builtin.apt_key:
+    url: https://packages.grafana.com/gpg.key
+
+- name: "packages | Fuege deb-Repository hinzu"
+  ansible.builtin.apt_repository:
+    repo: deb https://packages.grafana.com/oss/deb stable main
+    filename: grafana
+
+- name: "packages | Installiere Grafana"
+  ansible.builtin.apt:
+    name: grafana
+
+- name: "packages | Installiere chromium"
+  ansible.builtin.apt:
+    name: chromium
+    install_recommends: false

tasks/webserver.yml

@@ -0,0 +1,16 @@
+---
+- name: "webserver | Erzeuge Letsencrypt-Zertifikat"
+  ansible.builtin.lineinfile:
+    path: /etc/dehydrated/domains.txt
+    line: "{{ grafana.domain }}"
+  notify: get certificate
+
+- name: "webserver | Grafana-Seitenkonfigurationen kopieren"
+  ansible.builtin.template:
+    src: apache2-site.conf
+    dest: "/etc/apache2/sites-available/{{ grafana.domain }}.conf"
+    mode: 0644
+
+- name: "webserver | Grafana-Seitenkonfiguration aktivieren"
+  ansible.builtin.command: "a2ensite {{ grafana.domain }}"
+  notify: reload apache2

templates/apache2-site.conf

@@ -0,0 +1,26 @@
+<VirtualHost *:80>
+    ServerName {{ grafana.domain }}
+    Redirect permanent / https://{{ grafana.domain }}/
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+    <VirtualHost *:443>
+        ServerName {{ grafana.domain }}
+        Protocols h2 http/1.1
+        DocumentRoot /var/www/html
+        IncludeOptional /etc/apache2/conf-available/add-headers.conf
+
+        ErrorLog ${APACHE_LOG_DIR}/grafana.error.log
+        #CustomLog ${APACHE_LOG_DIR}/grafana.access.log combined
+        LogLevel Error
+
+        SSLEngine On
+        SSLCertificateFile /var/lib/dehydrated/certs/{{ grafana.domain }}/fullchain.pem
+        SSLCertificateKeyFile /var/lib/dehydrated/certs/{{ grafana.domain }}/privkey.pem
+
+        ProxyPreserveHost On
+        ProxyPass /.well-known !
+        ProxyPass / http://127.0.0.1:3000/
+        ProxyPassReverse / http://127.0.0.1:3000/
+    </VirtualHost>
+</IfModule>

templates/grafana.ini

@@ -0,0 +1,27 @@
+# {{ ansible_managed }}
+
+[server]
+domain = {{ grafana.domain }}
+
+[database]
+type = mysql
+host = 127.0.0.1:3306
+name = {{ grafana_db }}
+user = {{ grafana_db_user }}
+password = {{ grafana_db_password }}
+
+[security]
+disable_gravatar = true
+cookie_secure = true
+cookie_samesite = strict
+strict_transport_security = true
+strict_transport_security_max_age_seconds = 86400
+strict_transport_security_preload = true
+strict_transport_security_subdomains = true
+x_content_type_options = true
+x_xss_protection = true
+content_security_policy = true
+content_security_policy_template = """script-src 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
+
+[auth.anonymous]
+enabled = false

vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for roles/grafana