Erstelle Grafana-Rolle
commit
9ecb9985fb
16 changed files with 258 additions and 0 deletions
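--- a/README.md
+++ b/README.md
@@ -0,0 +1,48 @@
+Grafana
+=======
+
+[Grafana](https://grafana.com) ist eine Redering-Enging für Zeitreihen.
+
+# Ausführen der Rolle
+- In der jeweiligen `host_vars`-Datei die Variablen in einer `grafana`-Map setzen:
+| Variable | Wert | Beschreibung |
+|----------|------|--------------|
+| `domain` | string | Domainname der Grafana-Instanz |
+- Rolle ausführen:
+```Shell
+ansible-playbook playbooks/grafana.yml
+```
+- Grafana aufrufen - der Erstlogin erfolgt mit `admin:amdin`. Anschließend das Passwort ändern und in unsere Zugangsdatenbank eintragen.
+
+# Grafana mit Icinga verknüpfen
+Mit Grafana lassen sich die Performance-Daten aus den Icinga-Checks grafisch in Icinga-Web2 darstellen:
+- Neue "Data Source" hinzufügen und InfluxDB als Datenquelle angeben
+- Unte `/org/apikeys` einen API-Schlüssel erzeugen
+- Nun die Icinga-Dashboards unter `/dashboard/import` importieren. Dazu [hier](https://github.com/Mikesch-mp/icingaweb2-module-grafana/tree/master/dashboards/influxdb) die Dateien `base-metrics.json` und `icinga2-default.json` herunter laden.
+- Beim Import von `icinga2-default.json` müssen die [Queries](https://github.com/Mikesch-mp/icingaweb2-module-grafana/blob/master/doc/06-create-grafana-dashboards-influxdb.md#Templating) (Hostname, Service, Command) angepasst werden
+- Die Darstellung des Grafen für den http-Check anpassen, da sie ansonsten keine Aussagekraft hat:
+- Dazu das Dashboard ''icinga2-default'' öffnen und einen beliebigen http-Check auswählen
+- ''Edit Panel'':
+- Rechts in den Panel-Optionen: ''Axes'' --> ''Left Y'': Unit auf ''Seconds'' und ''Scale'' --> ''log(base 2)''
+- Unten bei der Query-Abfrage: ''Transform'' --> ''Filter by name '' --> ''size'' deaktivieren
+- Das [Icingaweb2-Modul](https://github.com/Mikesch-mp/icingaweb2-module-grafana|Icingaweb2-Modul) herunter laden und entpacken. Als Pfad kann `/data/icingaweb2-modules` gewählt werden
+- Modulepfad in `/etc/icingaweb2/global.ini` anpassen:
+```Ini
+[global]
+...
+module_path = "/usr/share/icingaweb2/modules:/data/icingaweb2-modules"
+```
+- Verzeichnis `/etc/icingaweb2/modules/grafana` anlegen und Besitzrechte analog zu den anderen Verzeichnissen vergeben
+- Modul in Icingaweb2 `/config/modules#!/grafana/config` konfigurieren:
+- host: Grafana-Domain
+- Default Dashboard UID: Dazu in Grafana eine Grafik öffnen und über die *Share*-Funktion die Panel-ID aus der URL kopieren
+- Grafana access: Indirect proxy
+- Authentication type: API Token
+- Das Redering der Graphen erfolgt mit dem [Grafana Image Renderer](https://grafana.com/grafana/plugins/grafana-image-renderer) - Installation mit:
+```Shell
+grafana-cli plugins install grafana-image-renderer
+```
+- Zusätzlich muss Chromium installiert werden (automatisch durch die Rolle)
+- [Hostalive](https://dokuwiki.tachtler.net/doku.php?id=tachtler:icinga2_-_grafana#icingaweb2add_new_grafana_graphhostalive)-Graph hinzufügen:
+- Dashboard name: base-metrics
+- Dashborad UID und Panel-ID erneut aus dem Share-Link kopieren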
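--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+grafana_db: grafana
+grafana_db_user: grafana
+grafana_db_password: "{{ lookup('password', '/tmp/grafana_database_pwd length=42 chars=ascii_letters,digits') }}"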
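Review bot: The `password` lookup behind `grafana_db_password` keeps the generated database password under a fixed name in `/tmp` on the control node, a directory that every local account can write to and that is usually emptied on reboot. Whoever creates `/tmp/grafana_database_pwd` before the first run determines the value the lookup returns, and after a cleanup the next run generates a new password and rewrites the database user. Pointing the lookup at a directory only the deploying user can write, e.g. `lookup('password', '<private-credentials-dir>/grafana_database_pwd length=42 chars=ascii_letters,digits')`, or supplying the value from Ansible Vault, avoids both. The file name is also identical for every host, so all instances deployed from one control node would share a single password.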
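--- a/files/fail2ban/filter.conf
+++ b/files/fail2ban/filter.conf
@@ -0,0 +1,10 @@
+[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex = ^ lvl=[a-zA-z]* msg=\"Invalid username or password\" (?:\S*=(?:\".*\"|\S*) )*remote_addr=<HOST>
+
+ignoreregex =
+
+[Init]
+datepattern = ^t=%%Y-%%m-%%dT%%H:%%M:%%S%%z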
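Review bot: The character class `[a-zA-z]` in `failregex` is most likely meant to be `[a-zA-Z]`; as written, the range `A-z` also admits `[`, `\`, `]`, `^`, `_` and the backtick. The greedy `\".*\"` inside the key=value group can span several quoted fields, so if any field logged before `remote_addr=` carries request-controlled text (not visible from this file), the address fail2ban extracts may not be the real peer. Restricting the quoted value and fixing the class, `failregex = ^ lvl=[a-zA-Z]* msg=\"Invalid username or password\" (?:\S*=(?:\"[^\"]*\"|\S*) )*remote_addr=<HOST>`, keeps the match to one field at a time. Confirm the result against real lines from grafana.log with `fail2ban-regex` before relying on the jail.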
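--- a/files/fail2ban/jail.conf
+++ b/files/fail2ban/jail.conf
@@ -0,0 +1,7 @@
+[grafana]
+enabled = true
+findtime = 3600
+bantime = 3600
+port = http,https
+filter = grafana
+logpath = /var/log/grafana/grafana.log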
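Review bot: The `[grafana]` jail bans whatever address Grafana logs as `remote_addr`, but in this role Grafana is only reached through the Apache proxy on 127.0.0.1 (templates/apache2-site.conf). It is worth confirming in grafana.log that the field holds the client address and not the proxy's loopback address or a value taken from a client-supplied forwarding header; otherwise the jail either never bans the right host or can end up banning an unrelated one. `maxretry` is not set, so the threshold comes from the fail2ban defaults on the host; stating it here, e.g. `maxretry = 5`, makes the lockout policy reviewable together with `findtime` and `bantime`.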
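--- a/files/grafana.monit
+++ b/files/grafana.monit
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+check process grafana with pidfile /var/run/grafana/grafana-server.pid
+group monitor
+start program = "/bin/systemctl start grafana-server.service"
+stop program = "/bin/systemctl stop grafana-server.service"
+if failed host localhost port 3000 with timeout 15 seconds for 3 times within 4 cycles then restart
+if 5 restarts with 5 cycles then timeout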
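Review bot: The header line `# {{ ansible_managed }}` will not be expanded, because tasks/grafana.yml installs this file with `ansible.builtin.copy` from `files/`, so the literal Jinja expression ends up in `/etc/monit/conf-enabled/grafana`. Either move the file to `templates/` and deploy it with `ansible.builtin.template`, or replace the header with a plain comment such as `# Managed by Ansible (role grafana) - do not edit`. The same applies to files/influxdb.monit.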
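--- a/files/influxdb.monit
+++ b/files/influxdb.monit
@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+check process influxdb
+matching "/usr/bin/influxd -config /etc/influxdb/influxdb.conf"
+group database
+start program = "/usr/sbin/service influxd start"
+stop program = "/usr/sbin/service influxd stop"
+if failed host localhost port 8088 with timeout 15 seconds for 3 times within 4 cycles then restart
+if 5 restarts with 5 cycles then timeout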
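Review bot: This check manages an InfluxDB service that nothing else shown in the commit installs or configures (tasks/packages.yml only installs `grafana` and `chromium`), so on a host without InfluxDB monit would keep trying to start it. The start and stop commands use the service name `influxd`, which is the name of the matched binary; the unit shipped by the package may be named differently (presumably `influxdb`, to be verified on the target). Port 8088 also deserves a comment in the file, since it is presumably not the HTTP API port Grafana would query as a data source.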
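--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,18 @@
+---
+- name: get certificate
+ansible.builtin.command: dehydrated --cron -g
+
+- name: restart grafana
+ansible.builtin.service:
+name: grafana-server
+state: restarted
+
+- name: reload monit
+ansible.builtin.service:
+name: monit
+state: reloaded
+
+- name: reload fail2ban
+ansible.builtin.service:
+name: fail2ban
+state: reloaded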
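Review bot: tasks/webserver.yml notifies `reload apache2`, but no handler with that name is defined in this file. Unless another role in the same play provides it, the run fails at that notify, and the role cannot be used on its own. Adding the handler here, in the same shape as the three service handlers already present, keeps the role self-contained.

```yaml
# … unchanged: get certificate, restart grafana, reload monit, reload fail2ban …

- name: reload apache2
  ansible.builtin.service:
    name: apache2
    state: reloaded
```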
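--- a/meta/main.yml
+++ b/meta/main.yml
@@ -0,0 +1,10 @@
+galaxy_info:
+author: systemausfall.org
+description: Role to install Grafana
+company: Sense.Lab e.V.
+license: GPLv3
+min_ansible_version: "2.9"
+platforms:
+- name: Debian
+versions:
+- bullseye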
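--- a/tasks/database.yml
+++ b/tasks/database.yml
@@ -0,0 +1,14 @@
+---
+- name: "database | Erstelle Datenbank"
+ansible.builtin.mysql_db:
+name: "{{ grafana_db }}"
+login_unix_socket: "{{ mysql_socket }}"
+login_user: root
+
+- name: "database | Erstelle Datenbank-Nutzer"
+ansible.builtin.mysql_user:
+name: "{{ grafana_db_user }}"
+password: "{{ grafana_db_password }}"
+priv: "{{ grafana_db }}.*:ALL"
+login_unix_socket: "{{ mysql_socket }}"
+login_user: root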
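Review bot: The `mysql_user` task sets no `host`, so the account is created for the module default `localhost` on whichever machine `database_host` names (tasks/main.yml delegates this file), while templates/grafana.ini always connects to `127.0.0.1:3306`. If `database_host` is not the Grafana host, the generated configuration cannot reach the database it just provisioned; even on a single host, a TCP connection to 127.0.0.1 presumably matches a `localhost` account only when the server resolves names. Setting `host:` explicitly on the user and deriving the `host =` line in grafana.ini from the same variable keeps the two in step. `priv: "{{ grafana_db }}.*:ALL"` is scoped to the one schema, which is the right boundary for this account.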
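--- a/tasks/grafana.yml
+++ b/tasks/grafana.yml
@@ -0,0 +1,29 @@
+---
+- name: "grafana | Erzeuge Grafana-Konfiguration"
+ansible.builtin.template:
+src: grafana.ini
+dest: /etc/grafana/grafana.ini
+mode: 0640
+notify: restart grafana
+
+- name: "grafana | Aktiviere Monit-Ueberwachung"
+ansible.builtin.copy:
+src: "{{ item }}.monit"
+dest: "/etc/monit/conf-enabled/{{ item }}"
+mode: 0644
+notify: reload monit
+loop:
+- grafana
+- influxdb
+
+- name: "grafana | fail2ban-Konfiguration kopieren"
+ansible.builtin.copy:
+src: "fail2ban/{{ item.src }}"
+dest: "/etc/fail2ban/{{ item.dest }}"
+mode: 0644
+loop:
+- src: jail.conf
+dest: jail.d/grafana.conf
+- src: filter.conf
+dest: filter.d/grafana.conf
+notify: reload fail2ban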
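Review bot: The first task writes `/etc/grafana/grafana.ini`, which contains the database password, with `mode: 0640` but without `owner` or `group`, so who can read the secret depends on what was on disk before the run. Stating `owner: root` and `group: grafana` (the service group, to be confirmed on the target) makes the permission intent explicit and reviewable. Adding `diff: false` to that task keeps a `--diff` run from printing the rendered password to the terminal or to job logs. The modes in all three tasks are unquoted octal literals; `mode: "0640"` and `mode: "0644"` avoid any dependence on how YAML parses the number.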
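--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- import_tasks: packages.yml
+tags: packages
+
+- import_tasks: database.yml
+delegate_to: "{{ database_host }}"
+
+- import_tasks: grafana.yml
+tags: grafana
+
+- import_tasks: webserver.yml
+tags: webserver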
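--- a/tasks/packages.yml
+++ b/tasks/packages.yml
@@ -0,0 +1,18 @@
+---
+- name: "packages | Fuege apt-key hinzu"
+ansible.builtin.apt_key:
+url: https://packages.grafana.com/gpg.key
+
+- name: "packages | Fuege deb-Repository hinzu"
+ansible.builtin.apt_repository:
+repo: deb https://packages.grafana.com/oss/deb stable main
+filename: grafana
+
+- name: "packages | Installiere Grafana"
+ansible.builtin.apt:
+name: grafana
+
+- name: "packages | Installiere chromium"
+ansible.builtin.apt:
+name: chromium
+install_recommends: false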
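Review bot: `ansible.builtin.apt_key` with only `url:` adds whatever key is served at that address to the global APT keyring, where it is trusted for every repository on the host, and nothing states which key is expected. Passing the expected fingerprint through the module's `id` parameter (`id: <grafana-key-fingerprint>`) lets the task notice an unexpected key. The stronger form is to store the key in its own file and scope it to this one repository with `repo: deb [signed-by=/usr/share/keyrings/grafana.asc] https://packages.grafana.com/oss/deb stable main`. `apt-key` is deprecated on current Debian releases, so the scoped form also ages better.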
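--- a/tasks/webserver.yml
+++ b/tasks/webserver.yml
@@ -0,0 +1,16 @@
+---
+- name: "webserver | Erzeuge Letsencrypt-Zertifikat"
+ansible.builtin.lineinfile:
+path: /etc/dehydrated/domains.txt
+line: "{{ grafana.domain }}"
+notify: get certificate
+
+- name: "webserver | Grafana-Seitenkonfigurationen kopieren"
+ansible.builtin.template:
+src: apache2-site.conf
+dest: "/etc/apache2/sites-available/{{ grafana.domain }}.conf"
+mode: 0644
+
+- name: "webserver | Grafana-Seitenkonfiguration aktivieren"
+ansible.builtin.command: "a2ensite {{ grafana.domain }}"
+notify: reload apache2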
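Review bot: The `a2ensite {{ grafana.domain }}` task has no `creates:` guard, so it reports changed and notifies `reload apache2` on every run; `args:` with `creates: "/etc/apache2/sites-enabled/{{ grafana.domain }}.conf"` makes it idempotent. Once that is in place, the template task above it needs its own `notify: reload apache2`, otherwise a later change to the vhost template is written but never loaded. The ordering also deserves a comment: the vhost references certificate files under `/var/lib/dehydrated/certs/` that only exist after the `get certificate` handler has run, so on a first deployment an Apache reload before that point would presumably fail the configuration check.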
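--- a/templates/apache2-site.conf
+++ b/templates/apache2-site.conf
@@ -0,0 +1,26 @@
+<VirtualHost *:80>
+ServerName {{ grafana.domain }}
+Redirect permanent / https://{{ grafana.domain }}/
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+ServerName {{ grafana.domain }}
+Protocols h2 http/1.1
+DocumentRoot /var/www/html
+IncludeOptional /etc/apache2/conf-available/add-headers.conf
+
+ErrorLog ${APACHE_LOG_DIR}/grafana.error.log
+#CustomLog ${APACHE_LOG_DIR}/grafana.access.log combined
+LogLevel Error
+
+SSLEngine On
+SSLCertificateFile /var/lib/dehydrated/certs/{{ grafana.domain }}/fullchain.pem
+SSLCertificateKeyFile /var/lib/dehydrated/certs/{{ grafana.domain }}/privkey.pem
+
+ProxyPreserveHost On
+ProxyPass /.well-known !
+ProxyPass / http://127.0.0.1:3000/
+ProxyPassReverse / http://127.0.0.1:3000/
+</VirtualHost>
+</IfModule>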
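Review bot: `IncludeOptional /etc/apache2/conf-available/add-headers.conf` is skipped without any message when that file is missing, and the file is not shipped by this role, so the vhost can come up without the response headers it is meant to add; a plain `Include` turns a missing file into a visible configuration error. The port-80 vhost redirects every path, including `/.well-known/`, so the `ProxyPass /.well-known !` exemption only applies on the 443 vhost, which itself needs a certificate before it can serve anything. If dehydrated validates over HTTP here, `RedirectMatch permanent ^/(?!\.well-known/)(.*)$ https://{{ grafana.domain }}/$1` keeps the challenge path on port 80. The TLS vhost is wrapped in `<IfModule mod_ssl.c>`, so with mod_ssl disabled it disappears without an error while port 80 still redirects to it.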
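--- a/templates/grafana.ini
+++ b/templates/grafana.ini
@@ -0,0 +1,27 @@
+# {{ ansible_managed }}
+
+[server]
+domain = {{ grafana.domain }}
+
+[database]
+type = mysql
+host = 127.0.0.1:3306
+name = {{ grafana_db }}
+user = {{ grafana_db_user }}
+password = {{ grafana_db_password }}
+
+[security]
+disable_gravatar = true
+cookie_secure = true
+cookie_samesite = strict
+strict_transport_security = true
+strict_transport_security_max_age_seconds = 86400
+strict_transport_security_preload = true
+strict_transport_security_subdomains = true
+x_content_type_options = true
+x_xss_protection = true
+content_security_policy = true
+content_security_policy_template = """script-src 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
+
+[auth.anonymous]
+enabled = false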
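Review bot: The `[server]` section sets only `domain`, so Grafana keeps its default listener on all interfaces, port 3000, and stays reachable over plain HTTP beside the Apache TLS proxy unless a firewall blocks it; `http_addr = 127.0.0.1` confines it to the proxy. Without `root_url = https://{{ grafana.domain }}/`, the links Grafana generates are built from its own protocol and port rather than the public HTTPS address. The README documents a first login with the stock admin credentials; setting `admin_password` in `[security]` from a generated secret means the instance is never online with a known password. `strict_transport_security_preload = true` is combined with a max-age of 86400 seconds, well below what browser preload lists require, so the preload flag has no practical effect as configured.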
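--- a/vars/main.yml
+++ b/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for roles/grafana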