

Update Grafana to version 11
Update Grafana to version 11 and switch from deprecated role `cloudalchemy.grafana` to the official Grafana role from the `grafana.grafana` collection. Update `usegalaxy_eu.grafana_matrix_forwarder`.

Instead of disabling firewalld on the Grafana host, open the nginx ports.
kysrpex committed Jun 17, 2024
1 parent b55a6df commit acc9b9a
Showing 5 changed files with 431 additions and 345 deletions.
106 changes: 74 additions & 32 deletions grafana.yml
@@ -1,54 +1,96 @@
---
- name: Grafana
hosts: grafana
become: true
vars:
hostname: stats.galaxyproject.eu
vars_files:
- group_vars/grafana-gitter-bridge.yml
- secret_group_vars/all.yml
# This shouldn't be necessary? but if certs fail, then do this. This is
# *supposed* to be properly handled by the nginx role, but the permission
# change is likely only applied if a change is detected since it can't figure
# out if the rule is there or not.
# TODO: make the nginx task check if the rule is in place, rather than a change in path.
# pre_tasks:
# - name: Put SELinux in permissive mode, logging actions that would be blocked.
# selinux:
# policy: targeted
# state: permissive
pre_tasks:
#- name: Put SELinux in permissive mode, logging actions that would be blocked.
# # Putting SELinux in permissive mode should not be necessary. But if
# # certs fail, then do it. It is supposed to be properly handled by
# # the `galaxyproject.nginx` role, but the permission change is likely
# # only applied if a change is detected since it can't figure out if
# # the rule is there or not.
# # TODO: make the nginx task check if the rule is in place, rather than a change in path.
# become: true
# ansible.posix.selinux:
# policy: targeted
# state: permissive
- name: Set default version of Python
alternatives:
become: true
community.general.alternatives:
name: python
path: /usr/bin/python3
- name: Install Dependencies
package:
become: true
ansible.builtin.package:
name: ['python3-virtualenv']
- name: Ensure git is installed. (hxr.monitor-ssl)
become: true
- name: Disable firewalld service
ansible.builtin.service:
name: firewalld
enabled: false
state: stopped
ansible.builtin.package:
name:
- git
collections:
- devsec.hardening
- grafana.grafana
roles:
## Starting configuration of the operating system
- role: usegalaxy_eu.handy.os_setup
become: true
vars:
hostname: "{{ grafana_domain }}"
enable_hostname: true
enable_powertools: true # geerlingguy.repo-epel role doesn't enable PowerTools repository
- geerlingguy.repo-epel # Install EPEL repository
- usegalaxy-eu.autoupdates # keep all of our packages up to date
- influxdata.chrony # Keep our time in sync.
enable_powertools: true # geerlingguy.repo-epel role doesn't enable PowerTools repository
- role: geerlingguy.repo-epel # Install EPEL repository
become: true
- role: usegalaxy-eu.autoupdates # keep all of our packages up to date
become: true
vars:
hostname: "{{ grafana_domain }}"
- influxdata.chrony # Keep our time in sync.

## Monitoring
- hxr.monitor-ssl
- hxr.monitor-email
- dj-wasabi.telegraf
- role: hxr.monitor-ssl
become: true
- role: hxr.monitor-email
become: true

- galaxyproject.nginx
- cloudalchemy.grafana
- pgs
- hxr.grafana-gitter-bridge
## Grafana
- role: galaxyproject.nginx
become: true
- grafana
- role: pgs
become: true
- role: hxr.grafana-gitter-bridge
become: true
- usegalaxy_eu.grafana_matrix_forwarder
- dj-wasabi.telegraf

post_tasks:
# The `[unified_alerting]` section of grafana.ini is not populated by the
# `grafana.grafana.grafana` role yet. It will be when PR [1] is merged. In
# the meantime, it is populated with this post-task.
#
# References:
# - [1] https://github.com/grafana/grafana-ansible-collection/pull/215
- name: Write Grafana unified alerting settings to grafana.ini (grafana.grafana.grafana)
become: true
community.general.ini_file:
path: /etc/grafana/grafana.ini
section: unified_alerting
option: "{{ item.key }}"
value: "{{ item.value }}"
state: present
owner: "root" # copied from `grafana.grafana.grafana` v5.2.0
group: "grafana" # copied from `grafana.grafana.grafana` v5.2.0
mode: "0640" # copied from `grafana.grafana.grafana` v5.2.0
loop: "{{ grafana_unified_alerting | default({}) | dict2items }}"

- name: Open nginx ports
become: true
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true
state: enabled
with_items:
- 80/tcp
- 443/tcp
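Review bot: The `Open nginx ports` post-task sets `permanent: true` without `immediate: true`, so the rules are written to the permanent firewalld configuration only and a running firewall keeps blocking 80/tcp and 443/tcp until firewalld is reloaded or the host reboots. Add `immediate: true` to the `ansible.posix.firewalld` arguments. The commit also removes the `Disable firewalld service` task without adding one that enables and starts firewalld, so on a host where the earlier playbook already stopped the service the firewall presumably stays off. A pre-task using `ansible.builtin.service` with `name: firewalld`, `enabled: true` and `state: started` would make the intended state explicit.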
4 changes: 0 additions & 4 deletions group_vars/grafana-gitter-bridge.yml

This file was deleted.

48 changes: 39 additions & 9 deletions group_vars/grafana.yml
Expand Up @@ -35,13 +35,10 @@ nginx_conf_ssl_certificate: /etc/ssl/certs/fullchain.pem
nginx_conf_ssl_certificate_key: /etc/ssl/user/privkey-nginx.pem

# Grafana
grafana_data_dir: /data/monitoring/grafana_data
grafana_instance: "{{ hostname }}"
grafana_version: 11.0.0

grafana_address: "127.0.0.1"
grafana_url: "https://stats.galaxyproject.eu"
grafana_server:
domain: "{{ hostname }}"
root_url: "https://%(domain)s/"
grafana_url: "https://{{ grafana_domain }}"

grafana_users:
default_theme: "light"
Expand Down Expand Up @@ -72,14 +69,36 @@ grafana_auth:
grafana_image_storage:
provider: local

grafana_environment:
GF_PANELS_DISABLE_SANITIZE_HTML: 'true'
grafana_panels:
disable_sanitize_html: "true"

# This setting is not yet used by the role `grafana.grafana.grafana`. It will
# be when PR [1] is merged.
#
# References:
# - [1] https://github.com/grafana/grafana-ansible-collection/pull/215
grafana_unified_alerting:
enabled: "true"
execute_alerts: "true"

# Legacy alerting was removed in Grafana 11 [1]. However, the Ansible role
# `grafana.grafana.grafana` still populates the [alerting] section [2] unless
# `grafana_alerting` is empty. The setting can be removed from this file as
# soon as PR [3] is merged.
#
# References:
# - [1] https://grafana.com/blog/2024/04/04/legacy-alerting-removal-what-you-need-to-know-about-upgrading-to-grafana-alerting/
# - [2] https://github.com/grafana/grafana-ansible-collection/blob/2e7fd0591d8ad1700186174213b8142047525b88/roles/grafana/templates/grafana.ini.j2#L116-L127
# - [3] https://github.com/grafana/grafana-ansible-collection/pull/215
grafana_alerting: {}

grafana_plugins:
- grafana-worldmap-panel
- grafana-piechart-panel
- natel-discrete-panel

grafana_dashboards_dir: "files/grafana"

grafana_datasources:
- name: Galaxy
type: influxdb
Expand Down Expand Up @@ -219,4 +238,15 @@ galaxy_nagios_urls:
url: "https://usegalaxy.eu/phinch/index.html"
code: 200

matrix_forwarder_resolve_mode: reaction

# Grafana Gitter Bridge
ggb_create_user: true
ggb_create_group: true

# Grafana Matrix Forwarder
grafana_matrix_forwarder_version: "0.6.0"
grafana_matrix_forwarder_user: centos
grafana_matrix_forwarder_group: centos
grafana_matrix_forwarder_homeserver: https://matrix-client.matrix.org
grafana_matrix_forwarder_port: 6000
grafana_matrix_forwarder_resolve_mode: reaction
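Review bot: `grafana_panels.disable_sanitize_html: "true"` (second hunk) carries the old `GF_PANELS_DISABLE_SANITIZE_HTML` setting into the new role's variables without a comment. With sanitization off, any account allowed to edit a text panel can store markup that executes in other viewers' sessions. The `grafana_auth` block lies outside the visible hunks, so who holds edit rights cannot be judged from here. If no dashboard under `files/grafana` depends on raw HTML, drop the key; otherwise document it above the key, e.g. `# Required by <dashboard name>: text panels embed raw HTML; keep the Editor role restricted`.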
27 changes: 22 additions & 5 deletions requirements.yaml
Expand Up @@ -11,10 +11,29 @@ collections:
version: 1.9.0
source: https://galaxy.ansible.com
type: galaxy
- name: community.grafana
version: 1.2.1
- name: grafana.grafana
# This collection has dependencies
# (https://github.com/grafana/grafana-ansible-collection/blob/5.2.0/requirements.yml)
# that have not been defined as they should
# (https://docs.ansible.com/ansible/latest/dev_guide/developing_collections_shared.html#listing-collection-dependencies).
# Therefore, they have to be included in this file. @kysrpex opened an issue on the repository of the Grafana Ansible collection
# https://github.com/grafana/grafana-ansible-collection/issues/222
# notifying the developers of this issue.
version: 5.2.0
source: https://galaxy.ansible.com
type: galaxy
# - name: community.general # required by `grafana.grafana` (already specified above)
# source: https://github.com/ansible-collections/community.general.git
# version: 9.0.1
# type: git
- name: community.grafana # required by `grafana.grafana`
source: https://github.com/ansible-collections/community.grafana.git
version: 2.0.0
type: git
- name: ansible.posix # required by `grafana.grafana`
source: https://github.com/ansible-collections/ansible.posix.git
version: 1.5.2
type: git
- name: community.rabbitmq
version: 1.1.0
source: https://galaxy.ansible.com
Expand Down Expand Up @@ -82,8 +101,6 @@ roles:
- name: usegalaxy-eu.dynmotd
src: https://github.com/usegalaxy-eu/ansible-dynmotd
version: 0.0.1
- name: cloudalchemy.grafana
version: 0.16.2
- name: galaxyproject.tiaas2
version: 2.1.3
- name: usegalaxy-eu.autoupdates
Expand Down Expand Up @@ -130,7 +147,7 @@ roles:
- name: usegalaxy_eu.tpv_auto_lint
version: 0.2.1
- name: usegalaxy_eu.grafana_matrix_forwarder
version: 1.0.0
version: 2.0.0
- name: geerlingguy.redis
version: 1.8.0
- name: artis3n.tailscale
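Review bot: The two collections added with `type: git` in the first hunk (`community.grafana` at `2.0.0`, `ansible.posix` at `1.5.2`) are pinned to tag names, which are mutable refs in the upstream repositories, so a moved tag would change what the next `ansible-galaxy` install fetches. For git sources `version` also accepts a commit hash, so pinning each entry to the commit its tag currently points to, e.g. `version: <commit-sha-of-2.0.0>  # 2.0.0`, keeps the install reproducible. Alternatively, install both with `source: https://galaxy.ansible.com` and `type: galaxy` like the neighbouring entries.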
