feat(services): sandboxed grafana installation

tgragnato · May 4, 2024 · 559abfb · 559abfb
1 parent 0f24dd3
commit 559abfb
Show file tree

Hide file tree

Showing 10 changed files with 148 additions and 9 deletions.
diff --git a/.gitignore b/.gitignore
@@ -7,4 +7,5 @@ cmd/nfguard/nfguard
 roles/firewall/files/client
 roles/firewall/files/snowflake
 roles/services/files/magneticod
-roles/services/files/magneticow
+roles/services/files/magneticow
+roles/services/files/grafana*
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-all: dnsd nfguard snowflake client magnetico
+all: dnsd nfguard snowflake client magnetico grafana
 	ansible-playbook --ask-vault-password -i inventory.yaml playbook.yaml
 
 clean:
@@ -40,3 +40,8 @@ magneticow: roles/services/files/magneticow
 
 roles/services/files/magneticow:
 	GOOS=linux GOARCH=amd64 go build -C magnetico/cmd/magneticow --tags fts5 -o ../../../roles/services/files/magneticow
+
+grafana: roles/services/files/grafana-10.4.2.linux-amd64.tar.gz
+
+roles/services/files/grafana-10.4.2.linux-amd64.tar.gz:
+	curl https://dl.grafana.com/oss/release/grafana-10.4.2.linux-amd64.tar.gz -o roles/services/files/grafana-10.4.2.linux-amd64.tar.gz
diff --git a/roles/services/handlers/main.yml b/roles/services/handlers/main.yml
@@ -18,3 +18,10 @@
     name: magneticow.service
     state: restarted
   listen: restart magneticow
+
+- name: Restart grafana
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: grafana.service
+    state: restarted
+  listen: restart grafana
diff --git a/roles/services/tasks/grafana.yml b/roles/services/tasks/grafana.yml
@@ -0,0 +1,45 @@
+---
+
+- name: Check if folder exist for grafana
+  ansible.builtin.stat:
+    path: "{{ grafana_folder }}"
+  register: grafana_installed
+  tags: grafana
+
+- name: Extract the standalone archive
+  ansible.builtin.unarchive:
+    src: "grafana-{{ grafana_version }}.linux-amd64.tar.gz"
+    dest: "{{ local_folder }}"
+    remote_src: false
+  when: not grafana_installed.stat.exists
+  tags: grafana
+
+- name: Setup grafana
+  ansible.builtin.template:
+    src: grafana.ini.j2
+    dest: "{{ grafana_folder }}/conf/grafana.ini"
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - restart grafana
+  tags: grafana
+
+- name: Setup the grafana systemd service
+  ansible.builtin.template:
+    src: grafana.service.j2
+    dest: "{{ systemd_system }}/grafana.service"
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - restart grafana
+  tags: grafana
+
+- name: Enable and start grafana
+  ansible.builtin.systemd:
+    name: grafana.service
+    state: started
+    enabled: true
+    masked: false
+  tags: grafana
diff --git a/roles/services/tasks/magnetico.yml b/roles/services/tasks/magnetico.yml
@@ -3,7 +3,7 @@
 - name: Install magneticod
   ansible.builtin.copy:
     src: magneticod
-    dest: /usr/local/bin/magneticod
+    dest: "{{ magneticod_path }}"
     owner: daemon
     group: daemon
     mode: '0500'
@@ -31,7 +31,7 @@
 - name: Install magneticow
   ansible.builtin.copy:
     src: magneticow
-    dest: /usr/local/bin/magneticow
+    dest: "{{ magneticow_path }}"
     owner: nobody
     group: nogroup
     mode: '0500'

diff --git a/roles/services/tasks/main.yml b/roles/services/tasks/main.yml
@@ -8,3 +8,6 @@
 
 - name: Install magnetico
   ansible.builtin.import_tasks: magnetico.yml
+
+- name: Install grafana
+  ansible.builtin.import_tasks: grafana.yml
diff --git a/roles/services/tasks/postgresql.yml b/roles/services/tasks/postgresql.yml
@@ -27,6 +27,7 @@
   become_user: "{{ postgresql_socketuser }}"
   loop:
     - { username: "magnetico", password: "magnetico" }
+    - { username: "grafana", password: "grafana" }
   tags: postgresql
 
 - name: Ensure specified PostgreSQL databases are present
@@ -42,6 +43,7 @@
   become_user: "{{ postgresql_socketuser }}"
   loop:
     - { name: "magnetico", owner: "magnetico" }
+    - { name: "grafana", owner: "grafana" }
   tags: postgresql
 
 - name: Ensure specified PostgreSQL extensions are loaded

diff --git a/roles/services/templates/grafana.ini.j2 b/roles/services/templates/grafana.ini.j2
@@ -0,0 +1,27 @@
+[paths]
+data = /tmp
+temp_data_lifetime = 1h
+logs = /var/log
+
+[server]
+protocol = https
+min_tls_version = TLS1.3
+http_addr = [{{ wg0_ipv6 }}]
+http_port = 3000
+
+[database]
+type = postgres
+host = [::1]:5432
+name = grafana
+user = grafana
+password = grafana
+
+[remote_cache]
+type = database
+
+[security]
+admin_user = grafana
+admin_password = grafana
+
+[plugins]
+plugin_admin_enabled = false
diff --git a/roles/services/templates/grafana.service.j2 b/roles/services/templates/grafana.service.j2
@@ -0,0 +1,46 @@
+[Unit]
+Description=Grafana instance
+Documentation=http://docs.grafana.org
+Wants=network-online.target
+After=network-online.target
+After=postgresql.service
+
+[Service]
+AmbientCapabilities=
+CapabilityBoundingSet=
+DevicePolicy=closed
+ExecStart={{ grafana_folder }}/bin/grafana server --config={{ grafana_folder }}/conf/grafana.ini
+Group=nogroup
+LimitNOFILE=32768
+LockPersonality=true
+MemoryDenyWriteExecute=false
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+Restart=on-failure
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+TimeoutStopSec=20
+Type=simple
+UMask=0027
+User=nobody
+WorkingDirectory={{ grafana_folder }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vars.yaml b/vars.yaml
@@ -4,6 +4,7 @@ debian_security: https://deb.debian.org/debian-security
 systemd_prefix: /etc/systemd
 systemd_system: "{{ systemd_prefix }}/system"
 systemd_network: "{{ systemd_prefix }}/network"
+local_folder: /usr/local
 ntp_servers: ntp1.inrim.it ntp2.inrim.it time.euro.apple.com time.asia.apple.com time.apple.com
 ntp_fallback: time.cloudflare.com ntp1.fortiguard.com ntp2.fortiguard.com ntp.checkpoint.com ntp2.checkpoint.com
 wg0_privatekey: !vault |
@@ -72,15 +73,17 @@ wgpeers:
           6366633337373065323835613839336665323339373561366263
     allowedips: 192.168.33.4/32, fd5d:2ddd:f4a5::4/128
 client_path: /usr/bin/snowflake-client
-snowflake_path: /usr/local/bin/snowflake
-dnsd_path: /usr/local/bin/dnsd
-nfguard_path: /usr/local/bin/nfguard
+snowflake_path: "{{ local_folder }}/bin/snowflake"
+dnsd_path: "{{ local_folder }}/bin/dnsd"
+nfguard_path: "{{ local_folder }}/bin/nfguard"
 runner_arch: x64
 runner_version: "2.311.0"
 runner_workdir: /var/lib/runner
 runner_confdir: /etc/runners
 postgresql_socketdir: /var/run/postgresql/
 postgresql_version: 15
 postgresql_socketuser: postgres
-magneticod_path: /usr/local/bin/magneticod
-magneticow_path: /usr/local/bin/magneticow
+magneticod_path: "{{ local_folder }}/bin/magneticod"
+magneticow_path: "{{ local_folder }}/bin/magneticow"
+grafana_version: 10.4.2
+grafana_folder: "{{ local_folder }}/grafana-v{{ grafana_version }}"