diff --git a/.gitignore b/.gitignore
index bfad043..1d59e93 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,4 +7,5 @@ cmd/nfguard/nfguard
 roles/firewall/files/client
 roles/firewall/files/snowflake
 roles/services/files/magneticod
-roles/services/files/magneticow
\ No newline at end of file
+roles/services/files/magneticow
+roles/services/files/grafana*
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 537bdb1..ca44c6c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-all: dnsd nfguard snowflake client magnetico
+all: dnsd nfguard snowflake client magnetico grafana
 ansible-playbook --ask-vault-password -i inventory.yaml playbook.yaml
 clean:
@@ -40,3 +40,8 @@ magneticow: roles/services/files/magneticow
 roles/services/files/magneticow:
 GOOS=linux GOARCH=amd64 go build -C magnetico/cmd/magneticow --tags fts5 -o ../../../roles/services/files/magneticow
+
+grafana: roles/services/files/grafana-10.4.2.linux-amd64.tar.gz
+
+roles/services/files/grafana-10.4.2.linux-amd64.tar.gz:
+ curl https://dl.grafana.com/oss/release/grafana-10.4.2.linux-amd64.tar.gz -o roles/services/files/grafana-10.4.2.linux-amd64.tar.gz
diff --git a/roles/services/handlers/main.yml b/roles/services/handlers/main.yml
index 47cd21a..76a4bc4 100644
--- a/roles/services/handlers/main.yml
+++ b/roles/services/handlers/main.yml
@@ -18,3 +18,10 @@
 name: magneticow.service
 state: restarted
 listen: restart magneticow
+
+- name: Restart grafana
+ ansible.builtin.systemd:
+ daemon_reload: true
+ name: grafana.service
+ state: restarted
+ listen: restart grafana
diff --git a/roles/services/tasks/grafana.yml b/roles/services/tasks/grafana.yml
new file mode 100644
index 0000000..c311206
--- /dev/null
+++ b/roles/services/tasks/grafana.yml
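Review bot: The new `roles/services/files/grafana-10.4.2.linux-amd64.tar.gz` rule fetches the release tarball with a bare `curl ... -o`, so nothing checks what was downloaded before Ansible unpacks it onto the host (the unarchive task in grafana.yml does not verify it either), and without `--fail` an HTTP error body would be saved under the target name and satisfy the rule on every later run. Pin the expected digest and verify it before the target counts as built, e.g. `curl --fail --location -o roles/services/files/grafana-10.4.2.linux-amd64.tar.gz https://dl.grafana.com/oss/release/grafana-10.4.2.linux-amd64.tar.gz` followed by `echo "<SHA256_PLACEHOLDER>  roles/services/files/grafana-10.4.2.linux-amd64.tar.gz" | sha256sum --check`. The version is also written out literally here while vars.yaml defines `grafana_version: 10.4.2` and grafana.yml builds its `src:` name from that variable, so bumping one place silently breaks the other; a single `GRAFANA_VERSION` make variable used in the target and URL would keep them aligned.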
@@ -0,0 +1,45 @@
+---
+
+- name: Check if folder exist for grafana
+ ansible.builtin.stat:
+ path: "{{ grafana_folder }}"
+ register: grafana_installed
+ tags: grafana
+
+- name: Extract the standalone archive
+ ansible.builtin.unarchive:
+ src: "grafana-{{ grafana_version }}.linux-amd64.tar.gz"
+ dest: "{{ local_folder }}"
+ remote_src: false
+ when: not grafana_installed.stat.exists
+ tags: grafana
+
+- name: Setup grafana
+ ansible.builtin.template:
+ src: grafana.ini.j2
+ dest: "{{ grafana_folder }}/conf/grafana.ini"
+ owner: root
+ group: root
+ mode: '0644'
+ notify:
+ - restart grafana
+ tags: grafana
+
+- name: Setup the grafana systemd service
+ ansible.builtin.template:
+ src: grafana.service.j2
+ dest: "{{ systemd_system }}/grafana.service"
+ owner: root
+ group: root
+ mode: '0644'
+ notify:
+ - restart grafana
+ tags: grafana
+
+- name: Enable and start grafana
+ ansible.builtin.systemd:
+ name: grafana.service
+ state: started
+ enabled: true
+ masked: false
+ tags: grafana
diff --git a/roles/services/tasks/magnetico.yml b/roles/services/tasks/magnetico.yml
index 2e7b9e2..f7924fa 100644
--- a/roles/services/tasks/magnetico.yml
+++ b/roles/services/tasks/magnetico.yml
@@ -3,7 +3,7 @@
 - name: Install magneticod
 ansible.builtin.copy:
 src: magneticod
- dest: /usr/local/bin/magneticod
+ dest: "{{ magneticod_path }}"
 owner: daemon
 group: daemon
 mode: '0500'
@@ -31,7 +31,7 @@
 - name: Install magneticow
 ansible.builtin.copy:
 src: magneticow
- dest: /usr/local/bin/magneticow
+ dest: "{{ magneticow_path }}"
 owner: nobody
 group: nogroup
 mode: '0500'
diff --git a/roles/services/tasks/main.yml b/roles/services/tasks/main.yml
index e4a419b..ac16676 100644
--- a/roles/services/tasks/main.yml
+++ b/roles/services/tasks/main.yml
@@ -8,3 +8,6 @@
 - name: Install magnetico
 ansible.builtin.import_tasks: magnetico.yml
+
+- name: Install grafana
+ ansible.builtin.import_tasks: grafana.yml
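Review bot: The `Setup grafana` task installs `conf/grafana.ini` as `root:root` with `mode: '0644'`, but that file carries the PostgreSQL password and the admin password (see the grafana.ini.j2 hunk), so every local account on the host can read them. The unit template runs the service as `nobody:nogroup`, so `group: nogroup` together with `mode: '0640'` keeps the file readable by Grafana alone. The `Extract the standalone archive` step also unpacks whatever tarball is on the controller with no integrity check; if the Makefile pins a digest, keep that single source of truth and document it here, otherwise `ansible.builtin.unarchive` will happily install a corrupted or tampered archive. Minor: the first task name reads `folder exist` — `exists`.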
diff --git a/roles/services/tasks/postgresql.yml b/roles/services/tasks/postgresql.yml
index 83dbb3a..835fd70 100644
--- a/roles/services/tasks/postgresql.yml
+++ b/roles/services/tasks/postgresql.yml
@@ -27,6 +27,7 @@
 become_user: "{{ postgresql_socketuser }}"
 loop:
 - { username: "magnetico", password: "magnetico" }
+ - { username: "grafana", password: "grafana" }
 tags: postgresql
 - name: Ensure specified PostgreSQL databases are present
@@ -42,6 +43,7 @@
 become_user: "{{ postgresql_socketuser }}"
 loop:
 - { name: "magnetico", owner: "magnetico" }
+ - { name: "grafana", owner: "grafana" }
 tags: postgresql
 - name: Ensure specified PostgreSQL extensions are loaded
diff --git a/roles/services/templates/grafana.ini.j2 b/roles/services/templates/grafana.ini.j2
new file mode 100644
index 0000000..1a8ffd6
--- /dev/null
+++ b/roles/services/templates/grafana.ini.j2
@@ -0,0 +1,27 @@
+[paths]
+data = /tmp
+temp_data_lifetime = 1h
+logs = /var/log
+
+[server]
+protocol = https
+min_tls_version = TLS1.3
+http_addr = [{{ wg0_ipv6 }}]
+http_port = 3000
+
+[database]
+type = postgres
+host = [::1]:5432
+name = grafana
+user = grafana
+password = grafana
+
+[remote_cache]
+type = database
+
+[security]
+admin_user = grafana
+admin_password = grafana
+
+[plugins]
+plugin_admin_enabled = false
\ No newline at end of file
diff --git a/roles/services/templates/grafana.service.j2 b/roles/services/templates/grafana.service.j2
new file mode 100644
index 0000000..d5f55c4
--- /dev/null
+++ b/roles/services/templates/grafana.service.j2
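Review bot: `password = grafana` under `[database]` and `admin_password = grafana` under `[security]` are literal credentials committed in the template, and the postgresql.yml hunk above creates the `grafana` role with that same password, so both the database login and the Grafana admin account are known to anyone with repository access. vars.yaml already holds `!vault` values, so the consistent shape is vault-encrypted `grafana_db_password` and `grafana_admin_password` variables rendered here as `password = {{ grafana_db_password }}` / `admin_password = {{ grafana_admin_password }}` and reused by the `loop:` entry in postgresql.yml. `protocol = https` is set without `cert_file`/`cert_key` in `[server]`; as far as I recall Grafana will not serve HTTPS with those empty, so confirm the service actually starts or point them at a certificate. `data = /tmp` combined with `PrivateTmp=true` in the unit means plugins and rendered images are discarded on every restart; if that is intended, a one-line comment saying so would save the next reader a surprise.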
@@ -0,0 +1,46 @@
+[Unit]
+Description=Grafana instance
+Documentation=http://docs.grafana.org
+Wants=network-online.target
+After=network-online.target
+After=postgresql.service
+
+[Service]
+AmbientCapabilities=
+CapabilityBoundingSet=
+DevicePolicy=closed
+ExecStart={{ grafana_folder }}/bin/grafana server --config={{ grafana_folder }}/conf/grafana.ini
+Group=nogroup
+LimitNOFILE=32768
+LockPersonality=true
+MemoryDenyWriteExecute=false
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+Restart=on-failure
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+TimeoutStopSec=20
+Type=simple
+UMask=0027
+User=nobody
+WorkingDirectory={{ grafana_folder }}
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/vars.yaml b/vars.yaml
index 262bf70..be21fcd 100644
--- a/vars.yaml
+++ b/vars.yaml
@@ -4,6 +4,7 @@ debian_security: https://deb.debian.org/debian-security
 systemd_prefix: /etc/systemd
 systemd_system: "{{ systemd_prefix }}/system"
 systemd_network: "{{ systemd_prefix }}/network"
+local_folder: /usr/local
 ntp_servers: ntp1.inrim.it ntp2.inrim.it time.euro.apple.com time.asia.apple.com time.apple.com
 ntp_fallback: time.cloudflare.com ntp1.fortiguard.com ntp2.fortiguard.com ntp.checkpoint.com ntp2.checkpoint.com
 wg0_privatekey: !vault |
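Review bot: `ProtectSystem=strict` makes the whole filesystem read-only for this service, yet the ini template points `logs = /var/log` and the unit adds no `LogsDirectory=` or `ReadWritePaths=`, so Grafana has nowhere to create its log file (and as `User=nobody` it would normally lack write permission on `/var/log` even without the sandbox). `LogsDirectory=grafana` with `logs = /var/log/grafana` in the ini, and likewise `StateDirectory=grafana` with `data = /var/lib/grafana` instead of `/tmp`, gives the service writable, persistent directories that systemd creates and chowns for it without loosening the rest of the hardening. `User=nobody`/`Group=nogroup` is also the identity magneticow is installed under in magnetico.yml, so the two services share a uid and can inspect or signal each other's processes; `DynamicUser=true` would give Grafana its own transient uid while keeping every other directive here. `Documentation=http://docs.grafana.org` could use `https://` like the download URL in the Makefile.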
@@ -72,9 +73,9 @@ wgpeers:
 6366633337373065323835613839336665323339373561366263
 allowedips: 192.168.33.4/32, fd5d:2ddd:f4a5::4/128
 client_path: /usr/bin/snowflake-client
-snowflake_path: /usr/local/bin/snowflake
-dnsd_path: /usr/local/bin/dnsd
-nfguard_path: /usr/local/bin/nfguard
+snowflake_path: "{{ local_folder }}/bin/snowflake"
+dnsd_path: "{{ local_folder }}/bin/dnsd"
+nfguard_path: "{{ local_folder }}/bin/nfguard"
 runner_arch: x64
 runner_version: "2.311.0"
 runner_workdir: /var/lib/runner
@@ -82,5 +83,7 @@ runner_confdir: /etc/runners
 postgresql_socketdir: /var/run/postgresql/
 postgresql_version: 15
 postgresql_socketuser: postgres
-magneticod_path: /usr/local/bin/magneticod
-magneticow_path: /usr/local/bin/magneticow
+magneticod_path: "{{ local_folder }}/bin/magneticod"
+magneticow_path: "{{ local_folder }}/bin/magneticow"
+grafana_version: 10.4.2
+grafana_folder: "{{ local_folder }}/grafana-v{{ grafana_version }}"
\ No newline at end of file
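Review bot: `grafana_version: 10.4.2` is left unquoted while `runner_version: "2.311.0"` in the previous hunk is quoted; `10.4.2` happens to parse as a string, but a two-component value such as `11.0` would become a float and corrupt the path built in `grafana_folder`, so write it as `grafana_version: "10.4.2"` to match the file's convention. The value is also duplicated as a literal in the Makefile's download target, which is raised on that hunk.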