Ansible Role grafana

This role installs and configures Grafana.

Mandatory Requirements

Tags

Tag

What it does

grafana

Installs and configures Grafana

grafana:configure

Deploys the Grafana config files

grafana:plugins

Manages Grafana Plugins

grafana:provisioning

Deploys the Grafana provisioning config files

grafana:service_accounts

Creates Service Accounts and their tokens

Mandatory Role Variables

Variable

Description

grafana__admin_login

The Grafana admin account.

grafana__root_url

The root url on which Grafana is reachable.

Example:

# mandatory
grafana__admin_login:
  username: 'grafana-admin-user'
  password: 'linuxfabrik'
grafana__root_url: 'https://monitoring.example.com/grafana'

Optional Role Variables

Variable

Description

Default Value

grafana__allow_embedding

Whether to allow browsers to render Grafana in a <frame>, <iframe>, <embed> or <object>.

true

grafana__api_url

The url on which the Grafana API is reachable. This might differ from the grafana__root_url when running a Grafana cluster behind a loadbalancer.

'{{ grafana__root_url }}'

grafana__auth_anonymous_enabled

Whether to allow anonymous (passwordless) access or not. Possible options: true or false

false

grafana__auth_anonymous_org_name

The organization name that should be used for unauthenticated users.

'Main Org.'

grafana__auth_anonymous_org_role

The role for unauthenticated users.

'Viewer'

grafana__bitwarden_collection_id

Will be used to store the token of the created service accounts to this Bitwarden Collection. Can be obtained from the URL in Bitwarden WebGUI.

`‘{{ lfops__bitwarden_collection_id

grafana__bitwarden_organization_id

Will be used to store the token of the created service accounts to this Bitwarden Organization. Can be obtained from the URL in Bitwarden WebGUI.

`‘{{ lfops__bitwarden_organization_id

grafana__cookie_samesite

The SameSite cookie attribute. Possible options:
* disabled
* lax
* none
* strict

'lax'

grafana__https_config

Determines whether HTTPS is enabled or not. Subkeys:

  • cert_file: Mandatory, string. The path of the certificate file used for SSL encryption.
  • cert_key: Mandatory, string. The path of the certificate key file used for SSL encryption.

unset

grafana__ldap_config

The configuration to use a LDAP user base for logging into Grafana. More information can be found here. Subkeys:

  • host: Optional, string. Defaults to 127.0.0.1. The host on which the LDAP server is accessible. Specify multiple hosts space separated.
  • port: Optional, integer. Defaults to 389. The port on which the LDAP server is accessible.
  • use_ssl: Optional, boolean. Defaults to false. If an encrypted TLS connection should be used.
  • ssl_skip_verify: Optional, boolean. Defaults to false. If the ssl cert validation should be skipped.
  • bind_dn: Mandatory, string. The distinguished name of the account which should be used to login to the LDAP server.
  • bind_password: Mandatory, string. The password of the account which should be used to login to the LDAP server.
  • search_base_dns: Mandatory, list. List of base dns to search through for users.
  • search_filter: Mandatory, string. A LDAP user filter expression.
  • group_search_base_dns: Optional, list. Defaults to unset. List of base dns to search through for groups.
  • group_search_filter_user_attribute: Optional, list. Defaults to unset. The %s in the search filter will be replaced by this.
  • group_search_filter: Optional, string. Defaults to unset. A LDAP filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).
  • admin_group_dn: Optional, string. Defaults to unset. The distinguished name of the LDAP group that should be Grafana admins.
  • editor_group_dn: Optional, string. Defaults to unset. The distinguished name of the LDAP group that should be Grafana editors.
  • viewer_group_dn: Optional, string. Defaults to unset. The distinguished name of the LDAP group that should be Grafana viewers.
  • email: Optional, string. Defaults to email. Email attribute in the LDAP directory.
  • username: Optional, string. Defaults to cn. Username attribute in the LDAP directory.

unset

grafana__plugins__group_var/
grafana__plugins__host_var

List of dictionaries containing Grafana plugins. Subkeys:

  • name: Mandatory, string. Name of the plugin. Can be found using grafana-cli plugins list-remote.
  • state: Optional, string. Either present or absent. Defaults to present.

For the usage in host_vars / group_vars (can only be used in one group at a time).

[]

grafana__provisioning_dashboards__group_var/
grafana__provisioning_dashboards__host_var

List of dictionaries containing the dashboards to deploy via provisioning. Subkeys:


For the usage in host_vars / group_vars (can only be used in one group at a time).

[]

grafana__provisioning_datasources__group_var /
grafana__provisioning_datasources__host_var

List of dictionaries containing the datasources to deploy via provisioning. Subkeys:


For the usage in host_vars / group_vars (can only be used in one group at a time).

[]

grafana__provisioning_service_accounts__group_var /
grafana__provisioning_service_accounts__host_var

List of dictionaries containing service accounts to create. It automatically creates a token for the service account, with the same role as the service account itself. Beware that the token is only displayed once during the Ansible run, or optionally saved to Bitwarden. Subkeys:

  • name: Mandatory, string. Name of the service account.
  • role: Optional, string. Role of the service account. Possible options: 'Admin', 'Editor' or 'Viewer'. Defaults to 'Viewer'
  • state: Optional, string. Either present or absent. Defaults to present.

For the usage in host_vars / group_vars (can only be used in one group at a time).

[]

grafana__serve_from_sub_path

Bool. Whether Grafana itself should run on a subpath or not. Only effective if there is a subpath in grafana__root_url

true

grafana__service_enabled

Bool. Enables or disables the service, analogous to systemctl enable/disable --now.

true

grafana__skip_token_to_bitwarden

Skip the storing of the service account tokens to Bitwarden.

false

grafana__smtp_config

Email server settings. More information can be found here: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#smtp. Subkeys:
* host: Optional, string. Defaults to localhost:25. The host and port on which the SMTP server is accessible.
* user: Optional, string. Defaults to unset. The user, in case of SMTP auth.
* password: Optional, string. Defaults to unset. The password, in case of SMTP auth.
* cert_file: Optional, string. Defaults to unset. File path to a cert file.
* key_file: Optional, string. Defaults to unset. File path to a key file.
* skip_verify: Optional, string. Defaults to false.If the ssl cert validation should be skipped.
* from_name: Optional, string. Defaults to Grafana. Name to be used when sending out emails.
* from_address: Optional, string. Defaults to admin@grafana.localhost. Address used when sending out emails.

unset

grafana__users_case_insensitive_login

Have a look at https://grafana.com/blog/2022/12/12/guide-to-using-the-new-grafana-cli-user-identity-conflict-tool-in-grafana-9.3

unset

grafana__validate_certs

If set to false, the role will not validate SSL certificates when connecting to Grafana via grafana__root_url. This is useful when using self-signed certificates.

true

Example:

# optional
grafana__allow_embedding: true
grafana__api_url: 'https://grafana01.example.com/grafana'
grafana__auth_anonymous_enabled: false
grafana__auth_anonymous_org_name: 'Main Org.'
grafana__auth_anonymous_org_role: 'Viewer'
grafana__cookie_samesite: 'lax'
grafana__https_config:
  cert_file: '/etc/ssl/ssl-certificate.crt'
  cert_key: '/etc/ssl/ssl-certificate.key'
grafana__ldap_config:
  username: 'uid'
  bind_dn: 'uid=freeipa-reader,cn=sysaccounts,cn=etc,dc=example,dc=com'
  bind_password: 'linuxfabrik'
  editor_group_dn: 'cn=monitoring,cn=groups,cn=accounts,dc=example,dc=com'
  host: 'ldap.example.com'
  port: 389
  search_base_dns:
    - 'cn=users,cn=accounts,dc=example,dc=com'
  search_filter: '(uid=%s)' # or for example: '(cn=%s)' or '(sAMAccountName=%s)'
  viewer_group_dn: '*'
grafana__plugins__group_var: []
grafana__plugins__host_var:
  - name: 'yesoreyeram-infinity-datasource'
grafana__provisioning_dashboards__group_var: []
grafana__provisioning_dashboards__host_var:
  - name: 'linuxfabrik-monitoring-plugins'
    orgId: 1
    folder: 'Linuxfabrik Monitoring Plugins'
    folderUid: 'linuxfabrik-monitoring-plugins'
    type: 'file'
    disableDeletion: false
    editable: false
    updateIntervalSeconds: 60
    options:
      path: '/var/lib/grafana/dashboards/linuxfabrik-monitoring-plugins'
grafana__provisioning_datasources__group_var: []
grafana__provisioning_datasources__host_var:
  - name: 'InfluxDB'
    type: 'influxdb'
    access: 'proxy'
    orgId: 1
    url: 'http://{{ icinga2_master__influxdb_host }}:8086'
    user: '{{ icinga2_master__influxdb_login["username"] }}'
    database: '{{ icinga2_master__influxdb_database_name }}'
    isDefault: true
    jsonData:
       timeInterval: '1m'
       tlsAuth: false
       tlsAuthWithCACert: false
    secureJsonData:
      password: '{{ icinga2_master__influxdb_login["password"] }}'
    version: 1
    editable: false
  - name: 'icinga_director'
    type: 'mysql'
    access: 'proxy'
    orgId: 1
    url: '{{ icingaweb2_module_director__database_host }}:3306'
    user: '{{ icingaweb2_module_director__database_login["username"] }}'
    database: '{{ icingaweb2_module_director__database_name }}'
    isDefault: false
    secureJsonData:
      password: '{{ icingaweb2_module_director__database_login["password"] }}'
    version: 1
    editable: false
grafana__provisioning_service_accounts__group_var: []
grafana__provisioning_service_accounts__host_var:
  - name: 'grizzly'
    role: 'Admin'
grafana__serve_from_sub_path: false
grafana__service_enabled: true
grafana__skip_token_to_bitwarden: true
grafana__smtp_config:
  host: 'mail.example.com:25'
  user: 'smtp-user'
  password: 'linuxfabrik'
  from_address: 'grafana@example.com'
grafana__users_case_insensitive_login: false
grafana__validate_certs: true

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich