Refactoring

- moved inventory
- add some variables
- split files and templates
- added role grafana
- add a play 'all'
This commit is contained in:
Darks 2020-09-10 21:56:13 +02:00
parent 065b5d42a8
commit 5a211c975a
Signed by: Darks
GPG Key ID: F61F10FA138E797C
22 changed files with 612 additions and 51 deletions


@ -16,28 +16,23 @@ Usually, it looks like this:
```
# Dummy try with --check
ansible-playbook -i inventory.yml role.yml -v --diff --check --ask-become-pass
ansible-playbook -i inventory/main.yml role.yml -vv --diff --check --ask-become-pass
# Real try
ansible-playbook -i inventory.yml role.yml -v --ask-become-pass
ansible-playbook -i inventory/main.yml role.yml -v --ask-become-pass
```
The file `inventory.yml` already contains an host: the main VPS, `aperture-labs`.
The file `inventory/main.yml` already contains an host: the main VPS, `aperture-labs`.
See [Configuration](#Configuration) to add the host to your SSH config.
## Existing roles
## Variables
### Nginx
Variables are defined in `inventory/host_vars/aperture-labs.yml`.
They can be overriden, see [the documentation](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable).
**Update the nginx configuration, reload the service**
They may be mandatory for execution of roles.
| Variable name | Mandatory | Comment |
|------------------|-----------|----------------------------------------------|
| sites_enabled | yes | List of sites to enable from sites-available |
### Uwsgi
**Update the uwsgi configuration, restart the service**
| Variable name | Mandatory | Comment |
|------------------|-----------|----------------------------------------------|
| environments | yes | List of environments to restart |
| Variable name | Comment |
|------------------|----------------------------------------------|
| sites_enabled | List of sites to enable from sites-available |
| proxy_ports | List of ports to use with proxy_pass |
| allowed_users | List of users allowed to login through SSH |

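--- /dev/null
+++ b/all.yml
@@ -0,0 +1,13 @@
+---
+- name: Run all roles
+hosts: all
+become: yes
+become_user: root
+become_method: sudo
+roles:
+- grafana
+- iptables
+- nginx
+- ssh
+- uwsgi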


@ -1,3 +1,19 @@
---
sites_enabled:
- "000-default"
- "bible"
- "creativecalc"
- "gitea"
- "grafana"
- "mumbleweb"
- "p7"
- "pc-dev"
proxy_ports:
grafana: 3000
gitea: 3001
mumbleweb: 64737
allowed_users:
- "breizh"
- "cake"


@ -1 +1,2 @@
[vps]
aperture-labs # Add an entry in your ~/.ssh/config

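--- /dev/null
+++ b/monitoring.yml
@@ -0,0 +1,12 @@
+---
+- name: Update monitoring configuration
+hosts: all
+become: yes
+become_user: root
+become_method: sudo
+roles:
+- grafana
+- telegraf
+- influxdb
+- goaccess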
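Review bot: `monitoring.yml` lists `telegraf`, `influxdb` and `goaccess` roles, but the commit description only mentions adding a `grafana` role and no tasks for the other three appear among the changed files shown here; if those roles are not present in the repository, the play aborts at role resolution before running anything. Either add them with this change or trim the list to the roles that exist, and a short comment on the play such as `# telegraf/influxdb/goaccess roles still to be written` would make the intent clear to the next reader.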


@ -0,0 +1,17 @@
---
- name: "Install Grafana"
pacman:
name: "grafana"
state: present
- name: "Copy ini file"
template:
src: 'grafana.ini'
dest: '/etc/'
owner: 'grafana'
mode: 0644
- name: "Restarting grafana"
service:
name: "grafana"
state: restarted
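Review bot: `mode: 0644` on the `Copy ini file` task leaves the rendered `/etc/grafana.ini` world-readable, yet this is exactly the file where `secret_key`, `admin_password`, database and SMTP passwords would end up once they are set; tighten it to `group: 'grafana'` and `mode: 0640` so only the service account can read it. The `Restarting grafana` task also restarts the service on every run, whether or not the template changed; turning it into a handler triggered by `notify: Restart grafana` on the template task avoids needless restarts. The `dest: '/etc/'` target presumably relies on the Arch package reading `/etc/grafana.ini`; a comment such as `# Arch package reads /etc/grafana.ini` next to it would save the next reader a lookup.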


@ -0,0 +1,517 @@
##################### Grafana Configuration Example #####################
#
# Everything has defaults so you only need to uncomment things you want to
# change
# possible values : production, development
;app_mode = production
# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
;instance_name = ${HOSTNAME}
#################################### Paths ####################################
[paths]
# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
;data = /var/lib/grafana
# Temporary files in `data` directory older than given duration will be removed
;temp_data_lifetime = 24h
# Directory where grafana can store logs
;logs = /var/log/grafana
# Directory where grafana will automatically scan and look for plugins
;plugins = /var/lib/grafana/plugins
# folder that contains provisioning config files that grafana will apply on startup and while running.
;provisioning = conf/provisioning
#################################### Server ####################################
[server]
# Protocol (http, https, socket)
;protocol = http
# The ip address to bind to, empty will bind to all interfaces
http_addr = 127.0.0.1
# The http port to use
http_port = {{ proxy_ports.grafana | mandatory }}
# The public facing domain name used to access grafana from a browser
domain = grafana.planet-casio.com
# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://grafana.planet-casio.com
# Log web requests
;router_logging = false
# the path relative working path
;static_root_path = public
# enable gzip
;enable_gzip = false
# https certs & key file
;cert_file =
;cert_key =
# Unix socket path
;socket =
#################################### Database ####################################
[database]
# You can configure the database connection by specifying type, host, name, user and password
# as separate properties or as on string using the url properties.
# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = sqlite3
;host = 127.0.0.1:3306
;name = grafana
;user = root
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
;password =
# Use either URL or the previous fields to configure the database
# Example: mysql://user:secret@host:port/database
;url =
# For "postgres" only, either "disable", "require" or "verify-full"
;ssl_mode = disable
# For "sqlite3" only, path relative to data_path setting
;path = grafana.db
# Max idle conn setting default is 2
;max_idle_conn = 2
# Max conn setting default is 0 (mean not set)
;max_open_conn =
# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
;conn_max_lifetime = 14400
# Set to true to log the sql calls and execution times.
log_queries =
# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
;cache_mode = private
#################################### Session ####################################
[session]
# Either "memory", "file", "redis", "mysql", "postgres", default is "file"
;provider = file
# Provider config options
# memory: not have any config yet
# file: session dir path, is relative to grafana data_path
# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
# mysql: go-sql-driver/mysql dsn config string, e.g. `user:password@tcp(127.0.0.1:3306)/database_name`
# postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable
;provider_config = sessions
# Session cookie name
;cookie_name = grafana_sess
# If you use session in https only, default is false
cookie_secure = true
# Session life time, default is 86400
;session_life_time = 86400
#################################### Data proxy ###########################
[dataproxy]
# This enables data proxy logging, default is false
;logging = false
# How long the data proxy should wait before timing out default is 30 (seconds)
;timeout = 30
#################################### Analytics ####################################
[analytics]
# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
# No ip addresses are being tracked, only simple counters to track
# running instances, dashboard and error counts. It is very helpful to us.
# Change this option to false to disable reporting.
;reporting_enabled = true
# Set to false to disable all checks to https://grafana.net
# for new vesions (grafana itself and plugins), check is used
# in some UI views to notify that grafana or plugin update exists
# This option does not cause any auto updates, nor send any information
# only a GET request to http://grafana.com to get latest versions
;check_for_updates = true
# Google Analytics universal tracking code, only enabled if you specify an id here
;google_analytics_ua_id =
# Google Tag Manager ID, only enabled if you specify an id here
;google_tag_manager_id =
#################################### Security ####################################
[security]
# default admin user, created on startup
; admin_user = admin
# default admin password, can be changed before first start of grafana, or in profile settings
;admin_password = admin
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
# disable gravatar profile images
;disable_gravatar = false
# data source proxy whitelist (ip_or_domain:port separated by spaces)
;data_source_proxy_whitelist =
# disable protection against brute force login attempts
;disable_brute_force_login_protection = false
# set to true if you host Grafana behind HTTPS. default is false.
cookie_secure = true
# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict" and "none"
;cookie_samesite = lax
#################################### Snapshots ###########################
[snapshots]
# snapshot sharing options
;external_enabled = true
;external_snapshot_url = https://snapshots-origin.raintank.io
;external_snapshot_name = Publish to snapshot.raintank.io
# remove expired snapshot
;snapshot_remove_expired = true
#################################### Dashboards History ##################
[dashboards]
# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
;versions_to_keep = 20
#################################### Users ###############################
[users]
# disable user signup / registration
;allow_sign_up = true
# Allow non admin users to create organizations
;allow_org_create = true
# Set to true to automatically assign new users to the default organization (id 1)
;auto_assign_org = true
# Default role new users will be automatically assigned (if disabled above is set to true)
;auto_assign_org_role = Viewer
# Background text for the user field on the login page
;login_hint = email or username
# Default UI theme ("dark" or "light")
;default_theme = dark
# External user management, these options affect the organization users view
;external_manage_link_url =
;external_manage_link_name =
;external_manage_info =
# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
;viewers_can_edit = false
[auth]
# Login cookie name
;login_cookie_name = grafana_session
# The lifetime (days) an authenticated user can be inactive before being required to login at next visit. Default is 7 days,
;login_maximum_inactive_lifetime_days = 7
# The maximum lifetime (days) an authenticated user can be logged in since login time before being required to login. Default is 30 days.
;login_maximum_lifetime_days = 30
# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
;token_rotation_interval_minutes = 10
# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
;disable_login_form = false
# Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
;disable_signout_menu = false
# URL to redirect the user to after sign out
;signout_redirect_url =
# Set to true to attempt login with OAuth automatically, skipping the login screen.
# This setting is ignored if multiple OAuth providers are configured.
;oauth_auto_login = false
#################################### Anonymous Auth ######################
[auth.anonymous]
# enable anonymous access
;enabled = false
# specify organization name that should be used for unauthenticated users
;org_name = Main Org.
# specify role for unauthenticated users
;org_role = Viewer
#################################### Github Auth ##########################
[auth.github]
;enabled = false
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = user:email,read:org
;auth_url = https://github.com/login/oauth/authorize
;token_url = https://github.com/login/oauth/access_token
;api_url = https://api.github.com/user
;team_ids =
;allowed_organizations =
#################################### Google Auth ##########################
[auth.google]
;enabled = false
;allow_sign_up = true
;client_id = some_client_id
;client_secret = some_client_secret
;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
;auth_url = https://accounts.google.com/o/oauth2/auth
;token_url = https://accounts.google.com/o/oauth2/token
;api_url = https://www.googleapis.com/oauth2/v1/userinfo
;allowed_domains =
#################################### Generic OAuth ##########################
[auth.generic_oauth]
;enabled = false
;name = OAuth
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = user:email,read:org
;auth_url = https://foo.bar/login/oauth/authorize
;token_url = https://foo.bar/login/oauth/access_token
;api_url = https://foo.bar/user
;team_ids =
;allowed_organizations =
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
;tls_client_ca =
; Set to true to enable sending client_id and client_secret via POST body instead of Basic authentication HTTP header
; This might be required if the OAuth provider is not RFC6749 compliant, only supporting credentials passed via POST payload
;send_client_credentials_via_post = false
#################################### Grafana.com Auth ####################
[auth.grafana_com]
;enabled = false
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = user:email
;allowed_organizations =
#################################### Auth Proxy ##########################
[auth.proxy]
;enabled = false
;header_name = X-WEBAUTH-USER
;header_property = username
;auto_sign_up = true
;ldap_sync_ttl = 60
;whitelist = 192.168.1.1, 192.168.2.1
;headers = Email:X-User-Email, Name:X-User-Name
#################################### Basic Auth ##########################
[auth.basic]
;enabled = true
#################################### Auth LDAP ##########################
[auth.ldap]
;enabled = false
;config_file = /etc/grafana/ldap.toml
;allow_sign_up = true
#################################### SMTP / Emailing ##########################
[smtp]
enabled = true
host = localhost:25
;user =
# If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
;password =
;cert_file =
;key_file =
;skip_verify = false
from_address = grafana@planet-casio.com
from_name = "Grafana"
# EHLO identity in SMTP dialog (defaults to instance_name)
; ehlo_identity =
[emails]
;welcome_email_on_sign_up = false
#################################### Logging ##########################
[log]
# Either "console", "file", "syslog". Default is console and file
# Use space to separate multiple modes, e.g. "console file"
;mode = console file
# Either "debug", "info", "warn", "error", "critical", default is "info"
;level = info
# optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
;filters =
# For "console" mode only
[log.console]
;level =
# log line format, valid options are text, console and json
;format = console
# For "file" mode only
[log.file]
;level =
# log line format, valid options are text, console and json
;format = text
# This enables automated log rotate(switch of following options), default is true
;log_rotate = true
# Max line number of single file, default is 1000000
;max_lines = 1000000
# Max size shift of single file, default is 28 means 1 << 28, 256MB
;max_size_shift = 28
# Segment log daily, default is true
;daily_rotate = true
# Expired days of log file(delete after max days), default is 7
;max_days = 7
[log.syslog]
;level =
# log line format, valid options are text, console and json
;format = text
# Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
;network =
;address =
# Syslog facility. user, daemon and local0 through local7 are valid.
;facility =
# Syslog tag. By default, the process' argv[0] is used.
;tag =
#################################### Alerting ############################
[alerting]
# Disable alerting engine & UI features
;enabled = true
# Makes it possible to turn off alert rule execution but alerting UI is visible
;execute_alerts = true
# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
;error_or_timeout = alerting
# Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
;nodata_or_nullvalues = no_data
# Alert notifications can include images, but rendering many images at the same time can overload the server
# This limit will protect the server from render overloading and make sure notifications are sent out quickly
;concurrent_render_limit = 5
#################################### Explore #############################
[explore]
# Enable the Explore section
;enabled = true
#################################### Internal Grafana Metrics ##########################
# Metrics available at HTTP API Url /metrics
[metrics]
# Disable / Enable internal metrics
;enabled = true
# Publish interval
;interval_seconds = 10
# Send internal metrics to Graphite
[metrics.graphite]
# Enable by setting the address setting (ex localhost:2003)
;address =
;prefix = prod.grafana.%(instance_name)s.
#################################### Distributed tracing ############
[tracing.jaeger]
# Enable by setting the address sending traces to jaeger (ex localhost:6831)
;address = localhost:6831
# Tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
;always_included_tag = tag1:value1
# Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
;sampler_type = const
# jaeger samplerconfig param
# for "const" sampler, 0 or 1 for always false/true respectively
# for "probabilistic" sampler, a probability between 0 and 1
# for "rateLimiting" sampler, the number of spans per second
# for "remote" sampler, param is the same as for "probabilistic"
# and indicates the initial sampling rate before the actual one
# is received from the mothership
;sampler_param = 1
#################################### Grafana.com integration ##########################
# Url used to import dashboards directly from Grafana.com
[grafana_com]
;url = https://grafana.com
#################################### External image storage ##########################
[external_image_storage]
# Used for uploading images to public servers so they can be included in slack/email messages.
# you can choose between (s3, webdav, gcs, azure_blob, local)
;provider =
[external_image_storage.s3]
;bucket =
;region =
;path =
;access_key =
;secret_key =
[external_image_storage.webdav]
;url =
;public_url =
;username =
;password =
[external_image_storage.gcs]
;key_file =
;bucket =
;path =
[external_image_storage.azure_blob]
;account_name =
;account_key =
;container_name =
[external_image_storage.local]
# does not require any configuration
[rendering]
# Options to configure external image rendering server like https://github.com/grafana/grafana-image-renderer
;server_url =
;callback_url =
[enterprise]
# Path to a valid Grafana Enterprise license.jwt file
;license_path =
[panels]
;enable_alpha = false
# If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities.
;disable_sanitize_html = false
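Review bot: `;secret_key = SW2YcwTIb9zpOOhoPsMm` in `[security]` is left commented, so the instance runs with Grafana's shipped default key, which is public and is used for signing and for encrypting stored data-source credentials; since this file is already a Jinja template, set it from a vaulted variable, `secret_key = {{ grafana_secret_key | mandatory }}`. The same consideration applies to `admin_password`, which stays at `admin` until someone changes it in the UI. With `domain = grafana.planet-casio.com` already set and the nginx site forwarding `Host`, `enforce_domain = true` (the comment above it notes it prevents DNS rebinding) is a cheap hardening step to uncomment as well.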


@ -5,14 +5,14 @@
state: present
- name: "Copy rules"
template:
file:
src: '{{ item }}'
dest: '/etc/iptables/'
owner: 'root'
mode: 0644
with_fileglob: '*.rules'
- name: "Restarting iptables"
- name: "Reloading iptables"
service:
name: "iptables"
state: reloaded
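Review bot: Switching the `Copy rules` task to `file:` means nothing is copied any more: the `file` module only honours `src` for `state: link`/`state: hard`, and `dest` is an alias of `path`, so each `with_fileglob` iteration instead applies `owner: 'root'` and `mode: 0644` to the `/etc/iptables/` directory itself, which strips its execute bit and makes the rules unreadable. The same switch appears in the nginx tasks file in `Copy common files` (target `/etc/nginx/`) and `Copy conf.d` (target `/etc/nginx/sites-available/`), with the same effect. Unless the intent really is to only adjust permissions, restore `copy:` in all three tasks (or `template:` where the files contain Jinja) and keep the glob loops as they are. The first task of this file starts above the hunk.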


@ -14,7 +14,7 @@
- "sites-enabled"
- name: "Copy common files"
copy:
file:
src: '{{ item }}'
dest: '/etc/nginx/'
owner: 'root'
@ -22,7 +22,7 @@
with_fileglob: '*.conf'
- name: "Copy conf.d"
copy:
file:
src: '{{ item }}'
dest: '/etc/nginx/sites-available/'
owner: 'root'
@ -30,12 +30,12 @@
with_fileglob: 'conf.d/*.conf'
- name: "Copy sites-available"
copy:
template:
src: '{{ item }}'
dest: '/etc/nginx/sites-available/'
owner: 'root'
mode: 0644
with_fileglob: 'sites-available/*.conf'
with_fileglob: '../templates/sites-available/*.conf'
- name: "Enable sites"
file:
@ -44,7 +44,7 @@
state: link
loop: "{{ sites_enabled }}"
- name: "Restarting nginx"
- name: "Reloading nginx"
service:
name: "nginx"
state: reloaded


@ -3,7 +3,7 @@ server {
listen *:80;
server_name gitea.planet-casio.com git.planet-casio.com;
include common.conf;
access_log /var/log/nginx/gitea_access.log;
@ -19,7 +19,7 @@ server {
listen *:443 ssl http2;
server_name gitea.planet-casio.com git.planet-casio.com;
include common.conf;
include ssl.conf;
@ -36,6 +36,6 @@ server {
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:3001;
proxy_pass http://127.0.0.1:{{ proxy_ports.gitea | mandatory }};
}
}


@ -3,7 +3,7 @@ server {
listen *:80;
server_name grafana.planet-casio.com;
include common.conf;
access_log /var/log/nginx/grafana_access.log;
@ -19,7 +19,7 @@ server {
listen *:443 ssl http2;
server_name grafana.planet-casio.com;
include common.conf;
include ssl.conf;
@ -32,6 +32,6 @@ server {
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:3000;
proxy_pass http://127.0.0.1:{{ proxy_ports.grafana | mandatory }};
}
}


@ -3,7 +3,7 @@ server {
listen *:80;
server_name mumble.planet-casio.com;
include common.conf;
access_log /var/log/nginx/mumbleweb_access.log;
@ -23,8 +23,8 @@ server {
include common.conf;
include ssl.conf;
ssl_certificate /etc/dehydrated/certs/mumble.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/mumble.planet-casio.com/privkey.pem;
ssl_certificate /etc/dehydrated/certs/mumble.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/mumble.planet-casio.com/privkey.pem;
access_log /var/log/nginx/mumbleweb_access.log;
error_log /var/log/nginx/mumbleweb_error.log;
@ -37,7 +37,7 @@ server {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://localhost:64737;
proxy_pass http://localhost:{{ proxy_ports.mumbleweb | mandatory }};
}
}
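Review bot: The new `proxy_pass http://localhost:{{ proxy_ports.mumbleweb | mandatory }};` keeps `localhost` while the gitea and grafana templates in this commit use `127.0.0.1`; nginx resolves `localhost` once at config load and may obtain `::1` in addition to `127.0.0.1`, so if the mumble-web backend listens on IPv4 only, part of the connections would be attempted against an address nothing listens on. For consistency with the sibling templates use `proxy_pass http://127.0.0.1:{{ proxy_ports.mumbleweb | mandatory }};`. The enclosing `server` block begins above the hunk.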


@ -1,9 +0,0 @@
sites_enabled:
- "000-default"
- "bible"
- "creativecalc"
- "gitea"
- "grafana"
- "mumbleweb"
- "p7"
- "pc-dev"


@ -11,7 +11,7 @@
owner: 'root'
mode: 0644
- name: "Restarting sshd"
- name: "Reloading sshd"
service:
name: "sshd"
state: reloaded


@ -6,22 +6,23 @@
- name: "Copy ini files"
copy:
src: '{{ item }}'
src: '{{ item }}.ini'
dest: '/etc/uwsgi/'
owner: 'root'
mode: 0644
with_fileglob: '*.ini'
loop: "{{ sites_enabled }}"
when: item in ["pc", "pc-dev"]
- name: "Copy systemd service"
copy:
src: '{{ item }}'
src: 'uwsgi@.service'
dest: '/etc/systemd/system/'
owner: 'root'
mode: 0644
with_fileglob: '*.service'
- name: "Restarting uwsgi"
service:
name: "uwsgi@{{ item }}"
state: restarted
loop: "{{ environments }}"
loop: "{{ sites_enabled }}"
when: item in ["pc", "pc-dev"]
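Review bot: The literal `["pc", "pc-dev"]` is now duplicated in the `when:` of both `Copy ini files` and `Restarting uwsgi`, so the two tasks can silently drift apart; define it once, e.g. a role variable `uwsgi_apps: ["pc", "pc-dev"]`, and write both loops as `loop: "{{ sites_enabled | intersect(uwsgi_apps) }}"` with no `when:`. `Copy systemd service` now installs `uwsgi@.service`, but the restart that follows goes through `service:` without a daemon reload, so a changed unit file is not picked up until someone runs `systemctl daemon-reload`; using the `systemd` module with `daemon_reload: yes` in the restart task (ideally a handler notified by both copy tasks, so it also stops restarting every unit on every run) addresses that. The hunk starts after the first task of the file.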


@ -1,2 +0,0 @@
environments:
- "pc-dev"