Add initial config for dedicated monitoring server
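--- /dev/null
+++ b/roles/dashboard/tasks/grafana.yaml
@@ -0,0 +1,48 @@
+---
+- name: Install Grafana Enterprise repository
+become: true
+ansible.builtin.copy:
+src: grafana.repo
+dest: /etc/yum.repos.d/grafana.repo
+owner: root
+group: "{{ ansible_user }}"
+mode: 0644
+register: _grafana_repo
+
+- name: Install Grafana repository GPG key
+become: true
+ansible.builtin.rpm_key:
+state: present
+key: https://packages.grafana.com/gpg.key
+
+- name: Install Grafana
+become: true
+ansible.builtin.dnf:
+name: grafana
+state: present
+update_cache: "{{ _grafana_repo.changed }}"
+
+- name: Enable and start Grafana
+become: true
+ansible.builtin.systemd:
+name: grafana-server
+state: started
+enabled: true
+
+- name: Fetch installed grafana plugins
+become: true
+ansible.builtin.command:
+cmd: grafana-cli plugins ls
+changed_when: false
+register: _grafana_plugins_raw
+
+- name: Install plugins
+become: true
+ansible.builtin.command:
+cmd: grafana-cli plugins install {{ item }}
+changed_when: item not in _grafana_plugins_raw.stdout
+notify: [restart-grafana]
+loop:
+- marcusolsson-json-datasource
+- grafana-clock-panel
+- ayoungprogrammer-finance-datasource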
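Review bot: The `ansible.builtin.rpm_key` task imports whatever `https://packages.grafana.com/gpg.key` serves at run time, so the trust anchor for every later package signature check rests on a single unpinned download; add `fingerprint: "<EXPECTED_KEY_FINGERPRINT>"` (placeholder, to be taken from the vendor's published signing key out of band) so the import fails if the key ever differs. The "Install plugins" task has a related gap: `grafana-cli plugins install {{ item }}` runs on every play and fetches the current release of each plugin, two of which look third-party by their name prefix, while `changed_when` only hides the re-install from the report. Consider gating it with `when: item not in _grafana_plugins_raw.stdout` and passing an explicit version after the plugin id so upgrades are deliberate. The file mode is also better written as a quoted string, `mode: "0644"`.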
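--- /dev/null
+++ b/roles/dashboard/tasks/main.yaml
@@ -0,0 +1,6 @@
+---
+- name: Install and configure Grafana
+ansible.builtin.import_tasks: grafana.yaml
+
+- name: Install and configure Nginx
+ansible.builtin.import_tasks: nginx.yaml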
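--- /dev/null
+++ b/roles/dashboard/tasks/nginx.yaml
@@ -0,0 +1,107 @@
+---
+- name: Install nginx
+become: true
+ansible.builtin.dnf:
+name: nginx
+state: present
+
+- name: Enable and start nginx
+become: true
+ansible.builtin.systemd:
+name: nginx
+state: started
+enabled: true
+
+- name: Configure firewall for Nginx
+become: true
+ansible.posix.firewalld:
+service: "{{ item }}"
+state: enabled
+zone: internal
+permanent: true
+immediate: true
+loop:
+- http
+- https
+
+- name: Configure SELinux for Nginx
+when: ansible_selinux.status | default("") == "enabled"
+become: true
+ansible.posix.seboolean:
+name: httpd_can_network_connect
+state: true
+persistent: true
+notify: [restart-nginx]
+
+- name: Create certificate directory
+become: true
+ansible.builtin.file:
+path: "{{ dashboard_certificate_directory }}"
+state: directory
+owner: nginx
+group: "{{ ansible_user }}"
+mode: 0570
+
+- name: Generate X509 private key
+become: true
+vars:
+ansible_python_interpreter: "{{ skylab_ansible_venv }}/bin/python"
+community.crypto.openssl_privatekey:
+path: "{{ dashboard_certificate_directory }}/{{ dashboard_hostname }}.key"
+type: RSA
+size: 8192
+passphrase: "{{ dashboard_certificate_password }}"
+cipher: auto
+owner: nginx
+group: "{{ ansible_user }}"
+mode: 0460
+
+- name: Install private key password file
+become: true
+ansible.builtin.copy:
+content: "{{ dashboard_certificate_password }}"
+dest: "{{ dashboard_certificate_directory }}/{{ dashboard_hostname }}.password"
+owner: nginx
+group: "{{ ansible_user }}"
+mode: 0460
+
+- name: Create self-signed certificate
+become: true
+vars:
+ansible_python_interpreter: "{{ skylab_ansible_venv }}/bin/python"
+community.crypto.x509_certificate:
+path: "{{ dashboard_certificate_directory }}/{{ dashboard_hostname }}.pem"
+privatekey_path: "{{ dashboard_certificate_directory }}/{{ dashboard_hostname }}.key"
+privatekey_passphrase: "{{ dashboard_certificate_password }}"
+provider: selfsigned
+owner: nginx
+group: "{{ ansible_user }}"
+mode: 0460
+notify: [restart-nginx]
+
+- name: Copy nginx SSL parameters
+become: true
+ansible.builtin.copy:
+src: ssl-options.conf
+dest: /etc/nginx/ssl-options.conf
+owner: nginx
+group: "{{ ansible_user }}"
+mode: 0664
+notify: [restart-nginx]
+
+- name: Export Diffie-Hellman parameters
+become: true
+ansible.builtin.command:
+cmd: openssl dhparam -out /etc/nginx/ssl-dhparam.pem 2048
+creates: /etc/nginx/ssl-dhparam.pem
+notify: [restart-nginx]
+
+- name: Configure nginx server
+become: true
+ansible.builtin.template:
+src: nginx.conf.j2
+dest: /etc/nginx/conf.d/{{ dashboard_hostname }}.conf
+owner: nginx
+group: "{{ ansible_user }}"
+mode: 0444
+notify: [restart-nginx]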
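Review bot: The key passphrase adds no protection at rest, because "Install private key password file" writes `dashboard_certificate_password` in clear text next to the `.key` file with the same `owner: nginx`, `group: "{{ ansible_user }}"` and `mode: 0460`. That mode also gives the Ansible login user's group write access to the key, the password file and the certificate while the owner can only read, and `ssl-options.conf` at `mode: 0664` is writable by both the nginx account and that group. Every task already runs with `become: true`, so `owner: root`, `group: root`, `mode: "0400"` for the key and password file and `mode: "0644"` with `owner: root` for the config files would be tighter, assuming the nginx master process starts as root (not shown in this file). The three tasks that template `dashboard_certificate_password` should also set `no_log: true` so the value stays out of task output and diffs. The octal modes are safer written as quoted strings.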