Merge branch 'add-dashboards' into 'master'

Add dashboards.archlinux.org for public Grafana dashboards Closes #172 See merge request !368

Merge branch 'add-dashboards' into 'master'
Add dashboards.archlinux.org for public Grafana dashboards Closes #172 See merge request !368
2136ced8 · Jelle van der Waa · 2cbfa2c0 · 9ef30adb · 2136ced8 · 2136ced8
Commit 2136ced8 authored May 13, 2021 by Jelle van der Waa 🚧
--- a/docs/grafana.md
+++ b/docs/grafana.md
 # Grafana

 Our Grafana is hosted on https://monitoring.archlinux.org and is accessible for
-all Arch Linux Staff, editing rights are restricted to users with the Devops
+all DevOps Staff, editing rights are restricted to users with the Devops
 Role.

+A public accessible instance is hosted on https://dashboards.archlinux.org with selected metrics.
+
 Dashboards and datasources are automatically provisioned by Grafana with Grafana's built-in [provisioning configuration](https://grafana.com/docs/grafana/latest/administration/provisioning/).

 ## Adding a new Dashboard

--- a/docs/servers.md
+++ b/docs/servers.md
@@ -118,6 +118,14 @@ Medium-fast-ish packet.net Arch Linux box.
  - [Grafana](https://monitoring.archlinux.org) and [docs/grafana.md](./docs/grafana.md)
  - Prometheus

+## dashboards.archlinux.org
+
+Prometheus, and Grafana server which receives selected performance/metrics from monitoring.archlinux.org and make them public accessible.
+
+### Services
+  - [Grafana](https://dashboards.archlinux.org) and [docs/grafana.md](./docs/grafana.md)
+  - Prometheus
+
 ## patchwork.archlinux.org

 ### Services

--- a/group_vars/all/root_access.yml
+++ b/group_vars/all/root_access.yml
@@ -26,6 +26,7 @@ root_ssh_keys:
      - monitoring.archlinux.org
      - runner1.archlinux.org
      - runner2.archlinux.org
+      - dashboards.archlinux.org

 # run playbook 'playbooks/tasks/reencrypt-vault-key.yml' when this changes
 # before running it, make sure to gpg --lsign-key all of the below keys

--- a/host_vars/dashboards.archlinux.org
+++ b/host_vars/dashboards.archlinux.org
+---
+filesystem: btrfs
+ipv4_address: 157.90.255.107
--- a/hosts
+++ b/hosts
@@ -142,6 +142,7 @@ repro2.pkgbuild.com
 runner1.archlinux.org
 md.archlinux.org
 man.archlinux.org
+dashboards.archlinux.org

 [kape_servers]
 asia.mirror.pkgbuild.com

--- a/playbooks/dashboards.archlinux.org.yml
+++ b/playbooks/dashboards.archlinux.org.yml
+- name: setup public dashboards server
+  hosts: dashboards.archlinux.org
+  remote_user: root
+  roles:
+    - { role: firewalld }
+    - { role: common }
+    - { role: tools }
+    - { role: sshd }
+    - { role: root_ssh }
+    - { role: hardening }
+    - { role: borg_client, tags: ["borg"], when: "'borg_clients' in group_names" }
+    - { role: prometheus, prometheus_receive_only: true }
+    - { role: prometheus_exporters }
+    - { role: promtail }
+    - { role: certbot }
+    - { role: nginx }
+    - { role: grafana, grafana_anonymous_access: true, grafana_domain: 'dashboards.archlinux.org' }
+    - { role: fail2ban }
--- a/playbooks/monitoring.archlinux.org.yml
+++ b/playbooks/monitoring.archlinux.org.yml
@@ -10,6 +10,7 @@
    - { role: hardening }
    - { role: borg_client, tags: ["borg"], when: "'borg_clients' in group_names" }
    - { role: prometheus }
+    - { role: alertmanager }
    - { role: prometheus_exporters }
    - { role: loki }
    - { role: promtail }

--- a/roles/alertmanager/handlers/main.yml
+++ b/roles/alertmanager/handlers/main.yml
+---
+
+- name: reload alertmanager
+  service: name=alertmanager state=reloaded
--- a/roles/alertmanager/tasks/main.yml
+++ b/roles/alertmanager/tasks/main.yml
+---
+
+- name: install alertmanager server
+  pacman: name=alertmanager state=present
+
+- name: install alertmanager configuration
+  template: src=alertmanager.yml.j2 dest=/etc/alertmanager/alertmanager.yml owner=root group=alertmanager mode=640
+  notify: reload alertmanager
+
+- name: enable alertmanager server service
+  systemd: name=alertmanager enabled=yes daemon_reload=yes state=started
--- a/roles/prometheus/templates/alertmanager.yml.j2
+++ b/roles/prometheus/templates/alertmanager.yml.j2
--- a/roles/grafana/defaults/main.yml
+++ b/roles/grafana/defaults/main.yml
 ---
 grafana_domain: "grafana.archlinux.org"
+grafana_anonymous_access: false
--- a/roles/grafana/files/public-dashboards/archive.json
+++ b/roles/grafana/files/public-dashboards/archive.json
+../dashboards/archive.json
\ No newline at end of file
--- a/roles/grafana/files/public-dashboards/home.json
+++ b/roles/grafana/files/public-dashboards/home.json
+archive.json
\ No newline at end of file
--- a/roles/grafana/files/public-dashboards/rebuilderd.json
+++ b/roles/grafana/files/public-dashboards/rebuilderd.json
+../dashboards/rebuilderd.json
\ No newline at end of file
--- a/roles/grafana/files/public-dashboards/repository.json
+++ b/roles/grafana/files/public-dashboards/repository.json
+../dashboards/repository.json
\ No newline at end of file
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -36,6 +36,10 @@
 - name: copy grafana dashboards
  copy: src=dashboards dest=/var/lib/grafana/dashboards owner=grafana group=grafana mode=0600

+- name: copy (public) grafana dashboards
+  copy: src=public-dashboards dest=/var/lib/grafana/ owner=root group=grafana mode=0640
+  when: grafana_anonymous_access
+
 - name: install grafana config
  template: src=grafana.ini.j2 dest=/etc/grafana.ini owner=grafana group=root mode=0600
  notify: restart grafana

--- a/roles/grafana/templates/dashboard.yaml.j2
+++ b/roles/grafana/templates/dashboard.yaml.j2
@@ -9,6 +9,10 @@ providers:
   allowUiUpdates: false
   type: file
   options:
+{% if grafana_anonymous_access %}
+     path: /var/lib/grafana/public-dashboards
+{% else %}
     path: /var/lib/grafana/dashboards
+{% endif %}
     foldersFromFilesStructure: true

--- a/roles/grafana/templates/datasources.yaml.j2
+++ b/roles/grafana/templates/datasources.yaml.j2
 apiVersion: 1

 datasources:
+{% if grafana_anonymous_access %}
+- name: Prometheus
+  type: prometheus
+  access: proxy
+  basicAuth: true
+  basicAuthUser: {{ vault_prometheus_user }}
+  secureJsonData:
+    basicAuthPassword: {{ vault_prometheus_passwd }}
+  url: https://{{ prometheus_domain }}:9090
+{% else %}
 - name: Prometheus
  type: prometheus
  access: proxy
@@ -9,4 +19,4 @@ datasources:
  type: loki
  access: proxy
  url: http://localhost:3100
-
+{% endif %}
--- a/roles/grafana/templates/grafana.ini.j2
+++ b/roles/grafana/templates/grafana.ini.j2
@@ -233,6 +233,11 @@ x_xss_protection = true
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
 ;min_refresh_interval =

+{% if grafana_anonymous_access %}
+# Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json"
+default_home_dashboard_path = /var/lib/grafana/public-dashboards/home.json
+{% endif %}
+
 #################################### Users ###############################
 [users]
 # disable user signup / registration
@@ -303,13 +308,15 @@ oauth_auto_login = true
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access
-;enabled = false
+{% if grafana_anonymous_access %}
+enabled = true
+{% endif %}

 # specify organization name that should be used for unauthenticated users
 ;org_name = Main Org.

 # specify role for unauthenticated users
-;org_role = Viewer
+org_role = Viewer

 #################################### Github Auth ##########################
 [auth.github]
@@ -373,6 +380,7 @@ oauth_auto_login = true
 ;allowed_domains =
 ;allowed_groups =

+{% if not grafana_anonymous_access %}
 #################################### Generic OAuth ##########################
 [auth.generic_oauth]
 enabled = true
@@ -394,6 +402,7 @@ role_attribute_path: contains(roles[*], 'DevOps') && 'Admin' || contains(roles[*
 ;tls_client_cert =
 ;tls_client_key =
 ;tls_client_ca =
+{% endif %}

 #################################### SAML Auth ###########################
 [auth.saml] # Enterprise only

--- a/roles/prometheus/defaults/main.yml
+++ b/roles/prometheus/defaults/main.yml
 monitoring_domain: monitoring.archlinux.org
 gitlab_runner_exporter_port: '9252'
+prometheus_domain: dashboards.archlinux.org
 prometheus_mysqld_exporter_port: '9104'
+prometheus_receive_only: false

 # for d in $(curl -sf "https://crt.sh/?q=archlinux.org&output=json" "https://crt.sh/?q=pkgbuild.com&output=json" | jq -r ".[].name_value" | sort -u); do if curl -o /dev/null -sS "https://$d"; then echo $d; fi; done | grep -v "\@" | sort | sed "s/^/  - https:\/\//"
 blackbox_targets:
@@ -17,6 +19,7 @@ blackbox_targets:
    - https://bbs.archlinux.org
    - https://bugs.archlinux.org
    - https://conf.archlinux.org
+    - https://dashboards.archlinux.org/healthz
    - https://dev.archlinux.org
    - https://europe.archive.pkgbuild.com
    - https://europe.mirror.pkgbuild.com
@@ -56,6 +59,7 @@ blackbox_targets:
    - mail.archlinux.org:465
    - mail.archlinux.org:993
    - mail.archlinux.org:995
+    - dashboards.archlinux.org:9090
  smtp_starttls:
    - mail.archlinux.org:25
    - mail.archlinux.org:587