grafana: Update, use Quadlet, use LDAP for auth

2023-11-19 12:49:58 +00:00 · 2023-11-19 12:49:58 +00:00 · 6304685aa6
parent 08b39ff5e2
commit 6304685aa6
8 changed files with 109 additions and 22 deletions
--- a/host/virtual/virtual.env
+++ b/host/virtual/virtual.env
@ -73,3 +73,6 @@ GOTOSOCIAL_SMTP_FROM=noreply@social.localhost

 # Configuration for Slidge.
 SLIDGE_SECRET_KEY=password
+
+# Configuration for Grafana.
+GRAFANA_DOMAIN=metrics.localhost
--- a/service/grafana/Containerfile
+++ b/service/grafana/Containerfile
@ -1,2 +1,16 @@
-FROM docker.io/grafana/grafana:8.5.0
+FROM docker.io/debian:bookworm-slim
+ARG VERSION=10.2.1
+
+RUN apt-get update -y && apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends curl ca-certificates
+
+RUN addgroup --system --gid 10000 grafana
+RUN adduser --system --uid 10000 --ingroup grafana --home /var/lib/grafana grafana
+
+RUN curl --silent --show-error -L https://dl.grafana.com/oss/release/grafana-${VERSION}.linux-amd64.tar.gz | \
+    tar -C /opt --no-same-owner -xvzf - && mv /opt/grafana-v${VERSION} /opt/grafana
+
 COPY container/config /etc/grafana
+USER grafana
+
+ENTRYPOINT ["/opt/grafana/bin/grafana", "server", "--config", "/etc/grafana/grafana.ini", "--homepath", "/opt/grafana", "web"]
--- a/service/grafana/container/config/grafana.ini
+++ b/service/grafana/container/config/grafana.ini
@ -1,8 +1,16 @@
 [paths]
+# Folders used for persistent data files, logs, plugins, etc.
+data = /var/lib/grafana
+logs = /var/lib/grafana/logs
+plugins = /var/lib/grafana/plugins
+
 # Folder used for static provisioning of dependencies.
 provisioning = /etc/grafana/provisioning

 [server]
+# The domain name used to serve Grafana.
+domain = ${GRAFANA_DOMAIN}
+
 # The HTTP port to use.
 http_port = 8080

@ -10,6 +18,31 @@ http_port = 8080
 # Only log to standard output.
 mode = console

+[news]
+# Disable the news feed section.
+news_feed_enabled = false
+
 [analytics]
 # Disable anonymous usage collection.
 reporting_enabled = false
+
+# Disable automated update checks.
+check_for_updates = false
+check_for_plugin_updates = false
+
+[security]
+# Don't create default users, instead relying on LDAP.
+disable_initial_admin_creation = true
+
+# Assume that Grafana is served behind HTTPS.
+cookie_secure = false
+
+[auth.basic]
+# Don't allow authentication via HTTP Basic auth.
+enabled = false
+
+[auth.ldap]
+# Enable LDAP authentication.
+enabled = true
+config_file = /etc/grafana/ldap.toml
+allow_sign_up = true
--- a/service/grafana/container/config/ldap.toml
+++ b/service/grafana/container/config/ldap.toml
@ -0,0 +1,28 @@
+[[servers]]
+host = "${GRAFANA_AUTH_LDAP_HOST}"
+port = ${GRAFANA_AUTH_LDAP_PORT}
+use_ssl = false
+start_tls = false
+ssl_skip_verify = false
+
+bind_dn = "uid=${GRAFANA_AUTH_LDAP_BIND_UID},ou=people,dc=ldap,dc=local"
+bind_password = "${GRAFANA_AUTH_LDAP_BIND_PASSWORD}"
+
+search_filter = "(|(uid=%s)(mail=%s))"
+search_base_dns = ["dc=ldap,dc=local"]
+
+[servers.attributes]
+member_of = "memberOf"
+email = "mail"
+name = "givenName"
+surname = "sn"
+username = "uid"
+
+[[servers.group_mappings]]
+group_dn = "cn=grafana_admin,ou=groups,dc=ldap,dc=local"
+org_role = "Admin"
+grafana_admin = true
+
+[[servers.group_mappings]]
+group_dn = "cn=grafana_user,ou=groups,dc=ldap,dc=local"
+org_role = "Editor"
--- a/service/grafana/grafana.env.template
+++ b/service/grafana/grafana.env.template
@ -0,0 +1,8 @@
+# Virtual host options.
+GRAFANA_DOMAIN=${GRAFANA_DOMAIN}
+
+# Authentication options.
+GRAFANA_AUTH_LDAP_HOST=lldap
+GRAFANA_AUTH_LDAP_PORT=3890
+GRAFANA_AUTH_LDAP_BIND_UID=${LLDAP_ADMIN_USERNAME}
+GRAFANA_AUTH_LDAP_BIND_PASSWORD=${LLDAP_ADMIN_PASSWORD}
--- a/service/grafana/quadlet/grafana.container
+++ b/service/grafana/quadlet/grafana.container
@ -0,0 +1,20 @@
+[Unit]
+Description=Grafana Visualization and Analytics
+Wants=container-build@%N.service container-volume@%N.service prometheus.service lldap.service
+After=container-build@%N.service container-volume@%N.service prometheus.service lldap.service
+
+[Container]
+AutoUpdate=local
+ContainerName=%N
+EnvironmentFile=%E/coreos-home-server/%N/%N.env
+HealthCmd=timeout 5s curl --fail --silent --show-error -o /dev/null localhost:8080/api/health
+Image=localhost/%N:latest
+Network=internal
+PodmanArgs=--sdnotify=healthy
+Volume=%N:/var/lib/%N:z
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/service/grafana/spec.bu
+++ b/service/grafana/spec.bu
@ -6,7 +6,5 @@ storage:
      local: service/grafana/
    - path: /etc/systemd/system
      local: service/grafana/systemd/
-systemd:
-  units:
-    - name: grafana.service
-      enabled: true
+    - path: /etc/containers/systemd
+      local: service/grafana/quadlet/
--- a/service/grafana/systemd/grafana.service
+++ b/service/grafana/systemd/grafana.service
@ -1,17 +0,0 @@
-[Unit]
-Description=Grafana Visualization and Analytics
-Wants=container-build@%N.service container-volume@%N.service prometheus.service
-After=container-build@%N.service container-volume@%N.service prometheus.service
-
-[Service]
-Type=notify
-NotifyAccess=all
-SyslogIdentifier=%N
-Restart=on-failure
-Environment=PODMAN_SYSTEMD_UNIT=%n
-ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon --volume %N:/var/lib/%N:z localhost/%N:latest
-ExecStop=/bin/podman stop --ignore --time 10 %N
-ExecStopPost=/bin/podman rm --ignore --force %N
-
-[Install]
-WantedBy=multi-user.target