Add initial config for dedicated monitoring server

inventory.yaml

@@ -10,6 +10,7 @@ all:
 en1:
   vars:
     skylab_location: Newton MA
+    skylab_dashboard: info.en1.local
     # gross hack for now, will be refactored later
     _skylab_adguard_nat_rule: 8
 

playbooks/configure.yaml

@@ -16,7 +16,7 @@
     - include_tasks: tasks/meta/bootstrap-remote-env.yaml
 
 
-# "server", here, is a word used to mean "not a workstation"
+# [lemony snicket voice] "server" here being a word used to mean "not a workstation"
 - name: Configure servers
   hosts: linux:!workstation
   gather_facts: false
@@ -30,3 +30,11 @@
   roles:
     - role: datastore
     - role: swarm
+
+
+- name: Configure dashboard nodes
+  hosts: iridium
+  gather_facts: false
+  roles:
+    - role: dashboard
+      dashboard_hostname: "{{ skylab_dashboard }}"

roles/dashboard/files/grafana.repo

@@ -0,0 +1,9 @@
+[grafana]
+name=grafana
+baseurl=https://packages.grafana.com/enterprise/rpm
+repo_gpgcheck=1
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.grafana.com/gpg.key
+sslverify=1
+sslcacert=/etc/pki/tls/certs/ca-bundle.crt

roles/dashboard/files/ssl-options.conf

@@ -0,0 +1,22 @@
+# Ansible managed file - DO NOT EDIT
+#
+# https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04
+#
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 1.1.1.1 1.0.0.1 valid=300s;
+resolver_timeout 5s;
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+ssl_dhparam /etc/nginx/ssl-dhparam.pem;
+
+# EOF

roles/dashboard/handlers/main.yaml

@@ -0,0 +1,12 @@
+---
+- name: restart-nginx
+  become: true
+  ansible.builtin.systemd:
+    name: nginx
+    state: restarted
+
+- name: restart-grafana
+  become: true
+  ansible.builtin.systemd:
+    name: grafana-server
+    state: restarted

roles/dashboard/tasks/grafana.yaml

@@ -0,0 +1,48 @@
+---
+- name: Install Grafana Enterprise repository
+  become: true
+  ansible.builtin.copy:
+    src: grafana.repo
+    dest: /etc/yum.repos.d/grafana.repo
+    owner: root
+    group: "{{ ansible_user }}"
+    mode: 0644
+  register: _grafana_repo
+
+- name: Install Grafana repository GPG key
+  become: true
+  ansible.builtin.rpm_key:
+    state: present
+    key: https://packages.grafana.com/gpg.key
+
+- name: Install Grafana
+  become: true
+  ansible.builtin.dnf:
+    name: grafana
+    state: present
+    update_cache: "{{ _grafana_repo.changed }}"
+
+- name: Enable and start Grafana
+  become: true
+  ansible.builtin.systemd:
+    name: grafana-server
+    state: started
+    enabled: true
+
+- name: Fetch installed grafana plugins
+  become: true
+  ansible.builtin.command:
+    cmd: grafana-cli plugins ls
+  changed_when: false
+  register: _grafana_plugins_raw
+
+- name: Install plugins
+  become: true
+  ansible.builtin.command:
+    cmd: grafana-cli plugins install {{ item }}
+  changed_when: item not in _grafana_plugins_raw.stdout
+  notify: [restart-grafana]
+  loop:
+    - marcusolsson-json-datasource
+    - grafana-clock-panel
+    - ayoungprogrammer-finance-datasource

roles/dashboard/tasks/main.yaml

@@ -0,0 +1,6 @@
+---
+- name: Install and configure Grafana
+  ansible.builtin.import_tasks: grafana.yaml
+
+- name: Install and configure Nginx
+  ansible.builtin.import_tasks: nginx.yaml

roles/dashboard/tasks/nginx.yaml

@@ -0,0 +1,107 @@
+---
+- name: Install nginx
+  become: true
+  ansible.builtin.dnf:
+    name: nginx
+    state: present
+
+- name: Enable and start nginx
+  become: true
+  ansible.builtin.systemd:
+    name: nginx
+    state: started
+    enabled: true
+
+- name: Configure firewall for Nginx
+  become: true
+  ansible.posix.firewalld:
+    service: "{{ item }}"
+    state: enabled
+    zone: internal
+    permanent: true
+    immediate: true
+  loop:
+    - http
+    - https
+
+- name: Configure SELinux for Nginx
+  when: ansible_selinux.status | default("") == "enabled"
+  become: true
+  ansible.posix.seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: true
+  notify: [restart-nginx]
+
+- name: Create certificate directory
+  become: true
+  ansible.builtin.file:
+    path: "{{ dashboard_certificate_directory }}"
+    state: directory
+    owner: nginx
+    group: "{{ ansible_user }}"
+    mode: 0570
+
+- name: Generate X509 private key
+  become: true
+  vars:
+    ansible_python_interpreter: "{{ skylab_ansible_venv }}/bin/python"
+  community.crypto.openssl_privatekey:
+    path: "{{ dashboard_certificate_directory }}/{{ dashboard_hostname }}.key"
+    type: RSA
+    size: 8192
+    passphrase: "{{ dashboard_certificate_password }}"
+    cipher: auto
+    owner: nginx
+    group: "{{ ansible_user }}"
+    mode: 0460
+
+- name: Install private key password file
+  become: true
+  ansible.builtin.copy:
+    content: "{{ dashboard_certificate_password }}"
+    dest: "{{ dashboard_certificate_directory }}/{{ dashboard_hostname }}.password"
+    owner: nginx
+    group: "{{ ansible_user }}"
+    mode: 0460
+
+- name: Create self-signed certificate
+  become: true
+  vars:
+    ansible_python_interpreter: "{{ skylab_ansible_venv }}/bin/python"
+  community.crypto.x509_certificate:
+    path: "{{ dashboard_certificate_directory }}/{{ dashboard_hostname }}.pem"
+    privatekey_path: "{{ dashboard_certificate_directory }}/{{ dashboard_hostname }}.key"
+    privatekey_passphrase: "{{ dashboard_certificate_password }}"
+    provider: selfsigned
+    owner: nginx
+    group: "{{ ansible_user }}"
+    mode: 0460
+  notify: [restart-nginx]
+
+- name: Copy nginx SSL parameters
+  become: true
+  ansible.builtin.copy:
+    src: ssl-options.conf
+    dest: /etc/nginx/ssl-options.conf
+    owner: nginx
+    group: "{{ ansible_user }}"
+    mode: 0664
+  notify: [restart-nginx]
+
+- name: Export Diffie-Hellman parameters
+  become: true
+  ansible.builtin.command:
+    cmd: openssl dhparam -out /etc/nginx/ssl-dhparam.pem 2048
+    creates: /etc/nginx/ssl-dhparam.pem
+  notify: [restart-nginx]
+
+- name: Configure nginx server
+  become: true
+  ansible.builtin.template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/conf.d/{{ dashboard_hostname }}.conf
+    owner: nginx
+    group: "{{ ansible_user }}"
+    mode: 0444
+  notify: [restart-nginx]

roles/dashboard/templates/nginx.conf.j2

@@ -0,0 +1,29 @@
+# Ansible managed file - DO NOT MANUALLY EDIT
+#
+server {
+    server_name  {{ dashboard_hostname }};
+    root         /usr/share/nginx/html;
+
+    location / {
+        proxy_pass        http://127.0.0.1:3000/;
+        proxy_set_header  Host $host;
+    }
+
+    listen 443            ssl http2;
+    ssl_certificate       {{ dashboard_certificate_directory }}/{{ dashboard_hostname }}.pem;
+    ssl_certificate_key   {{ dashboard_certificate_directory }}/{{ dashboard_hostname }}.key;
+    ssl_password_file     {{ dashboard_certificate_directory }}/{{ dashboard_hostname }}.password;
+    include               /etc/nginx/ssl-options.conf;
+}
+
+server {
+    if ($host = {{ dashboard_hostname }}) {
+        return 301  https://$host$request_uri;
+    }
+
+    server_name     {{ dashboard_hostname }};
+    listen          80;
+    return          404;
+}
+#
+# EOF

roles/dashboard/vars/main.yaml

@@ -0,0 +1,15 @@
+---
+dashboard_certificate_directory: /etc/nginx/certs
+dashboard_certificate_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          62373265623036656632396637363539313437656433656461356561393538333536303961363462
+          3964353831633165363430313533623563343732623930630a393030393336613563313431306233
+          62393235303234336365313138633137663430653061343737616466303136616130643061356566
+          3165313038393163340a396365643335343332333335363539326635633466313264373639353930
+          36646462396139346432353233646635303031613639323266366235373132346363653431323666
+          38336365303431646530613030613437663035613332653865366432636238303437323633666239
+          64366435353762656362666531393865383639343461616365316634326334623733653664666161
+          63366234646466326531363666633966326462373562313839393731633931383762306663396562
+          65663031653661333439373461333234613863623364643464323863656630386561316565353232
+          35313338373631356231376361346662353365373030653965626434336339613936656138656637
+          666430306334623563306236616663623438