From 0d537a0c349a291fcdd518794732a43e982cf0cc Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 20 Dec 2022 13:03:01 +0100
Subject: [PATCH] Configuration managed by ini_file.

---
defaults/main.yml | 78 ++++++++++++++++++++++++++++++++---
tasks/main.yml | 31 ++++++++++----
templates/grafana.ini.j2 | 88 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 184 insertions(+), 13 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 63b3e93..d07e026 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,17 +5,83 @@ grafana_pkg_state: latest grafana_packages: - grafana -grafana_conf_files: - - grafana.ini +grafana_conf: + - {section: '', option: 'app_mode', value: '{{ grafana_app_mode }}', state: present} + - {section: '', option: 'instance_name', value: '{{ grafana_instance_name }}', state: present} + - {section: 'paths', option: 'data', value: '{{ grafana_data_path }}', state: present} + - {section: 'server', option: 'protocol', value: '{{ grafana_server_protocol }}', state: present} + - {section: 'server', option: 'http_addr', value: '{{ grafana_bind_ip_address }}', state: present} + - {section: 'server', option: 'http_port', value: '{{ grafana_http_port }}', state: present} + - {section: 'server', option: 'domain', value: '{{ grafana_domain_name }}', state: present} + - {section: 'server', option: 'enforce_domain', value: '{{ grafana_enforce_dns_name }}', state: present} + - {section: 'database', option: 'type', value: '{{ grafana_db_type }}', state: present} + - {section: 'database', option: 'host', value: '{{ grafana_db_hostport }}', state: present} + - {section: 'database', option: 'name', value: '{{ grafana_db_name }}', state: present} + - {section: 'database', option: 'user', value: '{{ grafana_db_user }}', state: present} + - {section: 'database', option: 'password', value: '{{ grafana_db_password }}', state: present} + - {section: 'database', option: 'ssl_mode', value: '{{ grafana_db_pg_ssl_mode }}', state: present} + - {section: 'session', option: 'provider', value: '{{ grafana_session_provider }}', state: present} + - {section: 'session', option: 'provider_config', value: '{{ grafana_session_config }}', state: present} + - {section: 'session', option: 'secure_cookie', value: '{{ grafana_secure_cookie | lower }}', state: present} + - {section: 'session', option: 'cookie_name', value: '{{ grafana_cookie_name }}', state: present} + - {section: 'analytics', option: 'reporting_enabled', value: '{{ grafana_analytics_reporting_enabled | lower }}', 
state: present} + - {section: 'analytics', option: 'check_for_updates', value: '{{ grafana_analytics_updates_check | lower }}', state: present} + - {section: 'security', option: 'admin_user', value: '{{ grafana_admin_user }}', state: "{% if grafana_setup_admin_user %}present{% else %}absent{% endif %}"} + - {section: 'security', option: 'secret_key', value: '{{grafana_signing_key }}', state: "{% if grafana_setup_signing_key %}present{% else %}absent{% endif %}"} + - {section: 'security', option: 'cookie_secure', value: '{{ grafana_secure_cookies | lower }}', state: present} + - {section: 'security', option: 'cookie_samesite', value: "{{ grafana_cookie_samesite | default('lax') }}", state: present} + - {section: 'security', option: 'allow_embedding', value: "{{ grafana_allow_embedding | default(false) }}", state: present} + - {section: 'dashboards', option: 'versions_to_keep', value: "{{ grafana_dashboards_versions_to_keep | default('20') }}", state: present} + - {section: 'dashboards', option: 'min_refresh_interval', value: "{{ grafana_dashbards_min_default_interval | default('5s') }}", state: present} + - {section: 'users', option: 'allow_sign_up', value: '{{ grafana_u_allow_signup | lower }}', state: present} + - {section: 'users', option: 'allow_org_create', value: '{{ grafana_u_allow_org_create | lower }}', state: present} + - {section: 'users', option: 'auto_assign_org', value: "{{ grafana_u_auto_assign_org | default(true) | lower }}", state: present} + - {section: 'users', option: 'auto_assign_org_role', value: "{{grafana_u_default_role | lower }}", state: present} + - {section: 'users', option: 'default_theme', value: '{{ grafana_u_default_theme }}', state: present} + - {section: 'users', option: 'disable_login_form', value: '{{ grafana_u_disable_login_form | lower }}', state: present} + - {section: 'auth.anonymous', option: 'enabled', value: '{{ grafana_auth_anon | lower }}', state: present} + - {section: 'auth.generic_oauth', option: 'enabled', value: '{{ 
grafana_oauth_generic_enabled | lower }}', state: present} + - {section: 'auth.generic_oauth', option: 'name', value: '{{ grafana_oauth_name }}', state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'icon', value: 'signin', state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'scopes', value: '{{ grafana_oauth_scopes }}', state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'empty_scopes', value: '{{ grafana_oauth_empty_scopes | lower }}', state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'tls_skip_verify_insecure', value: '{{ grafana_tls_skip_verify_insecure | lower }}', state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'allow_sign_up', value: '{{ grafana_oauth_allow_signup | lower }}', state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'client_id', value: '{{ grafana_oauth_client_id | default('grafana') }}', state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'client_secret', value: '{{ grafana_oauth_client_secret }}', state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'auth_url', value: '{{ grafana_oauth_auth_url }}', state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'token_url', value: "{{ grafana_oauth_token_url | default('') }}", state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'api_url', value: 
'{{grafana_oauth_api_url }}', state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'use_pkce', value: '{{ grafana_oauth_use_pkce | lower }}', state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'auth_style', value: "{{ grafana_oauth_auth_style | default('') }}", state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'allow_assign_grafana_admin', value: '{{ grafana_oauth_allow_assign_grafana_admin | lower }}', state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.generic_oauth', option: 'role_attribute_path', value: "{{ grafana_oauth_role_attribute_path }}", state: "{% if grafana_oauth_generic_enabled %}present{% else %}absent{% endif %}"} + - {section: 'auth.ldap', option: 'enabled', value: '{{grafana_ldap_auth | lower }}', state: present} + - {section: 'auth.ldap', option: 'config_file', value: '/etc/grafana/ldap.toml', state: present} + - {section: 'log', option: 'mode', value: '{{ grafana_log_mode }}', state: present} + - {section: 'log', option: 'level', value: '{{ grafana_log_level }}', state: present} + - {section: 'log.console', option: 'level', value: '{{ grafana_log_level }}', state: present} + - {section: 'log.console', option: 'format', value: "{{ grafana_log_console_format | default('text') }}", state: present} + - {section: 'log.syslog', option: 'level', value: '{{ grafana_log_level }}', state: present} + - {section: 'log.syslog', option: 'facility', value: '{{ grafana_syslog_facility }}', state: present} + - {section: 'dashboards.json', option: 'enabled', value: '{{ grafana_dashboard_json | lower }}', state: present} + - {section: 'dashboards.json', option: 'path', value: "{{ grafana_dashboards_json_path | default('/var/lib/grafana/dashboards')", state: present} + - {section: 'metrics', 
option: 'enabled', value: "{{ grafana_metrics_enabled | default(true) | lower }}", state: present} + - {section: 'grafana_net', option: 'url', value: 'https://grafana.net', state: present} + +grafana_additional_conf: [] grafana_ldap_conf_file: - ldap.toml grafana_enabled: true grafana_app_mode: production +grafana_instance_name: '{{ ansible_fqdn }}' grafana_require_nginx: true grafana_require_redis: true +# redis, file +grafana_session_provider: file grafana_data_path: /var/lib/grafana grafana_server_protocol: http @@ -40,11 +106,10 @@ grafana_db_pg_ssl_mode: require grafana_setup_admin_user: true grafana_admin_user: admin # grafana_admin_pwd: 'Use a vault file' -grafana_setup_signing_key: true +grafana_setup_signing_key: false # grafana_signing_key: 'Use a vault file' -grafana_session_provider: file +# sessions, or if redis: 'addr=127.0.0.1:6379,pool_size=100,db=grafana' grafana_session_config: sessions -grafana_session_redis_config: 'addr=127.0.0.1:6379,pool_size=100,db=grafana' grafana_analytics_reporting_enabled: 'true' grafana_analytics_updates_check: 'true' @@ -54,13 +119,14 @@ grafana_u_allow_org_create: 'false' grafana_u_default_role: Viewer # dark or light grafana_u_default_theme: dark +grafana_u_disable_login_form: false grafana_auth_anon: 'false' grafana_log_mode: syslog grafana_log_level: info grafana_syslog_facility: daemon -grafana_dashboard_json: 'true' +grafana_dashboard_json: true grafana_additional_plugins: - name: grafana-clock-panel diff --git a/tasks/main.yml b/tasks/main.yml index d81f975..5c31883 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
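Review bot: Two new `grafana_conf` entries cannot be loaded as written. The `auth.generic_oauth`/`client_id` entry wraps a Jinja expression that contains single quotes in a single-quoted YAML scalar, `'{{ grafana_oauth_client_id | default('grafana') }}'`, which terminates the scalar at the inner quote and breaks parsing of defaults/main.yml; it should be double-quoted like the neighbouring `cookie_samesite` entry, `value: "{{ grafana_oauth_client_id | default('grafana') }}"`. The `dashboards.json`/`path` entry never closes its expression, `"{{ grafana_dashboards_json_path | default('/var/lib/grafana/dashboards')"`, so templating fails at runtime; it needs `value: "{{ grafana_dashboards_json_path | default('/var/lib/grafana/dashboards') }}"`. The list also has no `security`/`admin_password` entry, although the old template set `admin_password = {{ grafana_admin_pwd }}` (visible as the context line of the grafana.ini.j2 hunk) and `grafana_admin_pwd` is still documented below, so unless it is set elsewhere a fresh install is left on Grafana's initial admin password. Finally, `session`/`secure_cookie` reads `grafana_secure_cookie` while `security`/`cookie_secure` reads `grafana_secure_cookies`; one of the two is probably a typo, so confirm which variable the defaults actually declare.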
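Review bot: Changing the default `grafana_setup_signing_key` to `false` makes the `security`/`secret_key` entry in `grafana_conf` `absent`, so a host deployed with the defaults runs on the `secret_key` shipped in Grafana's own defaults.ini, the key Grafana uses to encrypt stored data source credentials, and a host that earlier applied the role with a vaulted key has that line removed from grafana.ini, which would leave the already encrypted secrets undecryptable. If the intent is to keep the role usable without a vault file, that trade-off belongs next to the variable, e.g. `# false: Grafana keeps its built-in default secret_key; set a vaulted grafana_signing_key and enable this in production`. The replacement comment on `grafana_session_config` would also read more clearly as `# file provider: a directory name (sessions); redis provider: 'addr=127.0.0.1:6379,pool_size=100,db=grafana'`.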
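Review bot: `grafana_dashboard_json` becomes a real boolean while the surrounding flags (`grafana_auth_anon: 'false'`, `grafana_analytics_reporting_enabled: 'true'`, `grafana_u_allow_org_create: 'false'`) stay quoted strings, and the new `grafana_u_disable_login_form: false` follows the boolean style. Both forms only work because every `grafana_conf` entry applies `| lower`; mixing them invites someone to drop the filter and write `True` into grafana.ini. Pick one form for the file, preferably unquoted `true`/`false`, or add a comment beside the quoted ones saying why they are strings.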
@@ -22,18 +22,35 @@ - name: Install the grafana deb packages apt: name={{ grafana_packages }} state={{ grafana_pkg_state }} update_cache=yes cache_valid_time=1800 - - name: Install the grafana configuration files - ansible.builtin.template: - src: '{{ item }}.j2' - dest: '/etc/grafana/{{ item }}' - mode: 0440 + - name: Install the grafana configuration + ansible.builtin.ini_file: + path: '/etc/grafana/grafana.ini' + section: '{{ item.section }}' + option: '{{ item.option }}' + value: '{{ item.value }}' + state: "{{ item.state | default('present') }}" + mode: '0440' owner: root group: grafana - loop: '{{ grafana_conf_files }}' + loop: '{{ grafana_conf }}' notify: Restart grafana tags: [ 'grafana', 'grafana_conf' ] - - name: Install the grafana LDAP configuration files + - name: Add additional grafana configurations + ansible.builtin.ini_file: + path: '/etc/grafana/grafana.ini' + section: '{{ item.section }}' + option: '{{ item.option }}' + value: '{{ item.value }}' + state: "{{ item.state | default('present') }}" + mode: '0440' + owner: root + group: grafana + loop: '{{ grafana_additional_conf }}' + notify: Restart grafana + tags: [ 'grafana', 'grafana_conf' ] + + - name: Install the grafana LDAP configuration file ansible.builtin.template: src: '{{ item }}.j2' dest: '/etc/grafana/{{ item }}' diff --git a/templates/grafana.ini.j2 b/templates/grafana.ini.j2 index 5d3cfc8..e4f5a06 100644 --- a/templates/grafana.ini.j2 +++ b/templates/grafana.ini.j2 @@ -146,12 +146,82 @@ admin_password = {{ grafana_admin_pwd }} # data source proxy whitelist (ip_or_domain:port separated by spaces) ;data_source_proxy_whitelist = +# set to true if you host Grafana behind HTTPS. default is false. +;cookie_secure = false + +# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled" +;cookie_samesite = lax + +# set to true if you want to allow browsers to render Grafana in a ,
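Review bot: Neither `ini_file` task sets `no_log`, yet the loop passes `grafana_db_password`, `grafana_signing_key` and `grafana_oauth_client_secret` through `item.value`, so every run prints those secrets in the task output and in any saved log or callback; add `no_log: true` to both tasks. The second task is a copy of the first that differs only in `loop`; a single task with `loop: "{{ grafana_conf + grafana_additional_conf }}"` would keep the two in step whenever a field is added. Because grafana.ini is now edited in place rather than rendered, a host whose file came from the old template keeps every option this list does not mention, which is worth a comment on the first task so that operators know stale settings are not cleaned up. The enclosing task list starts before this hunk.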