grafana configuration

intern/docker_grafana/tasks/main.yml

@@ -2,6 +2,7 @@
 
 - include_tasks: ../functions/get_secret.yml
   with_items:
+    - { path: "{{ basedir }}/grafana_secret_key", length: 32 }
     - { path: "{{ basedir }}/grafana_admin_pass", length: 12 }
     - { path: "/srv/mqtt/influxdb_token", length: -1 }
 

intern/docker_grafana/templates/docker-compose.yml

@@ -8,9 +8,6 @@ services:
       - "{{ basedir }}/grafana.ini:/etc/grafana/grafana.ini"
       - "{{ basedir }}/provisioning/:/etc/grafana/provisioning/"
       - "{{ basedir }}/data/:/var/lib/grafana"
-    environment:
-      GF_SERVER_ROOT_URL: "https://{{ domain }}"
-      GF_SECURITY_ADMIN_PASSWORD: "{{ grafana_admin_pass }}"
     labels:
       - traefik.enable=true
       - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)

intern/docker_grafana/templates/grafana.ini

@@ -13,16 +13,16 @@ instance_name = {{ inventory_hostname }}
 #################################### Server ####################################
 [server]
 # Protocol (http, https, socket)
-;protocol = http
+protocol = http
 
 # The ip address to bind to, empty will bind to all interfaces
 ;http_addr =
 
 # The http port  to use
-;http_port = 3000
+http_port = 3000
 
 # The public facing domain name used to access grafana from a browser
-;domain = localhost
+domain = {{ domain }}
 
 # Redirect to correct domain if host header does not match domain
 # Prevents DNS rebinding attacks
@@ -30,7 +30,7 @@ instance_name = {{ inventory_hostname }}
 
 # The full public facing url you use in browser, used for redirects and emails
 # If you use reverse proxy and sub path specify full url (with sub path)
-;root_url = http://localhost:3000
+root_url = https://{{ domain }}
 
 # Log web requests
 ;router_logging = false
@@ -51,14 +51,21 @@ instance_name = {{ inventory_hostname }}
 
 #################################### Security ####################################
 [security]
+
+# disable creation of admin user on first start of grafana
+disable_initial_admin_creation = false
+
 # default admin user, created on startup
-;admin_user = admin
+admin_user = admin
 
 # default admin password, can be changed before first start of grafana,  or in profile settings
-;admin_password = admin
+admin_password = {{ grafana_admin_pass }}
+
+# default admin email, created on startup
+admin_email = admin@localhost
 
 # used for signing
-;secret_key = SW2YcwTIb9zpOOhoPsMm
+secret_key = {{ grafana_secret_key }}
 
 # Auto-login remember days
 ;login_remember_days = 7
@@ -127,6 +134,9 @@ disable_login_form = false
 # Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
 ;disable_signout_menu = false
 
+# Use email lookup in addition to the unique ID provided by the IdP
+oauth_allow_insecure_email_lookup = false
+
 #################################### Anonymous Auth ##########################
 [auth.anonymous]
 # enable anonymous access
@@ -135,10 +145,97 @@ enabled = true
 # specify organization name that should be used for unauthenticated users
 org_name = Main Org.
 
-#################################### Alerting ############################
-[alerting]
-# Disable alerting engine & UI features
+#################################### SMTP / Emailing #####################
+[smtp]
+enabled = false
+;host = localhost:25
+;user =
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+;password =
+;cert_file =
+;key_file =
+;skip_verify = false
+;from_address = admin@grafana.localhost
+;from_name = Grafana
+;ehlo_identity =
+;startTLS_policy =
+;enable_tracing = false
+
+#################################### Logging ##########################
+[log]
+
+# Either "debug", "info", "warn", "error", "critical", default is "info"
+level = debug
+
+#################################### Unified Alerting ####################
+[unified_alerting]
+# Enable the Alerting sub-system and interface.
 enabled = false
-# Makes it possible to turn off alert rule execution but alerting UI is visible
-execute_alerts = false
 
+# Comma-separated list of organization IDs for which to disable unified alerting. Only supported if unified alerting is enabled.
+disabled_orgs =
+
+# Specify the frequency of polling for admin config changes.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+admin_config_poll_interval = 60s
+
+# Specify the frequency of polling for Alertmanager config changes.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+alertmanager_config_poll_interval = 60s
+
+
+# Enable or disable alerting rule execution. The alerting UI remains visible.
+execute_alerts = true
+
+# Alert evaluation timeout when fetching data from the datasource.
+# The timeout string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+evaluation_timeout = 30s
+
+# Number of times we'll attempt to evaluate an alert rule before giving up on that evaluation. The default value is 1.
+max_attempts = 1
+
+# Minimum interval to enforce between rule evaluations. Rules will be adjusted if they are less than this value or if they are not multiple of the scheduler interval (10s). Higher values can help with resource management as we'll schedule fewer evaluations over time.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+min_interval = 10s
+
+# This is an experimental option to add parallelization to saving alert states in the database.
+# It configures the maximum number of concurrent queries per rule evaluated. The default value is 1
+# (concurrent queries per rule disabled).
+max_state_save_concurrency = 1
+
+# If the feature flag 'alertingSaveStatePeriodic' is enabled, this is the interval that is used to persist the alerting instances to the database.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+state_periodic_save_interval = 5m
+
+# Disables the smoothing of alert evaluations across their evaluation window.
+# Rules will evaluate in sync.
+disable_jitter = false
+
+# Retention period for Alertmanager notification log entries.
+notification_log_retention = 5d
+
+# Duration for which a resolved alert state transition will continue to be sent to the Alertmanager.
+resolved_alert_retention = 15m
+
+[unified_alerting.screenshots]
+# Enable screenshots in notifications. You must have either installed the Grafana image rendering
+# plugin, or set up Grafana to use a remote rendering service.
+# For more information on configuration options, refer to [rendering].
+capture = false
+
+# The timeout for capturing screenshots. If a screenshot cannot be captured within the timeout then
+# the notification is sent without a screenshot. The maximum duration is 30 seconds. This timeout
+# should be less than the minimum Interval of all Evaluation Groups to avoid back pressure on alert
+# rule evaluation.
+capture_timeout = 10s
+
+# The maximum number of screenshots that can be taken at the same time. This option is different from
+# concurrent_render_request_limit as max_concurrent_screenshots sets the number of concurrent screenshots
+# that can be taken at the same time for all firing alerts where as concurrent_render_request_limit sets
+# the total number of concurrent screenshots across all Grafana services.
+max_concurrent_screenshots = 5
+
+# Uploads screenshots to the local Grafana server or remote storage such as Azure, S3 and GCS. Please
+# see [external_image_storage] for further configuration options. If this option is false then
+# screenshots will be persisted to disk for up to temp_data_lifetime.
+upload_external_image_storage = false

testserver/docker_grafana/tasks/main.yml

@@ -2,6 +2,7 @@
 
 - include_tasks: ../functions/get_secret.yml
   with_items:
+    - { path: "{{ basedir }}/grafana_secret_key", length: 32 }
     - { path: "{{ basedir }}/secrets/grafana_admin_pass", length: 12 }
     - { path: "{{ basedir }}/secrets/oauth_client_secret", length: 32 }
 #    - { path: "/srv/mqtt/influxdb_token", length: -1 }

testserver/docker_grafana/templates/docker-compose.yml

@@ -6,12 +6,8 @@ services:
     restart: always
     volumes:
       - "{{ basedir }}/grafana.ini:/etc/grafana/grafana.ini"
+      - "{{ basedir }}/provisioning/:/etc/grafana/provisioning/"
       - "{{ basedir }}/data/:/var/lib/grafana"
-    environment:
-      GF_SERVER_ROOT_URL: "https://{{ domain }}"
-      GF_SECURITY_ADMIN_PASSWORD: "{{ grafana_admin_pass }}"
-      GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP: "true"
-      GF_LOG_LEVEL: "debug"
     labels:
       - traefik.enable=true
       - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)

testserver/docker_grafana/templates/grafana.ini

@@ -13,16 +13,16 @@ instance_name = {{ inventory_hostname }}
 #################################### Server ####################################
 [server]
 # Protocol (http, https, socket)
-;protocol = http
+protocol = http
 
 # The ip address to bind to, empty will bind to all interfaces
 ;http_addr =
 
 # The http port  to use
-;http_port = 3000
+http_port = 3000
 
 # The public facing domain name used to access grafana from a browser
-;domain = localhost
+domain = {{ domain }}
 
 # Redirect to correct domain if host header does not match domain
 # Prevents DNS rebinding attacks
@@ -30,7 +30,7 @@ instance_name = {{ inventory_hostname }}
 
 # The full public facing url you use in browser, used for redirects and emails
 # If you use reverse proxy and sub path specify full url (with sub path)
-;root_url = http://localhost:3000
+root_url = https://{{ domain }}
 
 # Log web requests
 ;router_logging = false
@@ -51,14 +51,21 @@ instance_name = {{ inventory_hostname }}
 
 #################################### Security ####################################
 [security]
+
+# disable creation of admin user on first start of grafana
+disable_initial_admin_creation = false
+
 # default admin user, created on startup
-;admin_user = admin
+admin_user = admin
 
 # default admin password, can be changed before first start of grafana,  or in profile settings
-;admin_password = admin
+admin_password = {{ grafana_admin_pass }}
+
+# default admin email, created on startup
+admin_email = admin@localhost
 
 # used for signing
-;secret_key = SW2YcwTIb9zpOOhoPsMm
+secret_key = {{ grafana_secret_key }}
 
 # Auto-login remember days
 ;login_remember_days = 7
@@ -117,6 +124,7 @@ login_hint = Fallback account
 default_theme = dark
 
 [auth]
+
 # Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
 ;disable_login_form = false
 disable_login_form = true
@@ -127,6 +135,8 @@ oauth_auto_login = true
 # Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
 ;disable_signout_menu = false
 
+# Use email lookup in addition to the unique ID provided by the IdP
+oauth_allow_insecure_email_lookup = false
 
 #################################### Anonymous Auth ##########################
 [auth.anonymous]
@@ -167,11 +177,98 @@ skip_org_role_sync = false
 allow_assign_grafana_admin = true
 role_attribute_path = contains(groups[*], 'grafana_admin') && 'GrafanaAdmin' || 'Editor'
 
-
-#################################### Alerting ############################
-[alerting]
-# Disable alerting engine & UI features
+#################################### SMTP / Emailing #####################
+[smtp]
+enabled = false
+;host = localhost:25
+;user =
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+;password =
+;cert_file =
+;key_file =
+;skip_verify = false
+;from_address = admin@grafana.localhost
+;from_name = Grafana
+;ehlo_identity =
+;startTLS_policy =
+;enable_tracing = false
+
+#################################### Logging ##########################
+[log]
+
+# Either "debug", "info", "warn", "error", "critical", default is "info"
+level = debug
+
+#################################### Unified Alerting ####################
+[unified_alerting]
+# Enable the Alerting sub-system and interface.
 enabled = false
-# Makes it possible to turn off alert rule execution but alerting UI is visible
-execute_alerts = false
+
+# Comma-separated list of organization IDs for which to disable unified alerting. Only supported if unified alerting is enabled.
+disabled_orgs =
+
+# Specify the frequency of polling for admin config changes.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+admin_config_poll_interval = 60s
+
+# Specify the frequency of polling for Alertmanager config changes.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+alertmanager_config_poll_interval = 60s
+
+
+# Enable or disable alerting rule execution. The alerting UI remains visible.
+execute_alerts = true
+
+# Alert evaluation timeout when fetching data from the datasource.
+# The timeout string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+evaluation_timeout = 30s
+
+# Number of times we'll attempt to evaluate an alert rule before giving up on that evaluation. The default value is 1.
+max_attempts = 1
+
+# Minimum interval to enforce between rule evaluations. Rules will be adjusted if they are less than this value or if they are not multiple of the scheduler interval (10s). Higher values can help with resource management as we'll schedule fewer evaluations over time.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+min_interval = 10s
+
+# This is an experimental option to add parallelization to saving alert states in the database.
+# It configures the maximum number of concurrent queries per rule evaluated. The default value is 1
+# (concurrent queries per rule disabled).
+max_state_save_concurrency = 1
+
+# If the feature flag 'alertingSaveStatePeriodic' is enabled, this is the interval that is used to persist the alerting instances to the database.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+state_periodic_save_interval = 5m
+
+# Disables the smoothing of alert evaluations across their evaluation window.
+# Rules will evaluate in sync.
+disable_jitter = false
+
+# Retention period for Alertmanager notification log entries.
+notification_log_retention = 5d
+
+# Duration for which a resolved alert state transition will continue to be sent to the Alertmanager.
+resolved_alert_retention = 15m
+
+[unified_alerting.screenshots]
+# Enable screenshots in notifications. You must have either installed the Grafana image rendering
+# plugin, or set up Grafana to use a remote rendering service.
+# For more information on configuration options, refer to [rendering].
+capture = false
+
+# The timeout for capturing screenshots. If a screenshot cannot be captured within the timeout then
+# the notification is sent without a screenshot. The maximum duration is 30 seconds. This timeout
+# should be less than the minimum Interval of all Evaluation Groups to avoid back pressure on alert
+# rule evaluation.
+capture_timeout = 10s
+
+# The maximum number of screenshots that can be taken at the same time. This option is different from
+# concurrent_render_request_limit as max_concurrent_screenshots sets the number of concurrent screenshots
+# that can be taken at the same time for all firing alerts where as concurrent_render_request_limit sets
+# the total number of concurrent screenshots across all Grafana services.
+max_concurrent_screenshots = 5
+
+# Uploads screenshots to the local Grafana server or remote storage such as Azure, S3 and GCS. Please
+# see [external_image_storage] for further configuration options. If this option is false then
+# screenshots will be persisted to disk for up to temp_data_lifetime.
+upload_external_image_storage = false