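---
# Deploys Grafana OSS as a Docker container on the lotus-land-story host:
# creates a service user and config directories, renders grafana.ini
# (Authelia OIDC login + SendGrid SMTP), provisions a Prometheus datasource,
# and starts the container on the lotus_land_story network.
- name: Set up Grafana
  hosts: lotus-land-story
  vars_files:
    # Supplies `domain` and the `grafana.*` secrets used below.
    # NOTE(review): presumably encrypted with Ansible Vault; confirm.
    - vars.yml
  vars:
    # Quoted so the tag is always treated as a string.
    version: "11.2.1"
  tasks:
    - name: Grafana user
      ansible.builtin.user:
        name: grafana
      register: grafana_user

    - name: Create Grafana dir
      ansible.builtin.file:
        path: "/mnt/lotus-land-story/grafana/provisioning/{{ item }}"
        state: directory
        mode: "0755"
        owner: "{{ grafana_user.name }}"
      loop:
        - datasources

    # Security review notes for the rendered grafana.ini:
    # - The file embeds the OAuth client secret and the SMTP password. It is
    #   written 0600 and owned by the grafana user; no_log keeps the rendered
    #   content out of --diff and verbose output for this task.
    # - oauth_allow_insecure_email_lookup = true lets an OAuth login attach to
    #   an existing Grafana account by e-mail address alone. That is only safe
    #   while every configured identity provider is trusted to assert e-mail
    #   addresses; prefer false once accounts are linked to Authelia.
    # - role_attribute_path falls back to 'Viewer', so every user Authelia
    #   authenticates for this client gets read access; restrict access in
    #   Authelia's policy or set role_attribute_strict if that is not intended.
    # - allow_assign_grafana_admin only has an effect if role_attribute_path
    #   can return 'GrafanaAdmin'; the expression below never does.
    # - Grafana's ini parser treats '#' and ';' as comment starts; a secret
    #   containing either needs triple-quoting in the ini value.
    - name: Configure Grafana
      ansible.builtin.copy:
        dest: /mnt/lotus-land-story/grafana/grafana.ini
        content: |
          [log]
          # level = debug

          [metrics]
          enabled = true
          disable_total_stats = false

          [server]
          domain = grafana.{{ domain }}
          http_addr = 0.0.0.0
          root_url = https://grafana.{{ domain }}

          # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication
          [auth]
          oauth_allow_insecure_email_lookup = true
          disable_signout_menu = true

          # https://www.authelia.com/integration/openid-connect/grafana/
          [auth.generic_oauth]
          enabled = true
          name = Authelia
          icon = signin
          client_id = grafana
          client_secret = {{ grafana.oauth_secret }}
          scopes = openid profile email groups
          empty_scopes = false
          auth_url = https://auth.{{ domain }}/api/oidc/authorization
          token_url = https://auth.{{ domain }}/api/oidc/token
          api_url = https://auth.{{ domain }}/api/oidc/userinfo
          login_attribute_path = preferred_username
          groups_attribute_path = groups
          name_attribute_path = name
          use_pkce = true
          auto_login = true
          role_attribute_path = contains(groups, 'admin') && 'Admin' || contains(groups, 'editor') && 'Editor' || 'Viewer'
          allow_assign_grafana_admin = true

          [smtp]
          enabled = true
          host = smtp.sendgrid.net:465
          user = apikey
          password = {{ grafana.smtp_password }}
          from_address = grafana@kejadlen.dev
        mode: "0600"
        owner: "{{ grafana_user.name }}"
      no_log: true

    # Datasource definition holds no credentials, so it is world-readable.
    # The URL is plain HTTP to the `prometheus` name, with access: proxy so
    # the Grafana server, not the browser, makes the requests.
    - name: Provision Prometheus
      ansible.builtin.copy:
        dest: /mnt/lotus-land-story/grafana/provisioning/datasources/prometheus.yml
        content: |
          apiVersion: 1

          datasources:
            - name: Prometheus
              type: prometheus
              # Access mode - proxy (server in the UI) or direct (browser in the UI).
              access: proxy
              url: http://prometheus:9090
              jsonData:
                httpMethod: POST
                manageAlerts: true
                prometheusType: Prometheus
                prometheusVersion: 2.37.0
        mode: "0644"

    - name: Create Grafana volume
      community.docker.docker_volume:
        name: grafana

    # Supply-chain notes:
    # - The image is pinned by tag only; pin by digest if the registry tag
    #   must not be able to change underneath this playbook.
    # - GF_INSTALL_PLUGINS fetches a "-latest" zip from a storage bucket when
    #   the container starts, so the plugin code is unpinned and may differ
    #   between restarts. Prefer a versioned artifact whose checksum has been
    #   reviewed.
    # No ports are published here; Grafana listens on 0.0.0.0 inside the
    # container and is reachable only over the lotus_land_story network.
    - name: Run Grafana
      community.docker.docker_container:
        name: grafana
        image: "grafana/grafana-oss:{{ version }}"
        volumes:
          - /mnt/lotus-land-story/grafana/grafana.ini:/etc/grafana/grafana.ini
          - /mnt/lotus-land-story/grafana/provisioning:/etc/grafana/provisioning
          - grafana:/var/lib/grafana
        env:
          GF_INSTALL_PLUGINS: "https://storage.googleapis.com/integration-artifacts/grafana-lokiexplore-app/grafana-lokiexplore-app-latest.zip;grafana-lokiexplore-app"
        restart_policy: unless-stopped
        networks:
          - name: lotus_land_story
        etc_hosts:
          host.docker.internal: host-gateway
        # Run as the unprivileged grafana host user so bind-mounted files
        # owned by that user are readable inside the container.
        user: "{{ grafana_user.uid }}"

# vim: ft=yaml.ansible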