diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -3076,10 +3076,6 @@ # Must have a matching certificate in letsencrypt::certificates grafana::vhost::name: grafana.softwareheritage.org -grafana::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" -grafana::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" -grafana::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" -grafana::vhost::hsts_header: "%{hiera('apache::hsts_header')}" grafana::config: app_mode: production
diff --git a/data/hostname/pergamon.softwareheritage.org.yaml b/data/hostname/pergamon.softwareheritage.org.yaml
--- a/data/hostname/pergamon.softwareheritage.org.yaml
+++ b/data/hostname/pergamon.softwareheritage.org.yaml
@@ -52,7 +52,6 @@ systemd_journal::role: collector - users: jenkins-push-docs: uid: 3000
diff --git a/site-modules/profile/manifests/grafana.pp b/site-modules/profile/manifests/grafana.pp
deleted file mode 100644
--- a/site-modules/profile/manifests/grafana.pp
+++ /dev/null
@@ -1,30 +0,0 @@
-class profile::grafana {
- $db = lookup('grafana::db::database')
- $db_username = lookup('grafana::db::username')
- $db_password = lookup('grafana::db::password')
-
- $config = lookup('grafana::config')
-
- include ::postgresql::server
-
- ::postgresql::server::db {$db:
- user => $db_username,
- password => postgresql::postgresql_password($db_username, $db_password),
- }
-
- class {'::grafana':
- install_method => 'repo',
- cfg => $config + {
- database => {
- type => 'postgres',
- host => '127.0.0.1:5432',
- name => $db,
- user => $db_username,
- password => $db_password
- }
- }
- }
-
- contain profile::grafana::vhost
- contain profile::grafana::objects
-}
diff --git a/site-modules/profile/manifests/grafana/vhost.pp b/site-modules/profile/manifests/grafana/vhost.pp
deleted file mode 100644
--- a/site-modules/profile/manifests/grafana/vhost.pp
+++ /dev/null
@@ -1,109 +0,0 @@
-# Apache virtual host for grafana
-
-class profile::grafana::vhost {
- include ::profile::apache::common
- include ::apache::mod::proxy
- include ::profile::apache::mod_proxy_wstunnel
-
- $grafana_vhost_name = lookup('grafana::vhost::name')
- $grafana_vhost_docroot = '/var/www/html'
- $grafana_vhost_ssl_protocol = lookup('grafana::vhost::ssl_protocol')
- $grafana_vhost_ssl_honorcipherorder = lookup('grafana::vhost::ssl_honorcipherorder')
- $grafana_vhost_ssl_cipher = lookup('grafana::vhost::ssl_cipher')
- $grafana_vhost_hsts_header = lookup('grafana::vhost::hsts_header')
- $grafana_upstream_port = lookup('grafana::backend::port')
- $grafana_backend_url = "http://127.0.0.1:${grafana_upstream_port}/"
- $grafana_websocket_url = "ws://127.0.0.1:${grafana_upstream_port}/api/live/"
-
- ::apache::vhost {"${grafana_vhost_name}_non-ssl":
- servername => $grafana_vhost_name,
- port => '80',
- docroot => $grafana_vhost_docroot,
- manage_docroot => false, # will be managed by the SSL resource
- redirect_status => 'permanent',
- redirect_dest => "https://${grafana_vhost_name}/",
- }
-
- ::profile::letsencrypt::certificate {$grafana_vhost_name:}
- $cert_paths = ::profile::letsencrypt::certificate_paths($grafana_vhost_name)
-
- ::apache::vhost {"${grafana_vhost_name}_ssl":
- servername => $grafana_vhost_name,
- port => '443',
- ssl => true,
- ssl_protocol => $grafana_vhost_ssl_protocol,
- ssl_honorcipherorder => $grafana_vhost_ssl_honorcipherorder,
- ssl_cipher => $grafana_vhost_ssl_cipher,
- ssl_cert => $cert_paths['cert'],
- ssl_chain => $cert_paths['chain'],
- ssl_key => $cert_paths['privkey'],
- headers => [$grafana_vhost_hsts_header],
- docroot => $grafana_vhost_docroot,
- manage_docroot => false,
- proxy_pass => [
- { path => '/api/live/',
- url => $grafana_websocket_url,
- reverse_urls => [],
- },
- { path => '/',
- url => $grafana_backend_url,
- },
- ],
- require => [
- File[$ssl_cert],
- File[$ssl_chain],
- File[$ssl_key],
- ],
- }
-
- 
File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service']
-
- $icinga_checks_file = lookup('icinga2::exported_checks::filename')
-
- @@::icinga2::object::service {"grafana http redirect on ${::fqdn}":
- service_name => 'grafana http redirect',
- import => ['generic-service'],
- host_name => $::fqdn,
- check_command => 'http',
- vars => {
- http_address => $grafana_vhost_name,
- http_vhost => $grafana_vhost_name,
- http_uri => '/',
- },
- target => $icinga_checks_file,
- tag => 'icinga2::exported',
- }
-
- @@::icinga2::object::service {"grafana https on ${::fqdn}":
- service_name => 'grafana https',
- import => ['generic-service'],
- host_name => $::fqdn,
- check_command => 'http',
- vars => {
- http_address => $grafana_vhost_name,
- http_vhost => $grafana_vhost_name,
- http_ssl => true,
- http_sni => true,
- http_uri => '/login',
- http_string => 'Grafana',
- },
- target => $icinga_checks_file,
- tag => 'icinga2::exported',
- }
-
- @@::icinga2::object::service {"grafana https certificate ${::fqdn}":
- service_name => 'grafana https certificate',
- import => ['generic-service'],
- host_name => $::fqdn,
- check_command => 'http',
- vars => {
- http_address => $grafana_vhost_name,
- http_vhost => $grafana_vhost_name,
- http_ssl => true,
- http_sni => true,
- http_certificate => 25,
- },
- target => $icinga_checks_file,
- tag => 'icinga2::exported',
- }
-}
diff --git a/site-modules/role/manifests/swh_sysadmin.pp b/site-modules/role/manifests/swh_sysadmin.pp
--- a/site-modules/role/manifests/swh_sysadmin.pp
+++ b/site-modules/role/manifests/swh_sysadmin.pp
@@ -1,6 +1,5 @@ class role::swh_sysadmin inherits role::swh_server { include profile::prometheus::server - include profile::grafana include profile::prometheus::sql