grafana.yml

---
- name: Configure Grafana
  remote_user: ansible
  become: true
  hosts: grafana
  vars_files:
  - vault.yml

  tasks:
  - import_role:
      name: ansible-grafana
    tags:
    - monitoring
    - grafana
    vars:
      grafana_provisioning_synced: true
      grafana_security:
        admin_password: "'{{ vault_grafana_admin_password }}'"
        admin_user: admin
      grafana_server:
        cert_file: /etc/pki/tls/certs/{{ ansible_fqdn }}.pem
        cert_key: /etc/pki/tls/private/{{ ansible_fqdn }}.key
        enable_gzip: true
        enforce_domain: false
        protocol: https
        router_logging: false
        serve_from_sub_path: false
        socket: ''
        static_root_path: public

  # Admin password doesn't always set properly within the role (and leaves it in plaintext in the config file)...
  - name: Set Grafana Admin password
    command: grafana-cli admin reset-admin-password '{{ vault_grafana_admin_password }}'
    changed_when: false

  - name: Open Grafana firewall port
    tags:
    - monitoring
    - prometheus
    firewalld:
      port: '3000/tcp'
      immediate: yes
      permanent: yes
      state: enabled