diff --git a/ec2.yml b/ec2.yml
index 30744ff..514f410 100644
--- a/ec2.yml
+++ b/ec2.yml
@@ -22,6 +22,17 @@
- role: backups
vars:
backups_outdir: "/cold/backups"
+ - role: grafana
+ vars:
+ grafana_mysql_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 61633935373834353866366136316162633638646433343262313537396361393130393733373933
+ 3634316136636163343231613263633163376433316433330a353261643937326565373265303739
+ 39383363653038333235346332653662323836363039613530396333666332343462633935376466
+ 6163383865656534310a636361336333303637356661633231313737303830396366636462343534
+ 34653832353237633336316538356230653033656137323536313833616364356631
+ grafana_url: "monitor.9iron.club"
+ grafana_webroot: "/var/www/grafana"
- role: gitea
vars:
gitea_mysql_password: !vault |
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
new file mode 100644
index 0000000..ddfac5c
--- /dev/null
+++ b/roles/grafana/tasks/main.yml
@@ -0,0 +1,74 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: Install, configure, and start Grafana
+ block:
+ - name: Create and configure DB
+ block:
+ - name: Create DB
+ mysql_db:
+ name: grafana
+ login_user: root
+ login_password: "{{ mysql_root_password }}"
+ state: present
+ - name: Create user
+ mysql_user:
+ name: grafana
+ host: localhost
+ password: "{{ grafana_mysql_password }}"
+ priv: "grafana.*:ALL,GRANT"
+ login_user: root
+ login_password: "{{ mysql_root_password }}"
+ - name: Set up Apache
+ block:
+ - name: Enable modules
+ command:
+ cmd: a2enmod "{{ item }}"
+ creates: "/etc/apache2/mods-enabled/{{ item }}.load"
+ loop:
+ - proxy
+ - proxy_http
+ notify: restart apache
+ - name: Template out vhost
+ template:
+ src: "apache2-vhost-ssl.conf"
+ dest: "/etc/apache2/sites-available/{{ grafana_url }}.conf"
+ notify: restart apache
+ - name: Create webroot
+ file:
+ state: directory
+ path: "{{ grafana_webroot }}"
+ - name: Enable site
+ command:
+ cmd: "a2ensite {{ grafana_url }}.conf"
+ creates: "/etc/apache2/sites-enabled/{{ grafana_url }}.conf"
+ notify: restart apache
+ - name: Generate certificate
+ include_role:
+ name: https
+ vars:
+ website_url: "{{ grafana_url }}"
+ - name: Add and configure packages
+ block:
+ - name: Add APT signing key
+ apt_key:
+ url: "https://packages.grafana.com/gpg.key"
+ - name: Add APT repo
+ apt_repository:
+ repo: "deb https://packages.grafana.com/oss/deb stable main"
+ - name: Install Grafana
+ apt:
+ name:
+ - grafana
+ - name: Configure Grafana
+ template:
+ src: "grafana.ini"
+ dest: "/etc/grafana/grafana.ini"
+ mode: "0640"
+ - name: Enable Grafana
+ systemd:
+ daemon_reload: yes
+ name: "grafana-server.service"
+ enabled: yes
+ state: "started"
+ become: yes
diff --git a/roles/grafana/templates/apache2-vhost-ssl.conf b/roles/grafana/templates/apache2-vhost-ssl.conf
new file mode 100644
index 0000000..9397bcd
--- /dev/null
+++ b/roles/grafana/templates/apache2-vhost-ssl.conf
@@ -0,0 +1,33 @@
+# Configuration for {{ grafana_url }}
+# vim:ft=apache:
+
+# Accept connections from non-SNI clients
+SSLStrictSNIVHostCheck off
+# Need this for SSL proxying, apparently
+SSLProxyEngine on
+
+# Website configuration
+
+ ServerName {{ grafana_url }}
+ Redirect permanent / https://{{ grafana_url }}
+
+
+ SSLEngine on
+ SSLCertificateFile /etc/pki/cert/crt/{{ grafana_url }}.crt
+ SSLCertificateKeyFile /etc/pki/cert/private/{{ grafana_url }}.key
+ SSLCertificateChainFile /etc/pki/cert/crt/{{ grafana_url }}-fullchain.crt
+ ServerName {{ grafana_url }}
+ DocumentRoot {{ grafana_webroot }}
+
+ Require all granted
+ AllowOverride All
+ Options MultiViews FollowSymlinks
+
+ ProxyPreserveHost On
+ ProxyRequests Off
+ ProxyPass / http://127.0.0.1:3001/ nocanon retry=1
+ ProxyPassReverse / https://127.0.0.1:3001/
+
+ RequestHeader set X_FORWARDED_PROTO 'https'
+ RequestHeader set X-Forwarded-Ssl on
+
diff --git a/roles/grafana/templates/grafana.ini b/roles/grafana/templates/grafana.ini
new file mode 100644
index 0000000..95cc4a9
--- /dev/null
+++ b/roles/grafana/templates/grafana.ini
@@ -0,0 +1,714 @@
+##################### Grafana Configuration Example #####################
+#
+# Everything has defaults so you only need to uncomment things you want to
+# change
+
+# possible values : production, development
+;app_mode = production
+
+# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
+;instance_name = ${HOSTNAME}
+
+#################################### Paths ####################################
+[paths]
+# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
+;data = /var/lib/grafana
+
+# Temporary files in `data` directory older than given duration will be removed
+;temp_data_lifetime = 24h
+
+# Directory where grafana can store logs
+;logs = /var/log/grafana
+
+# Directory where grafana will automatically scan and look for plugins
+;plugins = /var/lib/grafana/plugins
+
+# folder that contains provisioning config files that grafana will apply on startup and while running.
+;provisioning = conf/provisioning
+
+#################################### Server ####################################
+[server]
+# Protocol (http, https, h2, socket)
+protocol = http
+
+# The ip address to bind to, empty will bind to all interfaces
+http_addr =
+
+# The http port to use
+http_port = 3001
+
+# The public facing domain name used to access grafana from a browser
+;domain = localhost
+
+# Redirect to correct domain if host header does not match domain
+# Prevents DNS rebinding attacks
+;enforce_domain = false
+
+# The full public facing url you use in browser, used for redirects and emails
+# If you use reverse proxy and sub path specify full url (with sub path)
+;root_url = %(protocol)s://%(domain)s:%(http_port)s/
+
+# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
+;serve_from_sub_path = false
+
+# Log web requests
+;router_logging = false
+
+# the path relative working path
+;static_root_path = public
+
+# enable gzip
+;enable_gzip = false
+
+# https certs & key file
+;cert_file =
+;cert_key =
+
+# Unix socket path
+;socket =
+
+#################################### Database ####################################
+[database]
+# You can configure the database connection by specifying type, host, name, user and password
+# as separate properties or as on string using the url properties.
+
+# Either "mysql", "postgres" or "sqlite3", it's your choice
+type = mysql
+host = 127.0.0.1:3306
+name = grafana
+user = grafana
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+password = {{ grafana_mysql_password }}
+
+# Use either URL or the previous fields to configure the database
+# Example: mysql://user:secret@host:port/database
+;url =
+
+# For "postgres" only, either "disable", "require" or "verify-full"
+;ssl_mode = disable
+
+;ca_cert_path =
+;client_key_path =
+;client_cert_path =
+;server_cert_name =
+
+# For "sqlite3" only, path relative to data_path setting
+;path = grafana.db
+
+# Max idle conn setting default is 2
+;max_idle_conn = 2
+
+# Max conn setting default is 0 (mean not set)
+;max_open_conn =
+
+# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
+;conn_max_lifetime = 14400
+
+# Set to true to log the sql calls and execution times.
+;log_queries =
+
+# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
+;cache_mode = private
+
+#################################### Cache server #############################
+[remote_cache]
+# Either "redis", "memcached" or "database" default is "database"
+;type = database
+
+# cache connectionstring options
+# database: will use Grafana primary database.
+# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=0,ssl=false`. Only addr is required. ssl may be 'true', 'false', or 'insecure'.
+# memcache: 127.0.0.1:11211
+;connstr =
+
+#################################### Data proxy ###########################
+[dataproxy]
+
+# This enables data proxy logging, default is false
+;logging = false
+
+# How long the data proxy should wait before timing out default is 30 (seconds)
+;timeout = 30
+
+# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
+;send_user_header = false
+
+#################################### Analytics ####################################
+[analytics]
+# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
+# No ip addresses are being tracked, only simple counters to track
+# running instances, dashboard and error counts. It is very helpful to us.
+# Change this option to false to disable reporting.
+;reporting_enabled = true
+
+# Set to false to disable all checks to https://grafana.net
+# for new vesions (grafana itself and plugins), check is used
+# in some UI views to notify that grafana or plugin update exists
+# This option does not cause any auto updates, nor send any information
+# only a GET request to http://grafana.com to get latest versions
+;check_for_updates = true
+
+# Google Analytics universal tracking code, only enabled if you specify an id here
+;google_analytics_ua_id =
+
+# Google Tag Manager ID, only enabled if you specify an id here
+;google_tag_manager_id =
+
+#################################### Security ####################################
+[security]
+# disable creation of admin user on first start of grafana
+;disable_initial_admin_creation = false
+
+# default admin user, created on startup
+;admin_user = admin
+
+# default admin password, can be changed before first start of grafana, or in profile settings
+;admin_password = admin
+
+# used for signing
+;secret_key = SW2YcwTIb9zpOOhoPsMm
+
+# disable gravatar profile images
+;disable_gravatar = false
+
+# data source proxy whitelist (ip_or_domain:port separated by spaces)
+;data_source_proxy_whitelist =
+
+# disable protection against brute force login attempts
+;disable_brute_force_login_protection = false
+
+# set to true if you host Grafana behind HTTPS. default is false.
+;cookie_secure = false
+
+# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
+;cookie_samesite = lax
+
+# set to true if you want to allow browsers to render Grafana in a ,