modules: Add prometheus and grafana modules

These are really stubs, and need some more testing and integration, but
there were some people who expressed interest in this, so let's push it
early.

modules/grafana/files/ldap.toml

@@ -0,0 +1,74 @@
+# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
+# [log]
+# filters = ldap:debug
+
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "127.0.0.1"
+# Default port is 389 or 636 if use_ssl = true
+port = 389
+# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
+use_ssl = false
+# If set to true, use LDAP with STARTTLS instead of LDAPS
+start_tls = false
+# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_AES_256_GCM_SHA384"])
+# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.go
+tls_ciphers = []
+# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1, TLS1.2, TLS1.3.
+min_tls_version = ""
+# set to true if you want to skip ssl cert validation
+ssl_skip_verify = false
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"
+
+# Search user bind dn
+bind_dn = "cn=admin,dc=grafana,dc=org"
+# Search user bind password
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+bind_password = 'grafana'
+# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
+# bind_password = '$__env{LDAP_BIND_PASSWORD}'
+
+# Timeout in seconds (applies to each host specified in the 'host' entry (space separated))
+timeout = 10
+
+# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
+search_filter = "(cn=%s)"
+
+# An array of base dns to search through
+search_base_dns = ["dc=grafana,dc=org"]
+
+## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
+## Please check grafana LDAP docs for examples
+# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
+# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
+# group_search_filter_user_attribute = "uid"
+
+# Specify names of the ldap attributes your ldap uses
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "cn"
+member_of = "memberOf"
+email =  "email"
+
+# Map ldap groups to grafana org roles
+[[servers.group_mappings]]
+group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
+org_role = "Admin"
+# To make user an instance admin  (Grafana Admin) uncomment line below
+# grafana_admin = true
+# The Grafana organization database id, optional, if left out the default org (id 1) will be used
+# org_id = 1
+
+[[servers.group_mappings]]
+group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"
+org_role = "Editor"
+
+[[servers.group_mappings]]
+# If you want to match all (or no ldap groups) then you can use wildcard
+group_dn = "*"
+org_role = "Viewer"

modules/grafana/files/prometheus.yaml.tmpl

@@ -0,0 +1,29 @@
+apiVersion: 1
+
+#deleteDatasources:
+#  - name: "{{ .name }}"
+#    orgId: 1
+
+# Mark provisioned data sources for deletion if they are no longer in a provisioning file.
+# It takes no effect if data sources are already listed in the deleteDatasources section.
+prune: true
+
+datasources:
+{{ if .comment -}}
+#
+#	{{ .comment }}
+#
+{{ end }}
+  - name: "{{ .name }}"
+    type: prometheus
+    access: proxy
+    # Access mode - proxy (server in the UI) or direct (browser in the UI).
+    url: "{{ .url }}"
+    jsonData:
+      httpMethod: POST
+      manageAlerts: true
+      prometheusType: Prometheus
+      #prometheusVersion: 2.44.0
+      #cacheLevel: 'High'
+      #disableRecordingRules: false
+      #incrementalQueryOverlapWindow: 10m

modules/grafana/main.mcl

@@ -0,0 +1,85 @@
+import "deploy"
+import "golang"
+
+class server() {
+	pkg "grafana" { # on fedora
+		state => "installed",
+	}
+
+	file "/etc/grafana/" {
+		state => $const.res.file.state.exists,
+		#recurse => true,
+		#purge => true,
+		owner => "root",
+		group => "grafana",
+		mode => "u=rwx,g=rx,o=", # dir
+	}
+
+	file "/etc/grafana/ldap.toml" {
+		state => $const.res.file.state.exists,
+		content => deploy.readfile("/files/ldap.toml"), # XXX: eventually template
+		owner => "root",
+		group => "grafana",
+		mode => "u=rw,g=r,o=",
+
+		Notify => Svc["grafana-server"],
+	}
+
+	file "/etc/grafana/grafana.ini" {
+		state => $const.res.file.state.exists,
+		content => golang.template(deploy.readfile("/files/grafana.ini.tmpl")),
+		owner => "root",
+		group => "grafana",
+		mode => "u=rw,g=r,o=",
+
+		Notify => Svc["grafana-server"],
+	}
+
+	file "/etc/grafana/provisioning/" {
+		state => $const.res.file.state.exists,
+		#recurse => true,
+		#purge => true,
+		owner => "root",
+		group => "grafana",
+		mode => "u=rwx,g=rx,o=", # dir
+	}
+
+
+	svc "grafana-server" {
+		state => "running",
+		startup => "enabled",
+	}
+}
+
+class server:prometheus_base() {
+
+	file "/etc/grafana/provisioning/datasources/" {
+		state => $const.res.file.state.exists,
+		recurse => true,
+		purge => true,
+		owner => "root",
+		group => "grafana",
+		mode => "u=rwx,g=rx,o=", # dir
+	}
+}
+
+# XXX: if selinux is enabled, this wasn't connecting!
+class server:prometheus($name, $st) {
+	include prometheus_base
+
+	$url = $st->url || "http://localhost:9090"
+	$comment = $st->comment || ""
+
+	$tmpl = struct{
+		name => "${name}",
+		url => "${url}",
+		comment => "${comment}",
+	}
+	file "/etc/grafana/provisioning/datasources/${name}.yaml" {
+		state => $const.res.file.state.exists,
+		content => golang.template(deploy.readfile("/files/prometheus.yaml.tmpl"), $tmpl),
+		owner => "root",
+		group => "grafana",
+		mode => "u=rw,g=r,o=",
+	}
+}