docs: rewrite README with structured overview and quick start guide

Replaces the minimal project description with a comprehensive README including a component overview table, quick start instructions, common Ansible operations, and links to detailed documentation. Aligns with Red Panda Approval™ standards.
2026-03-03 12:49:06 +00:00
parent c7be03a743
commit b4d60f2f38
219 changed files with 34586 additions and 2 deletions
--- a/ansible/grafana/dashboards/puck_containers.json
+++ b/ansible/grafana/dashboards/puck_containers.json
--- a/ansible/grafana/dashboards/puck_processes.json
+++ b/ansible/grafana/dashboards/puck_processes.json
--- a/ansible/grafana/datasource.yml.j2
+++ b/ansible/grafana/datasource.yml.j2
@@ -0,0 +1,15 @@
+apiVersion: 1
+datasources:
+  - name: {{prometheus_datasource_name}}
+    type: prometheus
+    access: proxy
+    url: http://{{prometheus_host}}:{{prometheus_port}}
+    isDefault: true
+    editable: false
+    uid: {{prometheus_datasource_uid}}
+  - name: {{loki_datasource_name}}
+    type: loki
+    access: proxy
+    url: http://{{loki_host}}:{{loki_port}}
+    editable: false
+    uid: {{loki_datasource_uid}}
--- a/ansible/grafana/deploy.yml
+++ b/ansible/grafana/deploy.yml
@@ -0,0 +1,113 @@
+---
+- name: Deploy Grafana
+  hosts: ubuntu
+  become: true
+  tasks:
+  - name: Check if host has grafana service
+    ansible.builtin.set_fact:
+      has_grafana_service: "{{'grafana' in services}}"
+
+  - name: Skip hosts without grafana service
+    ansible.builtin.meta: end_host
+    when: not has_grafana_service
+
+  - name: Add Grafana repository
+    ansible.builtin.deb822_repository:
+      name: grafana
+      types: [deb]
+      uris: https://apt.grafana.com
+      suites: [stable]
+      components: [main]
+      signed_by: https://apt.grafana.com/gpg.key
+      state: present
+
+  - name: Install Grafana
+    become: true
+    ansible.builtin.apt:
+      name: grafana
+      state: present
+      update_cache: true
+
+  - name: Create provisioning directories
+    become: true
+    ansible.builtin.file:
+      path: "{{item}}"
+      state: directory
+      owner: grafana
+      group: grafana
+      mode: '750'
+    loop:
+      - /etc/grafana/provisioning/dashboards
+      - /etc/grafana/provisioning/datasources
+      - /etc/grafana/provisioning/users
+
+  - name: Create dashboards directory
+    become: true
+    ansible.builtin.file:
+      path: /var/lib/grafana/dashboards
+      state: directory
+      owner: grafana
+      group: grafana
+      mode: '750'
+
+  - name: Template configuration files
+    become: true
+    ansible.builtin.template:
+      src: "{{item.src}}"
+      dest: "{{item.dest}}"
+      owner: grafana
+      group: grafana
+      mode: '550'
+    loop:
+      - src: "datasource.yml.j2"
+        dest: "/etc/grafana/provisioning/datasources/prometheus.yml"
+      - src: "users.yml.j2"
+        dest: "/etc/grafana/provisioning/users/users.yml"
+    notify: restart grafana
+
+  - name: Template Grafana main configuration
+    become: true
+    ansible.builtin.template:
+      src: "grafana.ini.j2"
+      dest: "/etc/grafana/grafana.ini"
+      owner: grafana
+      group: grafana
+      mode: '640'
+    when: grafana_oauth_enabled | default(false)
+    notify: restart grafana
+
+  - name: Configure dashboard provisioning
+    become: true
+    ansible.builtin.copy:
+      content: |
+        apiVersion: 1
+        providers:
+          - name: 'default'
+            orgId: 1
+            folder: ''
+            type: file
+            disableDeletion: false
+            updateIntervalSeconds: 10
+            allowUiUpdates: true
+            options:
+              path: /var/lib/grafana/dashboards
+      dest: /etc/grafana/provisioning/dashboards/dashboard.yml
+      owner: grafana
+      group: grafana
+      mode: '550'
+    notify: restart grafana
+
+  - name: Enable and start Grafana service
+    become: true
+    ansible.builtin.systemd:
+      name: grafana-server
+      enabled: true
+      state: started
+      daemon_reload: true
+
+  handlers:
+  - name: restart grafana
+    become: true
+    ansible.builtin.systemd:
+      name: grafana-server
+      state: restarted
--- a/ansible/grafana/grafana.ini.j2
+++ b/ansible/grafana/grafana.ini.j2
@@ -0,0 +1,36 @@
+# Grafana Configuration - Managed by Ansible
+# Do not edit manually - changes will be overwritten
+
+[server]
+root_url = {{ grafana_root_url }}
+
+[auth]
+# Disable login form for OAuth users (admins can still use local auth)
+disable_login_form = false
+
+[auth.generic_oauth]
+enabled = {{ grafana_oauth_enabled | default(false) | lower }}
+name = {{ grafana_oauth_name | default('Casdoor') }}
+allow_sign_up = {{ grafana_oauth_allow_sign_up | default(true) | lower }}
+client_id = {{ grafana_oauth_client_id }}
+client_secret = {{ grafana_oauth_client_secret }}
+scopes = {{ grafana_oauth_scopes | default('openid profile email') }}
+auth_url = {{ grafana_oauth_auth_url }}
+token_url = {{ grafana_oauth_token_url }}
+api_url = {{ grafana_oauth_api_url }}
+# Map Casdoor user attributes to Grafana
+email_attribute_path = email
+login_attribute_path = preferred_username
+name_attribute_path = name
+# Default role for new OAuth users
+role_attribute_path = contains(groups[*], 'grafana-admin') && 'Admin' || contains(groups[*], 'grafana-editor') && 'Editor' || 'Viewer'
+# TLS settings for internal communication
+tls_skip_verify_insecure = {{ grafana_oauth_skip_tls_verify | default(true) | lower }}
+
+[log]
+# Console-only logging — systemd journal captures output, Alloy ships to Loki
+mode = console
+level = {{ grafana_log_level | default('info') }}
+
+[log.console]
+format = text
--- a/ansible/grafana/users.yml.j2
+++ b/ansible/grafana/users.yml.j2
@@ -0,0 +1,15 @@
+apiVersion: 1
+users:
+  - name: {{grafana_admin_name}}
+    orgId: 1
+    login: {{grafana_admin_login}}
+    password: {{grafana_admin_password}}
+    isAdmin: true
+  - name: {{grafana_viewer_name}}
+    orgId: 1
+    login: {{grafana_viewer_login}}
+    password: {{grafana_viewer_password}}
+    isAdmin: false
+    permissions:
+      - permission: 1  # View permission
+        role: Viewer