From b8448569d429eed8a70dd14db1e1bf22811bf75b Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 24 Jan 2022 00:30:29 +0100
Subject: [PATCH 1/4] [monitoring] Zamok don't have certbot neither nginx

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 hosts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hosts b/hosts
index af376853..36241bd6 100644
--- a/hosts
+++ b/hosts
@@ -22,11 +22,13 @@ belenios.adm.crans.org
 routeurs_vm
 
 [blackbox]
+fyre.cachan-adm.crans.org
 monitoring.adm.crans.org
 
 [certbot]
-sputnik.adm.crans.org
+irc.adm.crans.org
 proxy-pve-adh.adm.crans.org
+sputnik.adm.crans.org
 
 [certbot:children]
 dovecot
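Review bot: The added `fyre.cachan-adm.crans.org` line under `[blackbox]` is not covered by the commit message, which only describes moving certbot/nginx off zamok, so the inventory history would not explain why that host started being probed; either mention it in the message or split it into its own commit. The other hunks of this file (adding `irc.adm.crans.org` to `[certbot]` and `[nginx]`, dropping `thelounge` from `[certbot:children]` and `[nginx:children]`) do match the message. Moving `sputnik.adm.crans.org` below `proxy-pve-adh.adm.crans.org` is cosmetic but keeps the group alphabetical, which is the convention the surrounding groups follow.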
@@ -37,7 +39,6 @@ mailman
 postfix
 radius  # We use certbot to manage LE certificates
 reverseproxy
-thelounge
 vsftpd_mirror
 
 [constellation:children]
@@ -130,6 +131,7 @@ tealc.adm.crans.org
 
 [nginx]
 eclat.adm.crans.org
+irc.adm.crans.org
 ptf.adm.crans.org
 
 [nginx:children]
@@ -143,7 +145,6 @@ printer
 re2o_front
 reverseproxy
 roundcube
-thelounge
 wiki
 
 [ntp_server]
-- 
GitLab


From d19545cd848b55503014da4aecd3acdd47b8963f Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 24 Jan 2022 00:54:39 +0100
Subject: [PATCH 2/4] [monitoring] Add permission to send pings to
 prometheus-blackbox-exporter

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 roles/prometheus-blackbox-exporter/tasks/main.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/roles/prometheus-blackbox-exporter/tasks/main.yml b/roles/prometheus-blackbox-exporter/tasks/main.yml
index a571e907..8e9915c6 100644
--- a/roles/prometheus-blackbox-exporter/tasks/main.yml
+++ b/roles/prometheus-blackbox-exporter/tasks/main.yml
@@ -1,4 +1,12 @@
 ---
+- name: Configure the exporter to allow pings
+  debconf:
+    name: "prometheus-blackbox-exporter"
+    question: "prometheus-blackbox-exporter/want_cap_net_raw"
+    value: "true"
+    vtype: "boolean"
+  notify: Restart prometheus-blackbox-exporter
+
 - name: Install Prometheus Blackbox exporter
   apt:
     update_cache: true
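Review bot: The new debconf task only writes the answer into the debconf database; on a host where `prometheus-blackbox-exporter` is already installed that answer is not applied, because (as far as I can tell from the Debian packaging) it is the package's postinst that grants `cap_net_raw` to the binary, and postinst only runs on install or reconfigure, so the `notify: Restart prometheus-blackbox-exporter` on this task restarts a service that still cannot open raw sockets. Preseeding before the apt task is the right order for fresh installs; for already-installed hosts, register the debconf result and run `dpkg-reconfigure` after the install task (the apt task continues outside the hunk), moving the restart notification onto that step. On a fresh host the reconfigure runs once redundantly after install, which is harmless.
```yaml
- name: Configure the exporter to allow pings
  # … unchanged: debconf name/question/value/vtype …
  register: blackbox_debconf

# … unchanged: Install Prometheus Blackbox exporter (apt) task …

- name: Apply the cap_net_raw debconf answer to an already-installed exporter
  command: dpkg-reconfigure -f noninteractive prometheus-blackbox-exporter
  when: blackbox_debconf is changed
  notify: Restart prometheus-blackbox-exporter
```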
-- 
GitLab


From da70cc483e5a093916b59fa659cd89eceb6f955c Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 4 Apr 2022 16:48:26 +0200
Subject: [PATCH 3/4] Good bye Cachan, hello Horst, Karst & Rodney!

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 host_vars/monitoring.adm.crans.org.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/host_vars/monitoring.adm.crans.org.yml b/host_vars/monitoring.adm.crans.org.yml
index 8850d61a..fc4f2a9b 100644
--- a/host_vars/monitoring.adm.crans.org.yml
+++ b/host_vars/monitoring.adm.crans.org.yml
@@ -76,6 +76,28 @@ loc_prometheus:
           - target_label: __address__
             replacement: 127.0.0.1:9115
 
+  blackbox_icmp:
+    file: targets_icmp.json
+    targets:
+      - karst.adm.crans.org
+      - horst.adm.crans.org
+      - rodney.adm.crans.org
+    config:
+      - job_name: blackbox_icmp
+        file_sd_configs:
+          - files:
+              - '/etc/prometheus/targets_icmp.json'
+        metrics_path: /probe
+        params:
+          module: [icmp]  # Look for a ICMP ping
+        relabel_configs:
+          - source_labels: [__address__]
+            target_label: __param_target
+          - source_labels: [__param_target]
+            target_label: instance
+          - target_label: __address__
+            replacement: 127.0.0.1:9115
+
   mtail:
     file: targets_mtail.json
     targets:
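Review bot: `module: [icmp]` on the `params` line assumes the blackbox exporter's own configuration defines an `icmp` module and that the exporter process may open raw sockets (`cap_net_raw` or root); neither is visible in this file, and if either is missing the targets simply show as down at scrape time rather than failing at deploy time. Record the dependency next to the value, e.g. `module: [icmp]  # needs an "icmp" module in the exporter config and cap_net_raw on the exporter binary`, and fix the article in the existing comment ("an ICMP ping"). The `relabel_configs` stanza and the `127.0.0.1:9115` replacement are copied verbatim from the job above, which is the pattern this file already uses, so that is fine; a one-line comment saying the address is the local blackbox exporter would still help a reader who only sees this job.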
-- 
GitLab


From 830afd153182bb691243ce79def88b5c9b6f22e8 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 4 Apr 2022 17:26:15 +0200
Subject: [PATCH 4/4] [grafana] More power!

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/grafana.yml               |  4 ++++
 roles/grafana/templates/ldap.toml.j2 | 12 +++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/group_vars/grafana.yml b/group_vars/grafana.yml
index 254405df..9653f4a3 100644
--- a/group_vars/grafana.yml
+++ b/group_vars/grafana.yml
@@ -4,6 +4,10 @@ glob_grafana:
   ldap_base: "{{ glob_ldap.base }}"
   ldap_master_ipv4: "{{ glob_ldap.servers[0] }}"
   ldap_user_tree: "ou=passwd,{{ glob_ldap.base }}"
+  ldap_group_tree: "ou=group,{{ glob_ldap.base }}"
+  ldap_group_filter: "uid"
+  ldap_group_admin: "cn=_nounou,ou=group,{{ glob_ldap.base }}"
+  ldap_group_editor: "*"  # Everyone is editor
 
 logos:
   - which: crans_logo_white_small.svg
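Review bot: `ldap_group_filter: "uid"` is misnamed: the template inserts it as `group_search_filter_user_attribute`, i.e. the user attribute substituted into the `(memberUid=%s)` group filter, not a filter itself, so a name like `ldap_group_user_attribute` (with the matching change in `roles/grafana/templates/ldap.toml.j2`) would read correctly. The comment on `ldap_group_editor: "*"` is accurate but understates the scope: as I read Grafana's group mapping, `"*"` matches every account that passed the LDAP login filter, not only members of `ldap_group_tree`, so something like `# "*" matches any account that can log in via LDAP, not only ldap_group_tree members` makes the grant explicit. That is unchanged behaviour from the old hard-coded `group_dn = "*"`, so it is a documentation point only.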
diff --git a/roles/grafana/templates/ldap.toml.j2 b/roles/grafana/templates/ldap.toml.j2
index c92a9330..7685d90f 100644
--- a/roles/grafana/templates/ldap.toml.j2
+++ b/roles/grafana/templates/ldap.toml.j2
@@ -31,8 +31,8 @@ search_base_dns = ["ou=passwd,dc=crans,dc=org"]
 ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
 ## Please check grafana LDAP docs for examples
 group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
-group_search_base_dns = ["ou=group,{{ grafana.ldap_base }}"]
-group_search_filter_user_attribute = "cn"
+group_search_base_dns = ["{{ grafana.ldap_group_tree }}"]
+group_search_filter_user_attribute = "{{ grafana.ldap_group_filter }}"
 
 # Specify names of the ldap attributes your ldap uses
 [servers.attributes]
@@ -41,7 +41,13 @@ surname = "sn"
 username = "uid"
 email =  "mail"
 
+# Nounous can administrate
+[[servers.group_mappings]]
+group_dn = "{{ grafana.ldap_group_admin }}"
+org_role = "Admin"
+grafana_admin = true
+
 # All LDAP members can edit
 [[servers.group_mappings]]
-group_dn = "*"
+group_dn = "{{ grafana.ldap_group_editor }}"
 org_role = "Editor"
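Review bot: The new `[[servers.group_mappings]]` block for `ldap_group_admin` must stay above the wildcard `"*"` mapping, because, as far as I recall Grafana documents it, the first matching mapping for a user wins; nothing in the file records that, so a later reorder would silently demote every nounou to Editor. Add `# Order matters: Grafana applies the first matching mapping, keep this above the "*" mapping` above the block. `grafana_admin = true` also grants server-wide (instance) admin on top of the org `Admin` role, which the comment "Nounous can administrate" does not convey; say so, e.g. `# Nounous are org Admin and Grafana server admins`. Both mappings belong to the enclosing `[[servers]]` table, which starts outside the hunk.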
-- 
GitLab