From 1e44577045721da41f2eac352aa67f6c3c95596e Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 28 Jul 2025 18:43:41 +1000
Subject: [PATCH] feat: add external grafana access
- enable access to grafana through haproxy
- ensure grafana cert created from letsencrypt
- enable user access to grafana
---
 .../au/region/syd1/infra/halb/haproxy2.yaml | 25 +++++++++++++++++++
 hieradata/roles/infra/auth/glauth.yaml | 6 +++++
 hieradata/roles/infra/metrics/grafana.yaml | 6 ++---
 hieradata/roles/infra/pki/certbot.yaml | 1 +
 site/profiles/manifests/metrics/grafana.pp | 15 +++++++++++
 5 files changed, 50 insertions(+), 3 deletions(-)
diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
index 0c7dae0..27f0a1f 100644
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
@@ -9,6 +9,7 @@ profiles::haproxy::dns::vrrp_cnames:
 - nzbget.main.unkin.net
 - git.unkin.net
 - fafflix.unkin.net
+ - grafana.unkin.net
 profiles::haproxy::mappings:
 fe_http:
@@ -25,6 +26,7 @@ profiles::haproxy::mappings:
 - 'jellyfin.main.unkin.net be_jellyfin'
 - 'fafflix.unkin.net be_jellyfin'
 - 'git.unkin.net be_gitea'
+ - 'grafana.unkin.net be_grafana'
 fe_https:
 ensure: present
 mappings:
@@ -39,6 +41,7 @@ profiles::haproxy::mappings:
 - 'jellyfin.main.unkin.net be_jellyfin'
 - 'fafflix.unkin.net be_jellyfin'
 - 'git.unkin.net be_gitea'
+ - 'grafana.unkin.net be_grafana'
 profiles::haproxy::frontends:
 fe_http:
@@ -58,6 +61,7 @@ profiles::haproxy::frontends:
 - 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
 - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
 - 'acl_gitea req.hdr(host) -i git.unkin.net'
+ - 'acl_grafana req.hdr(host) -i grafana.unkin.net'
 - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
 use_backend:
 - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -74,6 +78,7 @@ profiles::haproxy::frontends:
 - 'set-header X-Frame-Options DENY if acl_jellyfin'
 - 'set-header X-Frame-Options DENY if acl_fafflix'
 - 'set-header X-Frame-Options DENY if acl_gitea'
+ - 'set-header X-Frame-Options DENY if acl_grafana'
 - 'set-header X-Content-Type-Options nosniff'
 - 'set-header X-XSS-Protection 1;mode=block'
@@ -239,6 +244,24 @@ profiles::haproxy::backends:
 redirect: 'scheme https if !{ ssl_fc }'
 stick-table: 'type ip size 200k expire 30m'
 stick: 'on src'
+ be_grafana:
+ description: Backend for grafana nodes
+ collect_exported: false # handled in custom function
+ options:
+ balance: roundrobin
+ option:
+ - httpchk GET /
+ - forwardfor
+ - http-keep-alive
+ - prefer-last-server
+ cookie: SRVNAME insert indirect nocache
+ http-reuse: always
+ http-request:
+ - set-header X-Forwarded-Port %[dst_port]
+ - add-header X-Forwarded-Proto https if { dst_port 443 }
+ redirect: 'scheme https if !{ ssl_fc }'
+ stick-table: 'type ip size 200k expire 30m'
+ stick: 'on src'
 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
@@ -252,6 +275,7 @@ profiles::haproxy::certlist::certificates:
 - /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
 - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
 - /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
+ - /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
 - /etc/pki/tls/vault/certificate.pem
 # additional altnames
@@ -278,3 +302,4 @@ certbot::client::domains:
 - nzbget.main.unkin.net
 - fafflix.unkin.net
 - git.unkin.net
+ - grafana.unkin.net
diff --git a/hieradata/roles/infra/auth/glauth.yaml b/hieradata/roles/infra/auth/glauth.yaml
index 242f1b3..b508496 100644
--- a/hieradata/roles/infra/auth/glauth.yaml
+++ b/hieradata/roles/infra/auth/glauth.yaml
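Review bot: The health check `httpchk GET /` in the new be_grafana backend probes Grafana's root, which answers with a redirect to the login page; HAProxy treats 2xx/3xx as healthy by default, so a node whose database is unavailable still stays in rotation. Grafana exposes an unauthenticated liveness endpoint that reports database state, so `- httpchk GET /api/health` is the better probe here. The remainder of the backend (cookie persistence, `redirect`, `stick-table`, `stick`) mirrors the sibling backend visible in the context lines above it, which is consistent.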
@@ -104,6 +104,7 @@ glauth::users:
 - 20013 # lidarr
 - 20014 # readarr
 - 20016 # nzbget
+ - 20027 # grafana user
 loginshell: '/bin/bash'
 homedir: '/home/seablo'
 passsha256: '2db12484b2b5fdae7f3a1f9f870143c363af14bf2c31a415a9a7afcb02520df2'
@@ -121,6 +122,7 @@ glauth::users:
 - 20013 # lidarr
 - 20014 # readarr
 - 20016 # nzbget
+ - 20027 # grafana user
 loginshell: '/bin/bash'
 homedir: '/home/marbal'
 passsha256: 'cc20cee6269b9970a76549c66b51d0c543352796180d4122260a47f0f7a442a9'
@@ -138,6 +140,7 @@ glauth::users:
 - 20013 # lidarr
 - 20014 # readarr
 - 20016 # nzbget
+ - 20027 # grafana user
 loginshell: '/bin/bash'
 homedir: '/home/kelren'
 passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
@@ -155,6 +158,7 @@ glauth::users:
 - 20013 # lidarr
 - 20014 # readarr
 - 20016 # nzbget
+ - 20027 # grafana user
 loginshell: '/bin/bash'
 homedir: '/home/ryadun'
 passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
@@ -172,6 +176,7 @@ glauth::users:
 - 20013 # lidarr
 - 20014 # readarr
 - 20016 # nzbget
+ - 20027 # grafana user
 loginshell: '/bin/bash'
 homedir: '/home/margol'
 passsha256: '31a66085fb7eaeb059e51d1376233db72b54f96a6c45947aafbb350c83e618ef'
@@ -190,6 +195,7 @@ glauth::users:
 - 20014 # readarr
 - 20016 # nzbget
 - 20026 # jupyterhub_user
+ - 20027 # grafana user
 loginshell: '/bin/bash'
 homedir: '/home/sudobo'
 passsha256: 'a326e049c2a615226877946220a978a0a8247c569be1adcd73539b09b14136d0'
diff --git a/hieradata/roles/infra/metrics/grafana.yaml b/hieradata/roles/infra/metrics/grafana.yaml
index 11b1c3c..eae541d 100644
--- a/hieradata/roles/infra/metrics/grafana.yaml
+++ b/hieradata/roles/infra/metrics/grafana.yaml
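Review bot: Group 20027 is added to a user's `othergroups` here and in the five following hunks of this file, but nothing in the patch defines that gid — the diffstat shows glauth.yaml gaining exactly these six lines. If 20027 is not already present in the groups section (outside the hunk), the memberships are dangling and any group-based Grafana LDAP mapping will not match; worth confirming the group definition exists and that Grafana's role mapping is keyed on this group rather than admitting every authenticated account. The comment `# grafana user` also breaks with the neighbouring `# jupyterhub_user` style; `# grafana_user` would match.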
@@ -14,13 +14,13 @@ profiles::metrics::grafana::pgsql_backend: true
 # additional altnames
 profiles::pki::vault::alt_names:
- - grafana.main.unkin.net
+ - grafana.unkin.net
 - grafana.service.consul
 - grafana.query.consul
 - "grafana.service.%{facts.country}-%{facts.region}.consul"
 profiles::ssh::sign::principals:
- - grafana.main.unkin.net
+ - grafana.unkin.net
 - grafana.service.consul
 - grafana.query.consul
@@ -47,7 +47,7 @@ profiles::consul::client::node_rules:
 # manage a simple nginx reverse proxy
 profiles::nginx::simpleproxy::nginx_vhost: 'grafana.query.consul'
 profiles::nginx::simpleproxy::nginx_aliases:
- - grafana.main.unkin.net
+ - grafana.unkin.net
 - grafana.service.consul
 - grafana.query.consul
 - "grafana.service.%{facts.country}-%{facts.region}.consul"
diff --git a/hieradata/roles/infra/pki/certbot.yaml b/hieradata/roles/infra/pki/certbot.yaml
index b91e40e..5f95c02 100644
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@@ -14,3 +14,4 @@ certbot::domains:
 - nzbget.main.unkin.net
 - fafflix.unkin.net
 - git.unkin.net
+ - grafana.unkin.net
diff --git a/site/profiles/manifests/metrics/grafana.pp b/site/profiles/manifests/metrics/grafana.pp
index c792c4c..6b7a723 100644
--- a/site/profiles/manifests/metrics/grafana.pp
+++ b/site/profiles/manifests/metrics/grafana.pp
@@ -116,4 +116,19 @@ class profiles::metrics::grafana (
 require => Package['grafana'],
 before => Service['grafana'],
 }
+
+ # export haproxy balancemember
+ profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
+ service => 'be_grafana',
+ ports => [443],
+ options => [
+ "cookie ${facts['networking']['hostname']}",
+ 'ssl',
+ 'verify none',
+ 'check',
+ 'inter 2s',
+ 'rise 3',
+ 'fall 2',
+ ]
+ }
 }
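Review bot: Both hunks replace `grafana.main.unkin.net` with `grafana.unkin.net` in the vault cert alt_names, the SSH signing principals and the nginx aliases rather than adding the new name beside the old one. Any client that still resolves the old name will now get a certificate name mismatch from the vault-issued cert and no matching nginx alias, which looks like an outage for them rather than a redirect. If the old DNS record still exists, keep `- grafana.main.unkin.net` in each list alongside `- grafana.unkin.net` for the transition and drop it once the record is retired.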
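Review bot: The exported balancemember connects to the Grafana node over TLS with `'verify none'`, so HAProxy never authenticates the backend certificate even though this same role receives a vault-issued cert whose alt_names now include `grafana.unkin.net` (grafana.yaml hunk above). With an internal CA in play, `'verify required'` together with `'ca-file <PATH_TO_VAULT_CA_BUNDLE>'` (placeholder; the bundle path is not in this patch) would close the load-balancer-to-node substitution gap. If the repository's other exported balancemembers also use `verify none`, this is at least consistent and can be tracked as a follow-up for all of them. The enclosing `profiles::metrics::grafana` class starts outside the hunk.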