From 781f8447ddbbff5b795f392b2d34d260547cb6ba Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Wed, 21 Oct 2020 12:29:29 +0200
Subject: [PATCH] Add authorisation for influxdb endpoint
---
 files/docker-compose.yml | 3 +--
 group_vars/prod.yml | 9 +--------
 playbooks/gitea.yml | 20 +++++++++++---------
 templates/env | 1 -
 templates/gitea.conf | 2 ++
 templates/grafana.conf | 2 ++
 templates/telegraf.conf.j2 | 2 +-
 7 files changed, 18 insertions(+), 21 deletions(-)
diff --git a/files/docker-compose.yml b/files/docker-compose.yml
index f21eb47..e1bd26c 100644
--- a/files/docker-compose.yml
+++ b/files/docker-compose.yml
@@ -64,8 +64,7 @@ services:
 ports:
 - 127.0.0.1:8086:8086
 environment:
- - INFLUXDB_WRITE_USER=telegraf
- - INFLUXDB_WRITE_USER_PASSWORD=${INFLUXDB_WRITE_USER_PASSWORD}
+ - INFLUXDB_REPORTING_DISABLED=true
 volumes:
 - ./volumes/influxdb:/var/lib/influxdb
 - ./influxdb.conf:/etc/influxdb/influxdb.conf:ro
diff --git a/group_vars/prod.yml b/group_vars/prod.yml
index 40008a7..10b2d28 100644
--- a/group_vars/prod.yml
+++ b/group_vars/prod.yml
@@ -6,7 +6,7 @@ letsencrypt_contact_email: !vault |
 36633466366138323334386337383262353934323337343932633837663136616437326331366431
 3261333962353964300a363535383130336164623862326165626466393334666638323964663834
 3635
-influxdb_password: !vault |
+influxdb_auth_password: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 61616638303232373339653737303566613430663763313864633365313166383163323033636364
 3163313737323662343934323866633734633530646638610a666662663761363533373539316631
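Review bot: Dropping INFLUXDB_WRITE_USER and INFLUXDB_WRITE_USER_PASSWORD removes the database's own credential, and nothing in this hunk puts another one in its place, so InfluxDB itself now accepts unauthenticated reads and writes from anything that can reach port 8086. The 127.0.0.1 binding on the `ports:` line keeps it off the public interface, but other containers on the same compose network reach the service directly without going through the published port, and the nginx basic auth added in templates/grafana.conf only covers the /telegraf-input/ path. If relying on nginx alone is the intent, say so in a comment next to `- INFLUXDB_REPORTING_DISABLED=true`; otherwise keep InfluxDB authentication on (the official 1.x image reads `INFLUXDB_HTTP_AUTH_ENABLED=true` together with an admin user) and treat the htpasswd credential as a second layer. Whether HTTP auth was enabled before this change is not visible in the hunk.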
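Review bot: The rename keeps the ciphertext unchanged (the `$ANSIBLE_VAULT` block following `+influxdb_auth_password: !vault |` is context), so the value that templates/env previously fed to the container as INFLUXDB_WRITE_USER_PASSWORD is reused verbatim as the htpasswd secret. Because that value has already been rendered into a plain-text env file and a container environment, encrypting a freshly generated password here would be the cleaner move when its purpose changes. Failing that, a one-line comment above the key noting that it is consumed by both the htpasswd task in playbooks/gitea.yml and templates/telegraf.conf.j2 would save the next reader a grep.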
@@ -27,10 +27,3 @@ weblate_postgres_password: !vault |
 66353238623038366230323239303634613963643635626632353739636564396430386565623466
 6562383763396235340a313463643239333662393430613465363965666466303461663066386533
 61323161323732396533373062663762383031336330653336376533633633393035
-telegraf_influxdb_password: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 61343966363633306163646530646361613833663831623139376135396436623835333363663236
- 3235613761363138313236636164646131383234313532370a626234643530373339646133313332
- 36623563623434323336663262323939326534643834666465333863386231616439636132316436
- 3833303337393633320a313766336236303264376333373535353832646262666634383062303935
- 62393230366331396435313162636136333832623939666663623131343761633031
\ No newline at end of file
diff --git a/playbooks/gitea.yml b/playbooks/gitea.yml
index 6e3dc53..eb04ce5 100644
--- a/playbooks/gitea.yml
+++ b/playbooks/gitea.yml
@@ -41,20 +41,27 @@
 - name: install dependencies
 apt:
- pkg: ['docker-compose', 'docker.io', 'certbot', 'nginx', 'python-certbot-nginx']
+ pkg: ['docker-compose', 'docker.io', 'certbot', 'nginx', 'python-certbot-nginx', 'python-passlib']
 - name: enable and start docker service
 systemd:
 name: docker
 enabled: yes
 state: started
-
 - name: start docker-compose
 docker_compose:
 project_src: /gitea/
 state: present
- stopped: yes
- services: nginx
+ pull: yes
+
+ - name: Create htpasswd file for influxdb reporting endpoint
+ community.general.htpasswd:
+ path: /gitea/influxdb_htpasswd
+ name: telegraf
+ password: '{{ influxdb_auth_password }}'
+ owner: root
+ group: www-data
+ mode: 0640
 - name: request letsencrypt certificates
 shell: |
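Review bot: `mode: 0640` on the new htpasswd task is an unquoted leading-zero literal; PyYAML reads it as an octal integer, which happens to give the intended bits, but it is the form ansible-lint's octal rule rejects and it changes meaning silently if someone later drops the zero, so write `mode: "0640"`. The task passes the vault value through `password:` with nothing marking the task as sensitive, so unless the module suppresses it on its own the password can surface in verbose or failed-task output; adding `no_log: true` to the task closes that gap. `python-passlib` is the Python 2 package on Debian/Ubuntu, so if the managed host runs Ansible modules under Python 3 the htpasswd module will not find passlib and the task will fail — confirm the target interpreter before relying on that package name. The `enabled: yes` / `pull: yes` spellings match the rest of the file, so they are consistent, though yamllint's `truthy` rule would flag them.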
@@ -62,11 +69,6 @@
 certbot certonly --nginx --agree-tos -d 'weblate.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
 certbot certonly --nginx --agree-tos -d 'grafana.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
- - name: start docker-compose
- docker_compose:
- project_src: /gitea/
- state: present
- pull: yes
 - name: reload nginx config and certs
 shell: nginx -s reload
diff --git a/templates/env b/templates/env
index 45f27b2..df8e19a 100644
--- a/templates/env
+++ b/templates/env
@@ -2,4 +2,3 @@ GITEA_HOSTNAME={{ domain }}
 WEBLATE_HOSTNAME=weblate.{{ domain }}
 WEBLATE_ADMIN_PASSWORD={{ weblate_admin_password }}
 WEBLATE_POSTGRES_PASSWORD={{ weblate_postgres_password }}
-INFLUXDB_WRITE_USER_PASSWORD={{ influxdb_password }}
diff --git a/templates/gitea.conf b/templates/gitea.conf
index 80199e1..f8a82da 100644
--- a/templates/gitea.conf
+++ b/templates/gitea.conf
@@ -4,6 +4,8 @@ geoip_country /usr/share/GeoIP/GeoIP.dat;
 map $geoip_country_code $allowed_country {
 default yes;
 CN no;
+ RU no;
+ IN no;
 }
 server {
diff --git a/templates/grafana.conf b/templates/grafana.conf
index 4cc309b..21ae164 100644
--- a/templates/grafana.conf
+++ b/templates/grafana.conf
@@ -48,6 +48,8 @@ server {
 }
 location /telegraf-input/ {
+ auth_basic "telegraf input";
+ auth_basic_user_file /gitea/influxdb_htpasswd;
 proxy_pass http://127.0.0.1:8086/;
 }
 }
diff --git a/templates/telegraf.conf.j2 b/templates/telegraf.conf.j2
index 5d70c59..7b2e4e5 100644
--- a/templates/telegraf.conf.j2
+++ b/templates/telegraf.conf.j2
@@ -149,7 +149,7 @@ database = "yerbamate-dev"
 ## HTTP Basic Auth
 username = "telegraf"
-password = "{{ telegraf_influxdb_password }}"
+password = "{{ influxdb_auth_password }}"
 ## HTTP User-Agent
 # user_agent = "telegraf"
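Review bot: The two added `no;` entries change the geo-blocking policy but have nothing to do with the authorisation change named in the subject, and no comment explains why RU and IN now join CN, so whoever runs `git blame` on them later lands on an unrelated commit. A one-line comment above the `map` block stating the reason for the block list, or a separate commit, would document the intent. The directive that actually acts on `$allowed_country` is outside this hunk, so the effect of the new entries cannot be confirmed from here.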
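Review bot: The added `auth_basic` protects `/telegraf-input/`, but the `proxy_pass http://127.0.0.1:8086/;` beneath it forwards every sub-path and method to InfluxDB, so the single telegraf credential also reaches `/query` and, with InfluxDB's own auth removed as the docker-compose hunk suggests, can read or drop databases rather than only post metrics. Telegraf's output only needs POST to the write endpoint, so a `limit_except POST { deny all; }` inside the location (or a location narrowed to the write path) keeps a leaked htpasswd entry from becoming a read credential. nginx also forwards the Authorization header upstream by default, which is harmless while InfluxDB ignores it but deserves a comment so nobody is surprised if InfluxDB auth is switched back on. The `listen` directives are outside the hunk, so that the basic-auth exchange only happens on the TLS listener cannot be confirmed here.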