Add authorisation for influxdb endpoint

files/docker-compose.yml

@@ -64,8 +64,7 @@ services:
     ports:
       - 127.0.0.1:8086:8086
     environment:
-      - INFLUXDB_WRITE_USER=telegraf
-      - INFLUXDB_WRITE_USER_PASSWORD=${INFLUXDB_WRITE_USER_PASSWORD}
+      - INFLUXDB_REPORTING_DISABLED=true
     volumes:
       - ./volumes/influxdb:/var/lib/influxdb
       - ./influxdb.conf:/etc/influxdb/influxdb.conf:ro

group_vars/prod.yml

@@ -6,7 +6,7 @@ letsencrypt_contact_email: !vault |
   36633466366138323334386337383262353934323337343932633837663136616437326331366431
   3261333962353964300a363535383130336164623862326165626466393334666638323964663834
   3635
-influxdb_password: !vault |
+influxdb_auth_password: !vault |
   $ANSIBLE_VAULT;1.1;AES256
   61616638303232373339653737303566613430663763313864633365313166383163323033636364
   3163313737323662343934323866633734633530646638610a666662663761363533373539316631
@@ -27,10 +27,3 @@ weblate_postgres_password: !vault |
   66353238623038366230323239303634613963643635626632353739636564396430386565623466
   6562383763396235340a313463643239333662393430613465363965666466303461663066386533
   61323161323732396533373062663762383031336330653336376533633633393035
-telegraf_influxdb_password: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  61343966363633306163646530646361613833663831623139376135396436623835333363663236
-  3235613761363138313236636164646131383234313532370a626234643530373339646133313332
-  36623563623434323336663262323939326534643834666465333863386231616439636132316436
-  3833303337393633320a313766336236303264376333373535353832646262666634383062303935
-  62393230366331396435313162636136333832623939666663623131343761633031

playbooks/gitea.yml

@@ -41,20 +41,27 @@
 
     - name: install dependencies
       apt:
-        pkg: ['docker-compose', 'docker.io', 'certbot', 'nginx', 'python-certbot-nginx']
+        pkg: ['docker-compose', 'docker.io', 'certbot', 'nginx', 'python-certbot-nginx', 'python-passlib']
 
     - name: enable and start docker service
       systemd:
         name: docker
         enabled: yes
         state: started
-
     - name: start docker-compose
       docker_compose:
         project_src: /gitea/
         state: present
-        stopped: yes
-        services: nginx
+        pull: yes
+
+    - name: Create htpasswd file for influxdb reporting endpoint
+      community.general.htpasswd:
+        path: /gitea/influxdb_htpasswd
+        name: telegraf
+        password: '{{ influxdb_auth_password }}'
+        owner: root
+        group: www-data
+        mode: 0640
 
     - name: request letsencrypt certificates
       shell: |
@@ -62,11 +69,6 @@
         certbot certonly --nginx --agree-tos -d 'weblate.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
         certbot certonly --nginx --agree-tos -d 'grafana.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
 
-    - name: start docker-compose
-      docker_compose:
-        project_src: /gitea/
-        state: present
-        pull: yes
 
     - name: reload nginx config and certs
       shell: nginx -s reload

templates/env

@@ -2,4 +2,3 @@ GITEA_HOSTNAME={{ domain }}
 WEBLATE_HOSTNAME=weblate.{{ domain }}
 WEBLATE_ADMIN_PASSWORD={{ weblate_admin_password }}
 WEBLATE_POSTGRES_PASSWORD={{ weblate_postgres_password }}
-INFLUXDB_WRITE_USER_PASSWORD={{ influxdb_password }}

templates/gitea.conf

@@ -4,6 +4,8 @@ geoip_country /usr/share/GeoIP/GeoIP.dat;
 map $geoip_country_code $allowed_country {
     default yes;
     CN no;
+    RU no;
+    IN no;
 }
 
 server {

templates/grafana.conf

@@ -48,6 +48,8 @@ server {
     }
 
     location /telegraf-input/ {
+        auth_basic "telegraf input";
+        auth_basic_user_file /gitea/influxdb_htpasswd;
         proxy_pass http://127.0.0.1:8086/;
     }
 }

templates/telegraf.conf.j2

@@ -149,7 +149,7 @@ database = "yerbamate-dev"
 
 ## HTTP Basic Auth
 username = "telegraf"
-password = "{{ telegraf_influxdb_password }}"
+password = "{{ influxdb_auth_password }}"
 
 ## HTTP User-Agent
 # user_agent = "telegraf"