---
- name: Install gpg (to import Grafana key)
  apt:
    name: gpg
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded
  
- name: Prepare import Grafana GPG signing key
  file:
    path: /etc/apt/keyrings/
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx

- name: Import Grafana GPG signing key
  get_url:
    url: https://apt.grafana.com/gpg.key
    dest: /etc/apt/keyrings/grafana-release-keyring.asc

- name: Add Grafana repository
  deb822_repository:
    name: grafana
    types: deb
    uris: https://apt.grafana.com
    suites: stable
    components: main
    signed_by: /etc/apt/keyrings/grafana-release-keyring.asc

- name: Install Grafana
  apt:
    name: grafana
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded

- name: Configure Grafana
  ini_file:
    path: /etc/grafana/grafana.ini
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    mode: 0640
  loop:
    - section: server
      option: root_url
      value: "{{ grafana.root_url }}"
    - section: analytics
      option: reporting_enabled
      value: "false"
    - section: analytics
      option: check_for_updates
      value: "false"
    - section: security
      option: disable_initial_admin_creation
      value: "true"
    - section: security
      option: cookie_secure
      value: "true"
    - section: security
      option: disable_gravatar
      value: "true"
    - section: snapshots
      option: external_enabled
      value: "false"
    - section: users
      option: allow_sign_up
      value: "false"
    - section: users
      option: allow_org_create
      value: "false"
    - section: auth.anonymous
      option: enabled
      value: "false"  # no public access
    - section: auth.anonymous
      option: hide_version
      value: "true"
    - section: auth.basic  # only LDAP auth
      option: enabled
      value: "false"
    - section: auth.ldap
      option: enabled
      value: "true"
    - section: alerting
      option: enabled
      value: "false"
    - section: database
      option: type
      value: "{{ grafana.database.type }}"
    - section: database
      option: host
      value: "{{ grafana.database.host }}"
    - section: database
      option: name
      value: "{{ grafana.database.name }}"
    - section: database
      option: user
      value: "{{ grafana.database.user }}"
    - section: database
      option: password
      value: "{{ grafana.database.password }}"
  notify: Restart grafana

- name: Configure Grafana LDAP
  template:
    src: ldap.toml.j2
    dest: /etc/grafana/ldap.toml
    mode: 0640
  notify: Restart grafana

- name: Enable and start Grafana
  systemd:
    name: grafana-server
    enabled: true
    state: started
    daemon_reload: true