From fe2450d43b01f110677e24cffbf3ccfeaf301045 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Thu, 4 Mar 2021 14:39:40 +0000
Subject: [PATCH] Add grafana docker network and restrict port binds
---
 ansible/galaxy-requirements.yml | 1 +
 ansible/host_vars/forrest.yml | 2 ++
 .../roles/forrest/files/docker-compose-grafana.yml | 11 +++++++++--
 .../roles/forrest/files/docker-compose-influxdb.yml | 11 ++++++++---
 ansible/roles/forrest/tasks/grafana.yml | 4 ++++
 5 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml
index 4bfbb87..2cfe7f9 100644
--- a/ansible/galaxy-requirements.yml
+++ b/ansible/galaxy-requirements.yml
@@ -1,6 +1,7 @@
 collections:
 - ansible.posix
 - community.general
+ - community.docker
 roles:
 - src: geerlingguy.docker
diff --git a/ansible/host_vars/forrest.yml b/ansible/host_vars/forrest.yml
index c6a60bc..a1c3f3d 100644
--- a/ansible/host_vars/forrest.yml
+++ b/ansible/host_vars/forrest.yml
@@ -1 +1,3 @@
 expose_ssh: true
+
+protected_ip: "{{ pve_hosts.forrest.internal_ip }}"
diff --git a/ansible/roles/forrest/files/docker-compose-grafana.yml b/ansible/roles/forrest/files/docker-compose-grafana.yml
index b33e6d0..15f3fa4 100644
--- a/ansible/roles/forrest/files/docker-compose-grafana.yml
+++ b/ansible/roles/forrest/files/docker-compose-grafana.yml
@@ -17,12 +17,14 @@ services:
 - GF_SMTP_PASSWORD={{ grafana_smtp_password }}
 - GF_SMTP_FROM_ADDRESS={{ grafana_from_email }}
 - GF_SMTP_FROM_NAME=grafana
-
 volumes:
 - "{{ app_data_dir }}/grafana:/var/lib/grafana"
+ networks:
+ - default
+ - grafana
 restart: unless-stopped
 ports:
- - 3000:3000
+ - "{{ protected_ip }}:3000:3000"
 depends_on:
 - db
 - renderer
@@ -41,3 +43,8 @@ services:
 restart: unless-stopped
 environment:
 - BROWSER_TZ={{ TZ }}
+
+
+networks:
+ grafana:
+ external: true
diff --git a/ansible/roles/forrest/files/docker-compose-influxdb.yml b/ansible/roles/forrest/files/docker-compose-influxdb.yml
index 5da1710..0aafbbc 100644
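Review bot: In docker-compose-grafana.yml (hunk `@@ -17,12 +17,14 @@`), the new bind `"{{ protected_ip }}:3000:3000"` is only as restrictive as whatever `protected_ip` renders to, and nothing in this patch validates that value. The variable is set only in host_vars/forrest.yml; an undefined variable fails templating by default, but an empty string or `0.0.0.0` would render a mapping that may publish Grafana on every interface again. I would add an `assert` task, before this file is rendered, that `protected_ip` is a non-empty, non-wildcard address, and a comment above the port line such as `# published on the internal address only; protected_ip is set in host_vars`. The grafana service definition starts and ends outside the hunk.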
--- a/ansible/roles/forrest/files/docker-compose-influxdb.yml
+++ b/ansible/roles/forrest/files/docker-compose-influxdb.yml
@@ -8,8 +8,9 @@ services:
 - /mnt/tank/dbs/influx/forrest:/var/lib/influxdb
 environment:
 - INFLUXDB_HTTP_AUTH_ENABLED=true
- ports:
- - 8086:8086
+ networks:
+ - default
+ - grafana
 chronograf:
 image: chronograf:1.8-alpine
@@ -21,4 +22,8 @@ services:
 volumes:
 - ./chronograf:/var/lib/chronograf
 ports:
- - 8888:8888
+ - "{{ protected_ip }}:8888:8888"
+
+networks:
+ grafana:
+ external: true
diff --git a/ansible/roles/forrest/tasks/grafana.yml b/ansible/roles/forrest/tasks/grafana.yml
index 4640dd8..d4469c1 100644
--- a/ansible/roles/forrest/tasks/grafana.yml
+++ b/ansible/roles/forrest/tasks/grafana.yml
@@ -1,3 +1,7 @@
+- name: Create network
+ docker_network:
+ name: grafana
+
 - name: Create grafana install directory
 file:
 path: /opt/grafana
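Review bot: In docker-compose-influxdb.yml (hunk `@@ -8,8 +8,9 @@`), InfluxDB becomes reachable by every container attached to the `grafana` network, and because that network is declared `external: true`, this file does not control which containers join it. `INFLUXDB_HTTP_AUTH_ENABLED=true` in the context lines is therefore the only access control left on port 8086. That deserves a comment above `networks:`, for example `# shared with the grafana stack: any container on this network can reach 8086, so HTTP auth must stay enabled`. Dropping the published port also cuts off any client that reached 8086 from outside Docker; the patch shows no such client, so this should be confirmed. The influxdb service definition starts outside the hunk.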
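Review bot: In docker-compose-influxdb.yml (hunk `@@ -21,4 +22,8 @@`), Chronograf stays published on `{{ protected_ip }}:8888`, so every host that can route to that address still reaches the UI. Chronograf's environment is outside the hunk; if no authentication is configured there, the UI presumably exposes its stored InfluxDB connection to anyone on the internal network, which would sidestep the auth that the influxdb service enforces. Confirm that authentication is configured, and record the intent next to the mapping, e.g. `# internal-only admin UI; reachable from the protected_ip network, auth required`.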
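Review bot: In tasks/grafana.yml the new task calls `docker_network:` by its short name, even though this patch adds `community.docker` to galaxy-requirements.yml. Writing `community.docker.docker_network:` makes the dependency explicit and prevents resolution to a different module of the same name. The task name `Create network` is hard to pick out of play output; `Create grafana docker network` would match the naming of the task below it. docker-compose-influxdb.yml now declares the same network as `external: true`, so this task must also run before that stack is started. The influxdb tasks are not part of this patch, so that ordering should be checked.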