goals:

  • secure connected grafana dashboard
  • reverse proxy served on port 443 for grafana
  • secure influxdb installation with collectd support
  • privilege separation for db management

get started

install grafana

## install dependencies
>  apt install apt-transport-https software-properties-common gnupg nginx

## add grafana key
> wget -q -O - https://packages.grafana.com/gpg.key | <sudo> apt-key add -

## paste the grafana repo into /etc/apt/sources.list.d/grafana.list
> echo "deb https://packages.grafana.com/oss/deb stable main" | <sudo> tee -a /etc/apt/sources.list.d/grafana.list 

## refresh repo and install grafana
> apt update ; apt install grafana

## start and enable service
> systemctl enable grafana-server
> systemctl start grafana-server

install influxdb

## add influxdb key
> wget -qO- https://repos.influxdata.com/influxdb.key | <sudo> apt-key add -

## paste the influxdb repo into /etc/apt/sources.list.d/influxdb.list
> echo "deb https://repos.influxdata.com/debian buster stable" | <sudo> tee -a /etc/apt/sources.list.d/influxdb.list

## refresh repo and install influxdb
> apt update ; apt install influxdb

## generate a self-signed certificate
> openssl req -x509 -nodes -subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=XX" -newkey rsa:4096 -keyout /etc/ssl/influxdb.key -out /etc/ssl/influxdb.crt -days 365
> chown -R influxdb:influxdb /etc/ssl/influxdb.*

## start and enable service
> systemctl enable influxdb
> systemctl start influxdb

reverse proxy

## generate a self-signed certificate
> openssl req -x509 -nodes -subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=XX" -newkey rsa:4096 -keyout /etc/ssl/nginx.key -out /etc/ssl/nginx.crt -days 365
## configure /etc/nginx/sites-available/default
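server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name example.com;

        # The plaintext listener only redirects. In the original single block the
        # "location /" proxy was reachable on port 80 as well, so Grafana was served
        # in the clear; the goal is a dashboard reachable via port 443 only.
        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name example.com;
        # self-signed pair generated above; browsers warn until a trusted
        # certificate replaces it
        ssl_certificate /etc/ssl/nginx.crt;
        ssl_certificate_key /etc/ssl/nginx.key;
        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
            # Grafana listens unencrypted on 3000; this hop stays on localhost
            proxy_pass http://localhost:3000;
            # pass the original host, client address and scheme to the backend
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
}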
## restart nginx
> systemctl restart nginx

setup influxdb incl. collectd

## edit /etc/influxdb/influxdb.conf
# /etc/influxdb/influxdb.conf (TOML); sections left empty keep their defaults
[meta]
  dir = "/var/lib/influxdb/meta"
[data]
  dir = "/var/lib/influxdb/data"
  wal-dir = "/var/lib/influxdb/wal"
  series-id-set-cache-size = 100
[coordinator]
[retention]
[shard-precreation]
[monitor]
# HTTP API listener served over TLS with the self-signed pair generated above
# (the files were chowned to influxdb so the service can read the private key).
# auth-enabled is intentionally not set yet: it is switched on in a later step,
# after the admin user has been created over the still-unauthenticated API.
[http]
  https-enabled = true
  https-certificate = "/etc/ssl/influxdb.crt"
  https-private-key = "/etc/ssl/influxdb.key"
[logging]
[subscriber]
[[graphite]]
# the collectd listener is filled in further down, once the auth_file exists
[[collectd]]
[[opentsdb]]
[[udp]]
[continuous_queries]
[tls]
## restart service
> systemctl restart influxdb

## check the TLS connection
> influx -ssl -unsafeSsl -host example.com
## create db admin
CREATE USER <username> WITH PASSWORD '<password>' WITH ALL PRIVILEGES
## create a read-only user
CREATE USER user WITH PASSWORD '<password>'
## create user telegraf
CREATE USER telegraf WITH PASSWORD '<password>'
## create user collectd
CREATE USER collectd WITH PASSWORD '<password>'
## add authentication to /etc/influxdb/influxdb.conf
# /etc/influxdb/influxdb.conf, [http] section again: from now on every API
# client (influx CLI, Grafana) must authenticate as one of the users created
# in the previous step. TLS settings are unchanged.
[http]
  auth-enabled = true # add this
  https-enabled = true
  https-certificate = "/etc/ssl/influxdb.crt"
  https-private-key = "/etc/ssl/influxdb.key"
## restart service
> systemctl restart influxdb

## login with
> influx -ssl -unsafeSsl -host example.com -username user -password <password>
## create telegraf database
CREATE DATABASE telegraf
## add read only user to telegraf database
GRANT READ ON telegraf TO user
## grant all privileges on the telegraf database to user telegraf
GRANT ALL ON telegraf TO telegraf
## create collectd database
CREATE DATABASE collectd
## add read only user to collectd database
GRANT READ ON collectd TO user
## grant all privileges on the collectd database to user collectd
GRANT ALL ON collectd TO collectd
## now we can log in to the grafana dashboard and connect to influxdb
## setup influxdb data source like:
> URL:
* https://localhost:8086
> Auth:
* Skip TLS Verify = true
> Database
* telegraf
> User
* user # the read only user
## for collectd support edit /etc/influxdb/influxdb.conf
# /etc/influxdb/influxdb.conf: UDP listener for collectd's network plugin
[[collectd]]
  enabled = true
  # no host part, so this is expected to bind on all interfaces; narrow it to
  # one address if the collector should not be reachable from everywhere
  bind-address = ":25826"
  # the database created above; user "collectd" has ALL on it, "user" READ
  database = "collectd"
  # empty string: presumably the database's default retention policy — verify
  retention-policy = ""
  # batching parameters — presumably batch size, pending batches and flush
  # timeout; confirm against the InfluxDB docs before tuning
  batch-size = 5000
  batch-pending = 10
  batch-timeout = "10s"
  read-buffer = 0
  # types.db downloaded below; the directory is chowned to influxdb
  typesdb = "/usr/share/collectd/types.db"
  # require encrypted and authenticated packets; the client side must use
  # SecurityLevel Encrypt with a credential listed in auth-file
  security-level = "encrypt"
  # must be a regular file (not a directory) of "user: password" lines,
  # readable by the influxdb user and by nobody else
  auth-file = "/etc/collectd/auth_file"
  parse-multivalue-plugin = "split"
## make directories and download types.db
> mkdir -p /usr/share/collectd/collectd
> wget -P /usr/share/collectd/ https://raw.githubusercontent.com/collectd/collectd/master/src/types.db
> chown -R influxdb:influxdb /usr/share/collectd/
> mkdir -p /etc/collectd/auth_file
> chown influxdb:influxdb /etc/collectd/auth_file

## write the auth_file at /etc/collectd/auth_file with the following content
collectd: <password>

## restart service
> systemctl restart influxdb

## wait a second and check that the service is still running
> systemctl status influxdb
## now we can log into grafana
## setup influxdb data source like:
> URL:
* https://localhost:8086
> Auth:
* Skip TLS Verify = true
> Database
* collectd
> User
* user # the read only user
## collectd client example for OpenBSD: /etc/collectd.conf
# /etc/collectd.conf — collectd client (OpenBSD) shipping metrics to the
# InfluxDB collectd listener configured above
Hostname    "example.com"
# resolve Hostname to its fully qualified name
FQDNLookup   true
BaseDir     "/var/collectd"
PIDFile     "/var/collectd/collectd.pid"
# OpenBSD ports location; the InfluxDB side uses /usr/share/collectd/types.db
TypesDB     "/usr/local/share/collectd/types.db"
# seconds between reads
Interval 10.0
# Client
LoadPlugin "network"
LoadPlugin "interface"
LoadPlugin "logfile"
LoadPlugin "cpu"
LoadPlugin "memory"
LoadPlugin "swap"
<Plugin interface>
    Interface "vr0"
    Interface "vr1"
    Interface "vr2"
    # false: collect only the interfaces listed above
    IgnoreSelected false
</Plugin>
# Client
<Plugin network>
    # InfluxDB host and the port from its bind-address
    <Server "example.com" "25826">
        # matches security-level = "encrypt" on the server: packets are
        # encrypted and authenticated with the credential below
        SecurityLevel Encrypt
        # same user/password pair as in /etc/collectd/auth_file on the
        # InfluxDB host; this file holds a secret, keep it root-readable only
        Username "collectd"
        Password "<password>"
        # interface used for the outgoing packets
        Interface "vio0"
    </Server>
    TimeToLive 128
    MaxPacketSize 1452
</Plugin>

See: TypesDB