tkurki / marinepi-provisioning

Ansible provisioning scripts to set up a Raspberry Pi for marine use
Apache License 2.0
45 stars 21 forks

Update grafana role #36

Closed ph1l closed 5 years ago

ph1l commented 7 years ago

Ahh, I get it... If we blow away the server and reprovision, we've lost the old secret key... hrmpf...

More thought required...

ph1l commented 7 years ago

Okay I think this works...

If you set an explicit grafana_secret, it will persist because that data is stored on the ansible source machine (your checkout of this repository.) If you allow the role to generate a security.secret_key for you, it's ephemeral and will be reset when you re-provision from scratch. This will invalidate any logins or cookie settings stored in your browser, but currently all your influxdb data, dashboards, and other data will be gone too. No harm; no foul.

When a solution for persistent storage across full wipes of the OS partition is created, we can store the automatically generated secret_key alongside it and persist it.

So, go ahead and review this when you can.

tkurki commented 7 years ago

Is this ready for merging or not? Original description says DO NOT MERGE still.

Having [WIP] in the beginning of the PR title is a pretty good convention.

I tried to wrap my head around this. I find it overengineered - I have my secrets in Ansible Vault and if you want a persistent Grafana secret you can add one there, along with other persistent secrets like Wifi passphrase etc.

Generating a random one instead of using a public, fixed secret is a good idea, but I would just let it disappear upon possible wipe-and-reprovision-from-scratch, as there is a simple persistent mechanism if you want it.
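
One way to get the behaviour discussed in the comments above (an explicit `grafana_secret` supplied from the control machine persists, a generated key lives only on the target), as an added example that is not the code from this pull request. Only `grafana_secret` and `security.secret_key` come from the thread; the file paths, the `grafana_secret_key` fact and the `restart grafana` handler are assumptions.

```yaml
# Added example, not the role from this PR. Assumes the tasks run with
# become: true and that Grafana is already installed under /etc/grafana.

# Case 1: a secret was pinned by the operator, e.g. in an Ansible
# Vault-encrypted vars file. It survives a wipe because it lives with the playbook.
- name: Use the explicitly configured secret
  ansible.builtin.set_fact:
    grafana_secret_key: "{{ grafana_secret }}"
  when: grafana_secret is defined and grafana_secret | length > 0
  no_log: true

# Case 2: nothing pinned. Generate once on the target so repeated playbook
# runs keep the same key; wiping the OS partition removes the file, and the
# next provisioning run generates a fresh key.
- name: Generate a random secret on the target if none exists yet
  ansible.builtin.shell: umask 077 && head -c 32 /dev/urandom | base64 > /etc/grafana/.secret_key
  args:
    creates: /etc/grafana/.secret_key   # assumed path
  when: grafana_secret_key is not defined

- name: Read the generated secret back
  ansible.builtin.slurp:
    src: /etc/grafana/.secret_key
  register: generated_secret
  when: grafana_secret_key is not defined
  no_log: true

- name: Use the generated secret
  ansible.builtin.set_fact:
    grafana_secret_key: "{{ generated_secret.content | b64decode | trim }}"
  when: grafana_secret_key is not defined
  no_log: true

# Both cases end here: the key never appears in task output (no_log) and
# the config file is not world-readable.
- name: Write security.secret_key into grafana.ini
  community.general.ini_file:
    path: /etc/grafana/grafana.ini
    section: security
    option: secret_key
    value: "{{ grafana_secret_key }}"
    owner: root
    group: grafana
    mode: "0640"
  no_log: true
  notify: restart grafana   # assumed handler name
```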

ph1l commented 7 years ago

Sorry, forgot to update the description. This one is ready from my point of view.

tkurki commented 5 years ago

Sorry, closing based on my last comment.