Sharing this, because it took forever to get right, so putting it here for others.
I’d been running the Grafana and InfluxDB community add-ons with great success but have decided that I want to move the InflixDB to run outside Hass.io (mostly so that the large DB file didn’t end up in my snapshots and so that I can move it to an external NAS).
My HA is running as follows: the server hardware runs ESXi 6, which has an Ubuntu VM which runs Docker. Hass.io is installed inside that Docker. The ESXi/VM part shouldn’t matter, the rest of this should work for any install where you are running Hass.io in Docker under Linux, but not under HassOS.
Here’s what I did:
I shut down the InfluxDB add-on, and spun up separate Docker containers with InfluxDB and Chronograf. I used docker-compose with the following docker-compose.yml file: https://pastebin.com/raw/48DHBXcG
Note that it has the containers connect to the hassio Docker Network, same as the other Hass.io containers. Also note that I passed to it some empty volumes to use for data and config, as well as the volume where I’m storing my SSL keys (I’m using the Let’s Encrypt/Duckdns method to expose HA to the outside world).
I downloaded a complete influxdb.conf file from: https://github.com/influxdata/influxdb/blob/1.7/etc/config.sample.toml, which needs to be placed in the volume that /etc/influxdb is pointed at.
I then turned on SSL by editing influxdb.conf and making the following changes:
# Determines whether HTTPS is enabled.
https-enabled = true
# The SSL certificate to use when HTTPS is enabled.
https-certificate = "/etc/ssl/fullchain.pem"
# Use a separate private key location.
https-private-key = "/etc/ssl/privkey.pem"
I then followed the instructions from the InfluxDB Add-on for setting up Chronograf and using it to create a database and users. In my case, Chrongraf is accessible at REDACTED.duckdns.org:8888. The InfluxDB connection has the URL set to https://influxdb:8086 and Unsafe SSL turned on. (I think I can turn it off if I point the URL at https://REDACTED.duckdns.org:8086, but I’ve not tried it.)
I then created a db named homeassistant and three users - one with my name, one named homeassistant and one named grafana. This creates the user accounts on the InfluxDB side.
After this, I again edited influxdb.conf to set:
# Determines whether user authentication is enabled over HTTP/HTTPS.
auth-enabled = true
This forces InfluxDB to require uid/password. Not sure what would have happened if I did this right away, before creating any user accounts - I don’t think there is a default admin account.
I then set up HA to talk to InfluxDB using the following configuration:
influxdb:
host: REDACTED.duckdns.org
port: 8086
database: homeassistant
username: !secret influxdbuid
password: !secret influxdbpass
ssl: true
max_retries: 5
default_measurement: state
include:
domains:
- sensor
- binary_sensor
- climate
The influxdbuid here is the homeassistant account I set up above, with its password.
Running some queries with Chronograf showed that the data was being written.
My biggest difficulty was to get Grafana to speak to InfluxDB. Grafana is running as a Hass-io add-on, using the following configuration:
{
"plugins": [],
"env_vars": [],
"ssl": true,
"certfile": "fullchain.pem",
"keyfile": "privkey.pem",
"grafana_ingress_user": "REDACTED"
}
I feel like I tried every permutation of connection settings in the Data Sources screenbefore I got one to work. Here’s what did:
URL: REDACTED.duckdns.org:8086
Access: Browser
Auth: both Basic auth and With Credentials turned OFF (gray)
InfluxDB details:
Database: homeassistant
User: grafana
HTTP Method: POST
That last seemed to be the key. Default is GET and it would not work.
With this, it’s all working. Main thing left to do is to make Chronograf use SSL.
Hope this helps someone else.