authorChristian Pointner <equinox@spreadspace.org>2021-06-03 22:55:21 +0200
committerChristian Pointner <equinox@spreadspace.org>2021-06-20 01:44:16 +0200
commit8bcf938a7b95536c66a34b043915615df489f243 (patch)
treec2418122e3f9def7bd6ed90a4ff6fdbe116cac00 /roles
parentprometheus: add blackbox exporter (diff)
prometheus: fix blackbox exporter icmp probes
Diffstat (limited to 'roles')
-rw-r--r--roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml10
-rw-r--r--roles/monitoring/prometheus/exporter/blackbox/templates/service.j26
-rw-r--r--roles/monitoring/prometheus/server/templates/prometheus.yml.j228
3 files changed, 37 insertions, 7 deletions
diff --git a/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml b/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml
index fcf66555..4e7d8d9a 100644
--- a/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml
+++ b/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml
@@ -1,10 +1,8 @@
---
prometheus_exporter_blackbox_modules:
- icmp:
- prober: icmp
tcp_connect:
prober: tcp
- tcp_tls:
+ tcp_tls_connect:
prober: tcp
tcp:
tls: true
@@ -12,6 +10,12 @@ prometheus_exporter_blackbox_modules:
insecure_skip_verify: true
http_2xx:
prober: http
+ http_tls_2xx:
+ prober: http
+ http:
+ fail_if_not_ssl: true
+ tls_config:
+ insecure_skip_verify: true
ssh_banner:
prober: tcp
tcp:
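Review bot: The new `http_tls_2xx` module sets `insecure_skip_verify: true`, so a probe against a target presenting an untrusted, expired or mismatched certificate still reports success; `fail_if_not_ssl` only asserts that TLS was negotiated, not that the chain validates. If the intent is to tolerate self-signed certificates on a few targets, consider keeping this module verifying by default and adding a separate `http_tls_2xx_noverify` module, or at least recording the trade-off next to the flag: `# verification disabled deliberately (<reason>); chain problems are not reported as probe failures`. The same caveat applies to the pre-existing `tcp_tls_connect` module just above, which this commit only renames.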
diff --git a/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2 b/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2
index c9c5712c..a8a91d0b 100644
--- a/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2
+++ b/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2
@@ -8,8 +8,13 @@ ExecStart=/usr/bin/prometheus-blackbox-exporter --web.listen-address="127.0.0.1:
ExecReload=/bin/kill -HUP $MAINPID
# systemd hardening-options
+{% if prometheus_exporter_blackbox_modules | combine(prometheus_exporter_blackbox_modules_extra) | dict2items | selectattr('value.prober', 'eq', 'icmp') | length > 0 %}
AmbientCapabilities=CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_RAW
+{% else %}
+AmbientCapabilities=
+CapabilityBoundingSet=
+{% endif %}
DeviceAllow=/dev/null rw
DevicePolicy=strict
LockPersonality=true
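Review bot: The new capability condition reads `prometheus_exporter_blackbox_modules_extra`, which is not declared in the defaults file touched by this commit as far as the visible hunks show; if it is not defined elsewhere, `combine()` fails at render time on every host that does not set it, so a `prometheus_exporter_blackbox_modules_extra: {}` default (or `| default({})` in the filter chain) would make the template robust. A short comment above the `{% if %}` would also tell the next reader why the capability toggles: `# CAP_NET_RAW is only needed for icmp probers (raw sockets); grant nothing otherwise`. The unit file continues outside this hunk.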
@@ -17,7 +22,6 @@ MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
-PrivateUsers=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
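Review bot: `PrivateUsers=true` is dropped unconditionally here, although the first hunk grants CAP_NET_RAW only when an icmp prober is configured; presumably the user namespace is what kept raw sockets from working, so hosts with no icmp module lose this hardening for nothing. Making it follow the same condition keeps the two settings consistent, e.g. `PrivateUsers={{ 'false' if (prometheus_exporter_blackbox_modules | combine(prometheus_exporter_blackbox_modules_extra) | dict2items | selectattr('value.prober', 'eq', 'icmp') | length > 0) else 'true' }}`. The unit file continues outside this hunk.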
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
index eb77d6d1..5eb7c570 100644
--- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
+++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
@@ -54,12 +54,12 @@ scrape_configs:
- target_label: __address__
replacement: 192.168.32.230:9999
- - job_name: 'tcp_tls'
+ - job_name: 'https'
metrics_path: /proxy
params:
module:
- blackbox
- - tcp_tls
+ - http_tls_2xx
scheme: https
tls_config:
ca_file: /etc/ssl/prometheus/ca-crt.pem
@@ -67,7 +67,7 @@ scrape_configs:
key_file: /etc/ssl/prometheus/server/exporter-key.pem
static_configs:
- targets:
- - web.chaos-at-home.org:443
+ - web.chaos-at-home.org
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
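Review bot: The new target `web.chaos-at-home.org` carries no scheme, and the blackbox http prober prefixes scheme-less targets with `http://`; combined with `fail_if_not_ssl: true` the probe then only succeeds if the plain-HTTP listener redirects to HTTPS and the redirect is followed, so the job effectively measures the redirect path rather than the TLS endpoint itself and would go red if only the port-80 redirector failed. Writing the target as `- https://web.chaos-at-home.org` probes the TLS service directly. If monitoring the redirect is the intent, a comment on the target saying so would avoid the ambiguity.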
@@ -75,3 +75,25 @@ scrape_configs:
target_label: instance
- target_label: __address__
replacement: 192.168.32.230:9999
+
+ - job_name: 'ssh'
+ metrics_path: /proxy
+ params:
+ module:
+ - blackbox
+ - ssh_banner
+ scheme: https
+ tls_config:
+ ca_file: /etc/ssl/prometheus/ca-crt.pem
+ cert_file: /etc/ssl/prometheus/server/exporter-crt.pem
+ key_file: /etc/ssl/prometheus/server/exporter-key.pem
+ static_configs:
+ - targets:
+ - 192.168.32.230:222
+ relabel_configs:
+ - source_labels: [__address__]
+ target_label: __param_target
+ - target_label: instance
+ replacement: 'ch-mon'
+ - target_label: __address__
+ replacement: 192.168.32.230:9999
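Review bot: The `ssh` job hardcodes the `instance` label to `'ch-mon'` via `replacement`, while `__param_target` is taken from `__address__`; as soon as a second target is added to `static_configs`, both probes carry the same instance label and their series collide. Deriving it from the address, e.g. `- source_labels: [__address__]` / `  regex: '([^:]+)(:\d+)?'` / `  target_label: instance` with `replacement: '${1}'`, keeps the job consistent with how the other blackbox jobs appear to set `instance`. The `scheme`, `tls_config` and relabel stanzas are now repeated verbatim across three jobs; a Jinja macro taking module, targets and instance would make the template easier to keep in sync.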