-rw-r--r-- | chaos-at-home/ch-mon.yml | 2 | ||||
-rw-r--r-- | chaos-at-home/host_vars/ch-http-proxy.yml | 42 | ||||
-rw-r--r-- | chaos-at-home/host_vars/ch-mon.yml | 49 | ||||
-rw-r--r-- | inventory/host_vars/ch-http-proxy.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/ch-mon.yml | 58 | ||||
-rw-r--r-- | roles/monitoring/grafana/defaults/main.yml | 7 | ||||
-rw-r--r-- | roles/monitoring/grafana/tasks/main.yml | 22 | ||||
-rw-r--r-- | roles/monitoring/landingpage/defaults/main.yml | 13 | ||||
-rw-r--r-- | roles/monitoring/landingpage/tasks/main.yml | 17 | ||||
-rw-r--r-- | roles/monitoring/landingpage/templates/index.html.j2 | 2 |
10 files changed, 163 insertions, 51 deletions
diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml
index 0e22eb01..5d44104b 100644
--- a/chaos-at-home/ch-mon.yml
+++ b/chaos-at-home/ch-mon.yml
@@ -14,6 +14,8 @@
 - role: storage/lvm/groups
 - role: nginx/base
 - role: apt-repo/spreadspace
+ - role: nginx/auth/whawty-sso/base
+ - role: nginx/auth/whawty-sso/auth
 - role: monitoring/prometheus/server
 - role: monitoring/prometheus/exporter
 - role: monitoring/prometheus/alertmanager
diff --git a/chaos-at-home/host_vars/ch-http-proxy.yml b/chaos-at-home/host_vars/ch-http-proxy.yml
index 37bfb8c6..07dc655d 100644
--- a/chaos-at-home/host_vars/ch-http-proxy.yml
+++ b/chaos-at-home/host_vars/ch-http-proxy.yml
@@ -1,22 +1,22 @@
 $ANSIBLE_VAULT;1.2;AES256;chaos-at-home
-39653130626231373336313238643865323834663239623964316638646436636531303761356163
-3931636530306337306466383333626530663061326563620a366236373962346564386332626239
-33626334663639363731376161666563646135653735343534306639393136623431636165633333
-3233636565326531630a646639366238343466316131653236306561346538343161386136613736
-32336165353566323266613735356138336261613737653064653866313564626339663262303266
-30323535623965613938383930383938663938363738613636643566323234613433393439366434
-64333738333032316538613538356563333562636436636436326133393434373061373661363565
-38326332343038353365616634306366663264383564383762333230623530343061623439626631
-33646339383532616566376633663430383530663166373163613163303564353062316166383730
-35633461333238333532303434326132656339666232313965316264343739393766323938303062
-62616465613230356465656537613131363135663832346530623232626436646531363931633366
-66396261653130623533616530313161333038653334653039623138353337323631613137383664
-35353563376530373131623739393930613365346230343231636632613234613663366438646236
-37356162323938653734313064393330353437653962316565376233326461636162636163353430
-32333939373864653264316263346434616631373830656530313337626232633432633937316234
-64613131396634613962313766373135383030616137633634326637373966633236643463396265
-62313364313365643939363139366361636137613965616632323734633034633964333032656562
-30663963323038323734633761303632633666373736303263386231653538363933623064303039
-65613466323933386263353335636137316162373563613463636663643761633430333138383931
-35393263383230393333303539663534646465333862616533346161386665333864323937353536
-3438
+63313961666162316532353939366130396166333935653066343665353566323661373639356232
+6431656639646530353438666538373839323661613135300a373662616166643566316437353265
+39386362623134613863616261386565643862343839623630613338326139633031393965356234
+6334646538373032640a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
diff --git a/chaos-at-home/host_vars/ch-mon.yml b/chaos-at-home/host_vars/ch-mon.yml
index 96c4c285..bf25aa19 100644
--- a/chaos-at-home/host_vars/ch-mon.yml
+++ b/chaos-at-home/host_vars/ch-mon.yml
@@ -1,24 +1,27 @@
 $ANSIBLE_VAULT;1.2;AES256;chaos-at-home
-65383763373634393962376161393736376237393739343163323137353139623336313561356230
-6631343766386232636464383333623539666465346130640a343235623237623561356664316365
-38613035306664383438376535386437376365623435633638303834653362303935333431633833
-3366646538633830360a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a613461626465313138363231393132
+38643134323531393866383338323064343863636630613263363563303666366664646638636535
+3439613635393937640a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
diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml
index 255dbebe..d5f38241 100644
--- a/inventory/host_vars/ch-http-proxy.yml
+++ b/inventory/host_vars/ch-http-proxy.yml
@@ -55,7 +55,7 @@ whawty_nginx_sso_logins:
 domain: ".chaos-at-home.org"
 name: __Secure-chaos-at-home-sso
 secure: yes
- expire: 23h
+ expire: 167h
 keys:
 - name: 2023-11
 ed25519:
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index f21bd9b2..cb5bcfed 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -53,9 +53,31 @@ lvm_groups:
 spreadspace_apt_repo_components:
+ - main
 - prometheus
+whawty_nginx_sso_backends:
+ chaos-at-home:
+ port: 1234
+ login_url: https://login.chaos-at-home.org/login
+
+whawty_nginx_sso_auths:
+ chaos-at-home:
+ config:
+ cookie:
+ name: __Secure-chaos-at-home-sso
+ keys:
+ - name: 2023-11
+ ed25519:
+ public-key: |-
+ -----BEGIN PUBLIC KEY-----
+ MCowBQYDK2VwAyEAawvVwThGnYYBDLjQ0Rs71prAmxQ/tfaPUNZvPWS3Z3U=
+ -----END PUBLIC KEY-----
+ web:
+ listen: 127.0.0.1:1234
+
+
 prometheus_server_storage:
 type: lvm
 vg: mondata
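Review bot: `expire: 167h` extends the SSO session cookie from about one day to about one week without recording why, and that window is exactly how long a leaked or forgotten cookie stays usable. Put the trade-off next to the value, e.g. `expire: 167h  # ~7 days; <reason for the longer session>`, so the next reader does not shorten or lengthen it blindly. The rest of the `whawty_nginx_sso_logins` mapping (including any idle timeout the backend may support) is outside the hunk, so whether anything else bounds the session cannot be seen here.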
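Review bot: `port: 1234` under `whawty_nginx_sso_backends` and `listen: 127.0.0.1:1234` under `whawty_nginx_sso_auths` describe the same local endpoint twice, so editing one without the other presumably leaves the auth_request backend pointing at a port nothing listens on. Deriving one from the other, e.g. `listen: "127.0.0.1:{{ whawty_nginx_sso_backends['chaos-at-home'].port }}"`, or at least a comment on each line naming its counterpart, keeps them from drifting. The `public-key` block uses `|-`, which strips the final newline from the PEM; that is fine if the consuming role writes the value through unchanged, but worth confirming. Only the Ed25519 public key is committed here, which is the right half to keep in the inventory.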
@@ -74,12 +96,12 @@ prometheus_server_alertmanager:
 username: server
 password: "{{ vault_prometheus_alertmanager_auth_user_passwords['server'] }}"
-prometheus_server_web_external_url: "http://{{ network.primary.address | ansible.utils.ipaddr('address') }}/prometheus/"
+prometheus_server_web_external_url: "http://mon.chaos-at-home.org/prometheus/"
 prometheus_server_auth_users:
 server: "{{ vault_prometheus_server_auth_user_passwords['server'] }}"
 grafana: "{{ vault_prometheus_server_auth_user_passwords['grafana'] }}"
- admin: "{{ vault_prometheus_server_auth_user_passwords['admin'] }}"
+ proxy: "{{ vault_prometheus_server_auth_user_passwords['proxy'] }}"
 prometheus_server_selfscraping_auth:
 username: server
@@ -109,7 +131,7 @@ prometheus_job_multitarget_blackbox__probe:
 target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
 module: ssh_banner
 - instance: "https-mon.chaos-at-home.org"
- target: "https://{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ target: "https://{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/healthz"
 module: http_tls_2xx
 prometheus_job_multitarget_ssl__probe:
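Review bot: `prometheus_server_web_external_url` now points at `http://mon.chaos-at-home.org/prometheus/`, but the same host is served with TLS (`monitoring_landingpage_tls` further down this file) and the blackbox probe in the next hunk checks it over https; Prometheus builds redirects and alert links from this value, so it should presumably read `prometheus_server_web_external_url: "https://mon.chaos-at-home.org/prometheus/"`. The same scheme question applies to `prometheus_alertmanager_web_external_url` in the `@@ -143,11 +165,11 @@` hunk. If plain http is intentional (for example because the proxy rewrites the scheme), a comment on the line saying so would stop this from being re-raised.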
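Review bot: The `https-mon.chaos-at-home.org` probe target now ends in `/healthz`, which the vhost extra directives added later in this diff answer with `auth_request off; return 200;` before any upstream is involved, so the `http_tls_2xx` check only attests that nginx and its certificate are up, not that the landing page or the proxied services respond. If end-to-end coverage is still wanted, keep a second target for `/` (it would need the SSO cookie or credentials now) or record the narrower scope next to the instance, e.g. `# /healthz bypasses SSO and upstreams: probe covers TLS + nginx only`.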
@@ -143,11 +165,11 @@ prometheus_alertmanager_smtp:
 from: "noreply@chaos-at-home.org"
 require_tls: no
-prometheus_alertmanager_web_external_url: "http://{{ network.primary.address | ansible.utils.ipaddr('address') }}/alertmanager/"
+prometheus_alertmanager_web_external_url: "http://mon.chaos-at-home.org/alertmanager/"
 prometheus_alertmanager_auth_users:
 server: "{{ vault_prometheus_alertmanager_auth_user_passwords['server'] }}"
- admin: "{{ vault_prometheus_alertmanager_auth_user_passwords['admin'] }}"
+ proxy: "{{ vault_prometheus_alertmanager_auth_user_passwords['proxy'] }}"
 prometheus_alertmanager_route:
 receiver: empty
@@ -168,6 +190,13 @@ prometheus_alertmanager_receivers:
 grafana_secret_key: "{{ vault_grafana_secret_key }}"
+grafana_config_auth:
+ disable_signout_menu: true
+
+grafana_config_auth_proxy:
+ enabled: true
+ whitelist: 127.0.0.1
+
 grafana_datasources:
 - name: "Prometheus"
 type: "prometheus"
@@ -204,6 +233,7 @@ grafana_dashboards:
 grafana_admin_password: "{{ vault_grafana_admin_password }}"
+
 monitoring_landingpage_hostnames:
 - "mon.chaos-at-home.org"
 monitoring_landingpage_title: "chaos@home Monitoring Host"
@@ -239,3 +269,21 @@ monitoring_landingpage_tls:
 not_before: +0h
 not_after: +365d
 renew_margin: +70d
+
+monitoring_landingpage_vhost_extra_directives: |
+ include snippets/whawty-sso-chaos-at-home.conf;
+
+ location = /healthz {
+ auth_request off;
+ return 200;
+ }
+
+monitoring_landingpage_service_extra_directives:
+ prometheus: |
+ proxy_set_header Authorization "Basic {{ ('proxy:'~prometheus_server_auth_users['proxy']) | b64encode }}";
+ alertmanager: |
+ proxy_set_header Authorization "Basic {{ ('proxy:'~prometheus_alertmanager_auth_users['proxy']) | b64encode }}";
+ grafana: |
+ auth_request_set $username $upstream_http_x_username;
+ proxy_set_header X-WEBAUTH-USER $username;
+ proxy_set_header Authorization "";
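Review bot: `grafana_config_auth_proxy` turns on header authentication with `whitelist: 127.0.0.1` but leaves `header_name` and `auto_sign_up` at Grafana's defaults, which the `X-WEBAUTH-USER` directives in the last hunk of this file depend on; spelling them out keeps the contract visible, e.g. `header_name: X-WEBAUTH-USER` and `auto_sign_up: false` (or true, whichever is intended). With only loopback whitelisted, any local process that can reach Grafana's listener can present the header, so a short comment that Grafana must stay bound to localhost and be reached only through the landing page proxy would document the trust assumption. The `grafana_config_server` listener settings this relies on are not part of the diff.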
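Review bot: The grafana directives end with `proxy_set_header Authorization "";` but nothing says why; a comment such as `# drop any Basic credentials the browser sends so Grafana only trusts X-WEBAUTH-USER set from auth_request` would keep a future cleanup from removing it. `auth_request_set $username $upstream_http_x_username;` presumably relies on the `auth_request` configured inside `snippets/whawty-sso-chaos-at-home.conf`, which is outside this diff; a note next to the `include` line that the grafana location depends on it would help. The prometheus and alertmanager entries embed the `proxy` user's password in the rendered nginx config, which is what the `mode: "0600"` added to `roles/monitoring/landingpage/tasks/main.yml` in this same commit protects; referencing that in a comment here ties the two together.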
diff --git a/roles/monitoring/grafana/defaults/main.yml b/roles/monitoring/grafana/defaults/main.yml
index 0eaeb061..20b886ca 100644
--- a/roles/monitoring/grafana/defaults/main.yml
+++ b/roles/monitoring/grafana/defaults/main.yml
@@ -22,6 +22,13 @@ grafana_config_users:
 allow_sign_up: false
 allow_org_create: false
+grafana_config_auth: {}
+# disable_signout_menu: true
+
+grafana_config_auth_proxy: {}
+# enabled: true
+# whitelist: 127.0.0.1
+
 grafana_datasources: []
 # - name: "Prometheus"
diff --git a/roles/monitoring/grafana/tasks/main.yml b/roles/monitoring/grafana/tasks/main.yml
index 1e21ea39..de2857df 100644
--- a/roles/monitoring/grafana/tasks/main.yml
+++ b/roles/monitoring/grafana/tasks/main.yml
@@ -68,6 +68,28 @@
 value: "{{ item.value | string }}"
 notify: restart grafana
+- name: configure grafana auth
+ loop: "{{ grafana_config_auth | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ ini_file:
+ path: /etc/grafana/grafana.ini
+ section: auth
+ option: "{{ item.key }}"
+ value: "{{ item.value | string }}"
+ notify: restart grafana
+
+- name: configure grafana auth.proxy
+ loop: "{{ grafana_config_auth_proxy | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ ini_file:
+ path: /etc/grafana/grafana.ini
+ section: auth.proxy
+ option: "{{ item.key }}"
+ value: "{{ item.value | string }}"
+ notify: restart grafana
+
 - name: install datasources
 copy:
diff --git a/roles/monitoring/landingpage/defaults/main.yml b/roles/monitoring/landingpage/defaults/main.yml
index 8cdaba86..8c093099 100644
--- a/roles/monitoring/landingpage/defaults/main.yml
+++ b/roles/monitoring/landingpage/defaults/main.yml
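Review bot: The two new `ini_file` loops only add or update keys present in `grafana_config_auth` and `grafana_config_auth_proxy`; because the defaults are `{}`, removing `enabled: true` from a host's `grafana_config_auth_proxy` leaves `enabled = true` in `/etc/grafana/grafana.ini` from the previous run, so header authentication stays active until someone writes `enabled: false` explicitly. That is a security-relevant surprise, so either document it next to the new defaults (`# keys are only added/updated, never removed; set enabled: false to switch auth.proxy off`) or write the `enabled` option unconditionally with `value: "{{ grafana_config_auth_proxy.enabled | default(false) | string }}"`. The existing loops above (the `value:`/`notify:` context lines) appear to follow the same pattern, so this is not new to this commit, but the auth sections are where it bites.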
@@ -11,3 +11,16 @@ monitoring_landingpage_services:
 - prometheus
 - alertmanager
 - grafana
+
+# monitoring_landingpage_vhost_extra_directives: |
+# include snippets/whawty-sso-example.conf;
+
+monitoring_landingpage_service_extra_directives: {}
+# prometheus: |
+# proxy_set_header Authorization "Basic {{ 'user:pass' | b64encode }}";
+# alertmanager: |
+# proxy_set_header Authorization "Basic {{ 'user:pass' | b64encode }}";
+# grafana: |
+# auth_request_set $username $upstream_http_x_username;
+# proxy_set_header X-WEBAUTH-USER $username;
+# proxy_set_header Authorization "";
diff --git a/roles/monitoring/landingpage/tasks/main.yml b/roles/monitoring/landingpage/tasks/main.yml
index 0e24b016..e9512700 100644
--- a/roles/monitoring/landingpage/tasks/main.yml
+++ b/roles/monitoring/landingpage/tasks/main.yml
@@ -13,6 +13,7 @@
 vars:
 monitoring_landingpage_vhost_base:
 name: landingpage
+ mode: "0600"
 template: generic
 hostnames: "{{ monitoring_landingpage_hostnames }}"
 locations:
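Review bot: `mode: "0600"` on `monitoring_landingpage_vhost_base` is added without a reason; the reason is visible elsewhere in this commit — the rendered vhost can now carry `Authorization: Basic` proxy credentials from `monitoring_landingpage_service_extra_directives` — and belongs next to the key, e.g. `mode: "0600"  # vhost may embed proxy credentials (service extra_directives)`. Whether the vhost role honours a `mode` key, and with which owner it writes the file, cannot be seen from this hunk, so confirm the permission is actually applied and that nginx still loads the file. The enclosing task starts before the hunk.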
@@ -23,18 +24,34 @@
 tls:
 {{ monitoring_landingpage_tls | to_nice_yaml(indent=2) | indent(2) }}
 {% endif %}
+ {% if monitoring_landingpage_vhost_extra_directives is defined %}
+ extra_directives: |
+ {{ monitoring_landingpage_vhost_extra_directives | indent(2) }}
+ {% endif %}
 locations:
 {% if 'prometheus' in monitoring_landingpage_services %}
 '/prometheus/':
 proxy_pass: "http://{{ prometheus_server_web_listen_address | default('127.0.0.1:9090') }}"
+ {% if 'prometheus' in monitoring_landingpage_service_extra_directives %}
+ extra_directives: |
+ {{ monitoring_landingpage_service_extra_directives['prometheus'] | indent(6) }}
+ {% endif %}
 {% endif %}
 {% if 'alertmanager' in monitoring_landingpage_services %}
 '/alertmanager/':
 proxy_pass: "http://{{ prometheus_alertmanager_web_listen_address | default('127.0.0.1:9093') }}"
+ {% if 'alertmanager' in monitoring_landingpage_service_extra_directives %}
+ extra_directives: |
+ {{ monitoring_landingpage_service_extra_directives['alertmanager'] | indent(6) }}
+ {% endif %}
 {% endif %}
 {% if 'grafana' in monitoring_landingpage_services %}
 '/grafana/':
 proxy_pass: "http://{{ grafana_config_server.http_addr | default('localhost') }}:{{ grafana_config_server.http_port | default(3000) }}"
+ {% if 'grafana' in monitoring_landingpage_service_extra_directives %}
+ extra_directives: |
+ {{ monitoring_landingpage_service_extra_directives['grafana'] | indent(6) }}
+ {% endif %}
 {% endif %}
 set_fact:
 monitoring_landingpage_vhost: "{{ monitoring_landingpage_vhost_base | combine(monitoring_landingpage_vhost_override__yaml | from_yaml, recursive=True) }}"
diff --git a/roles/monitoring/landingpage/templates/index.html.j2 b/roles/monitoring/landingpage/templates/index.html.j2
index 3c6cbe98..769ba1a2 100644
--- a/roles/monitoring/landingpage/templates/index.html.j2
+++ b/roles/monitoring/landingpage/templates/index.html.j2
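Review bot: The three service blocks repeat the same four-line `extra_directives` stanza with a hard-coded `indent(6)`, and the vhost-level one uses `indent(2)`; these numbers have to track the nesting of the YAML that is being assembled as text, and a wrong value only shows up as a `from_yaml` error at the `set_fact` below. A comment at the top of the override, e.g. `# indent() arguments must match the column of the enclosing key in the generated YAML`, would make the rule explicit; alternatively build the per-service entries with `combine` on the dict side so no text indentation is involved. The `monitoring_landingpage_vhost_override__yaml` value this belongs to starts before the hunk.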
@@ -15,7 +15,7 @@
 <li><a target='_blank' href='/alertmanager/'>Prometheus Alertmanager</a></li>
 {% endif %}
 {% if 'grafana' in monitoring_landingpage_services %}
- <li><a target='_blank' href='/grafana/'>Grafana</a></li>
+ <li><a target='_blank' href='/grafana/dashboards'>Grafana</a></li>
 {% endif %}
 </ul>
 </div> |