-rw-r--r--inventory/host_vars/ch-mon.yml4
-rw-r--r--roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml10
-rw-r--r--roles/monitoring/prometheus/exporter/blackbox/templates/service.j26
-rw-r--r--roles/monitoring/prometheus/server/templates/prometheus.yml.j228
4 files changed, 41 insertions, 7 deletions
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index 6bfa58d4..222b0e08 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -60,3 +60,7 @@ prometheus_server_storage:
lv: prometheus
size: 30G
fs: ext4
+
+prometheus_exporter_blackbox_modules_extra:
+ icmp:
+ prober: icmp
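Review bot: The new `prometheus_exporter_blackbox_modules_extra` block has no comment saying why icmp is configured per host rather than in the role defaults, and the side effect is not visible from here: in this same commit the unit template grants the exporter CAP_NET_RAW whenever any module has `prober: icmp`. A short comment above the key would make that coupling explicit, e.g. `# an icmp-prober module makes the exporter unit request CAP_NET_RAW (see roles/monitoring/prometheus/exporter/blackbox/templates/service.j2)`.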
diff --git a/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml b/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml
index fcf66555..4e7d8d9a 100644
--- a/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml
+++ b/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml
@@ -1,10 +1,8 @@
---
prometheus_exporter_blackbox_modules:
- icmp:
- prober: icmp
tcp_connect:
prober: tcp
- tcp_tls:
+ tcp_tls_connect:
prober: tcp
tcp:
tls: true
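Review bot: No default for `prometheus_exporter_blackbox_modules_extra` is added alongside the removal of the icmp module here, yet the service.j2 hunk in this commit calls `combine(prometheus_exporter_blackbox_modules_extra)` unconditionally, so hosts that do not set the variable will fail to render the unit unless a default exists in a part of this file or the role I cannot see. Adding `prometheus_exporter_blackbox_modules_extra: {}` to these defaults (or `| default({})` at the call site in the template) keeps the role usable without per-host overrides. The `tcp_tls` → `tcp_tls_connect` rename is also a user-visible key change; a note in the role README would help anyone referencing the old module name.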
@@ -12,6 +10,12 @@ prometheus_exporter_blackbox_modules:
insecure_skip_verify: true
http_2xx:
prober: http
+ http_tls_2xx:
+ prober: http
+ http:
+ fail_if_not_ssl: true
+ tls_config:
+ insecure_skip_verify: true
ssh_banner:
prober: tcp
tcp:
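Review bot: The new `http_tls_2xx` module sets `insecure_skip_verify: true`, so `fail_if_not_ssl` only proves that TLS was negotiated, not that the endpoint presents a certificate chaining to a trusted CA; the `https` job in prometheus.yml.j2 of this commit uses exactly this module for web.chaos-at-home.org. If certificate validity should be part of what this probe asserts, drop the `tls_config` override or add a verifying variant of the module; if skipping verification is intended, a comment above the module such as `# checks TLS presence only; the certificate chain is deliberately not validated` would record that decision.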
diff --git a/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2 b/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2
index c9c5712c..a8a91d0b 100644
--- a/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2
+++ b/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2
@@ -8,8 +8,13 @@ ExecStart=/usr/bin/prometheus-blackbox-exporter --web.listen-address="127.0.0.1:
ExecReload=/bin/kill -HUP $MAINPID
# systemd hardening-options
+{% if prometheus_exporter_blackbox_modules | combine(prometheus_exporter_blackbox_modules_extra) | dict2items | selectattr('value.prober', 'eq', 'icmp') | length > 0 %}
AmbientCapabilities=CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_RAW
+{% else %}
+AmbientCapabilities=
+CapabilityBoundingSet=
+{% endif %}
DeviceAllow=/dev/null rw
DevicePolicy=strict
LockPersonality=true
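Review bot: The condition `... | selectattr('value.prober', 'eq', 'icmp') | length > 0` will not render: `selectattr` yields a generator and Jinja2's `length` filter calls `len()` on it, which fails with "object of type 'generator' has no len()"; insert `| list` before `| length` so the line reads `{% if prometheus_exporter_blackbox_modules | combine(prometheus_exporter_blackbox_modules_extra) | dict2items | selectattr('value.prober', 'eq', 'icmp') | list | length > 0 %}`. Separately, the `PrivateUsers=true` removal in the next hunk applies to every deployment, including those without an icmp module; moving `PrivateUsers=true` into the `{% else %}` branch here would keep user-namespace isolation wherever raw sockets are not needed, assuming the removal was motivated by the icmp capability (the commit does not say). The `[Service]` section this belongs to starts outside the hunk.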
@@ -17,7 +22,6 @@ MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
-PrivateUsers=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
index eb77d6d1..5eb7c570 100644
--- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
+++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
@@ -54,12 +54,12 @@ scrape_configs:
- target_label: __address__
replacement: 192.168.32.230:9999
- - job_name: 'tcp_tls'
+ - job_name: 'https'
metrics_path: /proxy
params:
module:
- blackbox
- - tcp_tls
+ - http_tls_2xx
scheme: https
tls_config:
ca_file: /etc/ssl/prometheus/ca-crt.pem
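Review bot: Renaming the job from `tcp_tls` to `https` changes the `job` label on every series this scrape produces, so any alert rule, recording rule or dashboard selecting `job="tcp_tls"` would silently stop matching; I cannot see whether such references exist in this repository, but the commit description does not mention them. If the old name must keep working, a `- target_label: job` relabel is an option; otherwise a line in the commit message noting the label change would help operators. The `relabel_configs` of this job continue in the next hunk.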
@@ -67,7 +67,7 @@ scrape_configs:
key_file: /etc/ssl/prometheus/server/exporter-key.pem
static_configs:
- targets:
- - web.chaos-at-home.org:443
+ - web.chaos-at-home.org
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
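Review bot: The https job's target now has no scheme, and as far as I recall the blackbox http prober prepends `http://` to a scheme-less target, so with `fail_if_not_ssl: true` in the `http_tls_2xx` module the probe would only succeed if the server redirects to HTTPS and redirects are followed, neither of which is visible here. Writing the scheme explicitly, `- https://web.chaos-at-home.org`, makes the probe independent of redirect behaviour. This job's definition starts in the previous hunk.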
@@ -75,3 +75,25 @@ scrape_configs:
target_label: instance
- target_label: __address__
replacement: 192.168.32.230:9999
+
+ - job_name: 'ssh'
+ metrics_path: /proxy
+ params:
+ module:
+ - blackbox
+ - ssh_banner
+ scheme: https
+ tls_config:
+ ca_file: /etc/ssl/prometheus/ca-crt.pem
+ cert_file: /etc/ssl/prometheus/server/exporter-crt.pem
+ key_file: /etc/ssl/prometheus/server/exporter-key.pem
+ static_configs:
+ - targets:
+ - 192.168.32.230:222
+ relabel_configs:
+ - source_labels: [__address__]
+ target_label: __param_target
+ - target_label: instance
+ replacement: 'ch-mon'
+ - target_label: __address__
+ replacement: 192.168.32.230:9999
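Review bot: The new `ssh` job is a near-verbatim copy of the `https` job above it: the `metrics_path`, `params.module[0]`, `scheme`, the three `tls_config` paths and the proxy `__address__` replacement are repeated per job, so a change to the proxy address or certificate paths now has to be made in three places. A `{% for %}` over a list variable holding only what differs (job name, module, target, instance label — e.g. a constructed `prometheus_server_blackbox_proxy_jobs`) would keep one body, which this file's Jinja templating already allows. The hard-coded `replacement: 'ch-mon'` for `instance` and the literal `192.168.32.230:222` target would then also live in that list rather than in the template.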