8 files changed, 128 insertions, 13 deletions
diff --git a/inventory/group_vars/ele-ups/vars.yml b/inventory/group_vars/ele-ups/vars.yml index 0c4f0086..b19f68e5 100644 --- a/inventory/group_vars/ele-ups/vars.yml +++ b/inventory/group_vars/ele-ups/vars.yml @@ -6,7 +6,7 @@ ssh_users_root: network_mgmt_zone: "{{ network_zones.mgmt }}" openwrt_variant: openwrt -openwrt_release: 19.07.2 +openwrt_release: 19.07.7 openwrt_arch: ramips openwrt_target: mt7620 openwrt_profile: ravpower_wd03 @@ -33,6 +33,10 @@ openwrt_packages_add: - nut-driver-usbhid-ups - nut-upsc - nut-upscmd + - prometheus-node-exporter-lua + - prometheus-node-exporter-lua-nat_traffic + - prometheus-node-exporter-lua-netstat + - prometheus-node-exporter-lua-openwrt openwrt_mixin: @@ -69,13 +73,13 @@ openwrt_mixin: start() { iptables -A INPUT -p tcp --dport 3493 -s 127.0.0.0/8 -j ACCEPT - iptables -A INPUT -p tcp --dport 3493 -s {{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ipaddr('address') }} -j ACCEPT + iptables -A INPUT -p tcp --dport 3493 -s {{ network_mgmt_zone.prefix | ipaddr(network_mgmt_zone.offsets['ele-mon']) | ipaddr('address') }} -j ACCEPT iptables -A INPUT -p tcp --dport 3493 -j DROP } stop() { iptables -D INPUT -p tcp --dport 3493 -j DROP - iptables -D INPUT -p tcp --dport 3493 -s {{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ipaddr('address') }} -j ACCEPT + iptables -D INPUT -p tcp --dport 3493 -s {{ network_mgmt_zone.prefix | ipaddr(network_mgmt_zone.offsets['ele-mon']) | ipaddr('address') }} -j ACCEPT iptables -D INPUT -p tcp --dport 3493 -s 127.0.0.0/8 -j ACCEPT } @@ -127,6 +131,13 @@ openwrt_uci: netmask: "{{ network_mgmt_zone.prefix | ipaddr('netmask') }}" accept_ra: 0 + prometheus-node-exporter-lua: + - name: prometheus-node-exporter-lua 'main' + options: + listen_interface: 'mgmt' + listen_ipv6: '0' + listen_port: '9100' + nut_server: - name: listen_address options: 
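Review bot: The new `prometheus-node-exporter-lua` section under `openwrt_uci` binds the exporter to the `mgmt` interface on port 9100, but the init script in the preceding hunk still filters only port 3493. As far as this diff shows, any host in the management zone can therefore read the metrics over plain HTTP. If only ele-mon is meant to scrape it, mirror the NUT rules for the new port in `start()` using the same source expression: `iptables -A INPUT -p tcp --dport 9100 -s <ele-mon address> -j ACCEPT` followed by `iptables -A INPUT -p tcp --dport 9100 -j DROP`, with matching `-D` lines in `stop()`. The rest of the init script lies outside the hunk, so an existing rule for 9100 cannot be ruled out.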
diff --git a/inventory/host_vars/ele-mon.yml b/inventory/host_vars/ele-mon.yml index 967093be..d5aea850 100644 --- a/inventory/host_vars/ele-mon.yml +++ b/inventory/host_vars/ele-mon.yml @@ -62,6 +62,7 @@ prometheus_server_web_external_url: /prometheus/ prometheus_exporters_extra: - blackbox + - nut prometheus_exporter_blackbox_modules_extra: icmp: @@ -78,11 +79,43 @@ prometheus_server_jobs_extra: | - job_name: 'node-openwrt' scheme: http static_configs: - - targets: - - 192.168.42.170:9100 - - 192.168.42.171:9100 - - 192.168.42.172:9100 - - 192.168.42.173:9100 - - 192.168.42.174:9100 - - 192.168.42.175:9100 - - 192.168.42.254:9100 + - targets: + - 192.168.42.170:9100 + - 192.168.42.171:9100 + - 192.168.42.172:9100 + - 192.168.42.173:9100 + - 192.168.42.174:9100 + - 192.168.42.175:9100 + # - 192.168.42.210:9100 + # - 192.168.42.211:9100 + # - 192.168.42.212:9100 + - 192.168.42.213:9100 + - 192.168.42.254:9100 + + - job_name: 'nut' + metrics_path: /proxy + params: + module: + - nut + scheme: https + tls_config: + ca_file: /etc/ssl/prometheus/ca-crt.pem + cert_file: /etc/ssl/prometheus/server/scrape-crt.pem + key_file: /etc/ssl/prometheus/server/scrape-key.pem + static_configs: + - targets: + # - nextlib0@192.168.42.210 + # - nextlib1@192.168.42.211 + # - nextlib2@192.168.42.212 + - nextlib3@192.168.42.213 + relabel_configs: + - source_labels: [__address__] + regex: .*@(.*) + target_label: __param_server + - source_labels: [__address__] + regex: (.*)@.* + target_label: __param_ups + - source_labels: [__param_ups] + target_label: instance + - target_label: __address__ + replacement: 192.168.18.220:9999 diff --git a/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml b/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml index 3b8e997d..7ecd8113 100644 --- a/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml 
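Review bot: In the new `nut` job the relabel rules copy the part after `@` of each target into `__param_server`, so the exporter behind `192.168.18.220:9999` connects to whichever host the request names; anyone who can reach `/proxy` with module `nut` can direct it at other addresses. The client certificate in `tls_config` limits this only if the proxy is set up to require and verify client certificates, which this diff does not show and should be confirmed. Because `replacement` is an IP literal, the server certificate also needs an IP SAN for it, or `server_name: <name in the certificate>` has to be added under `tls_config`. A comment above the job such as `# target format: <ups name>@<upsd host>; scraped through the exporter_exporter proxy` would explain the unusual target syntax.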
@@ -21,7 +21,7 @@ dest: /etc/systemd/system/prometheus-blackbox-exporter.service notify: restart prometheus-blackbox-exporter -- name: make sure prometheus-exporter-exporter is enabled and started +- name: make sure prometheus-blackbox-exporter is enabled and started systemd: name: prometheus-blackbox-exporter.service daemon_reload: yes diff --git a/roles/monitoring/prometheus/exporter/meta/main.yml b/roles/monitoring/prometheus/exporter/meta/main.yml index d1d3eac7..01e3f7f2 100644 --- a/roles/monitoring/prometheus/exporter/meta/main.yml +++ b/roles/monitoring/prometheus/exporter/meta/main.yml @@ -5,3 +5,5 @@ dependencies: when: "'node' in (prometheus_exporters_default | union(prometheus_exporters_extra))" - role: monitoring/prometheus/exporter/blackbox when: "'blackbox' in (prometheus_exporters_default | union(prometheus_exporters_extra))" + - role: monitoring/prometheus/exporter/nut + when: "'nut' in (prometheus_exporters_default | union(prometheus_exporters_extra))" diff --git a/roles/monitoring/prometheus/exporter/node/tasks/main.yml b/roles/monitoring/prometheus/exporter/node/tasks/main.yml index c8756acf..8392e580 100644 --- a/roles/monitoring/prometheus/exporter/node/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/node/tasks/main.yml @@ -15,7 +15,7 @@ dest: /etc/systemd/system/prometheus-node-exporter.service notify: restart prometheus-node-exporter -- name: make sure prometheus-exporter-exporter is enabled and started +- name: make sure prometheus-node-exporter is enabled and started systemd: name: prometheus-node-exporter.service daemon_reload: yes diff --git a/roles/monitoring/prometheus/exporter/nut/handlers/main.yml b/roles/monitoring/prometheus/exporter/nut/handlers/main.yml new file mode 100644 index 00000000..6e10f43b --- /dev/null +++ b/roles/monitoring/prometheus/exporter/nut/handlers/main.yml 
@@ -0,0 +1,11 @@
+---
+- name: restart prometheus-nut-exporter
+ service:
+ name: prometheus-nut-exporter
+ state: restarted
+
+- name: reload prometheus-exporter-exporter
+ service:
+ name: prometheus-exporter-exporter
+ ## TODO: implement reload once exporter_exporter supports this...
+ state: restarted
diff --git a/roles/monitoring/prometheus/exporter/nut/tasks/main.yml b/roles/monitoring/prometheus/exporter/nut/tasks/main.yml
new file mode 100644
index 00000000..519ac7a0
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/nut/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- name: install apt packages
+ apt:
+ name: prom-exporter-nut
+ state: present
+
+- name: generate systemd service unit
+ template:
+ src: service.j2
+ dest: /etc/systemd/system/prometheus-nut-exporter.service
+ notify: restart prometheus-nut-exporter
+
+- name: make sure prometheus-nut-exporter is enabled and started
+ systemd:
+ name: prometheus-nut-exporter.service
+ daemon_reload: yes
+ state: started
+ enabled: yes
+
+- name: register exporter
+ copy:
+ content: |
+ method: http
+ http:
+ port: 9199
+ path: /ups_metrics
+ dest: /etc/prometheus/exporter/enabled/nut.yml
+ notify: reload prometheus-exporter-exporter
diff --git a/roles/monitoring/prometheus/exporter/nut/templates/service.j2 b/roles/monitoring/prometheus/exporter/nut/templates/service.j2
new file mode 100644
index 00000000..ffafcb3c
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/nut/templates/service.j2
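Review bot: The `register exporter` copy task and the `generate systemd service unit` template task in nut/tasks/main.yml set no `owner`, `group` or `mode`, so the permissions of `/etc/prometheus/exporter/enabled/nut.yml` and of the unit file depend on the umask of the run. Adding `mode: "0644"` with `owner: root` and `group: root` to both makes the result deterministic and keeps the files unwritable by the `prometheus-exporter` user. In nut/handlers/main.yml the handler named `reload prometheus-exporter-exporter` actually restarts the service; handler names are global within a play, so if another exporter role defines the same name (not visible here) only one definition is used. `daemon_reload: yes` and `enabled: yes` would read better as `true`.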
@@ -0,0 +1,30 @@
+[Unit]
+Description=Prometheus nut exporter
+
+[Service]
+Restart=always
+User=prometheus-exporter
+ExecStart=/usr/bin/prometheus-nut-exporter --web.listen-address="127.0.0.1:9199"
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target |
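Review bot: The hardening block leaves the unit's network reach unrestricted, although the service only needs its loopback listener on 9199 and outbound connections to the upsd hosts. Because the host to query is taken from the scrape request (the `nut` job sets `__param_server`), it is worth bounding egress in the unit itself with `IPAddressDeny=any` and `IPAddressAllow=localhost <mgmt prefix>`, and limiting socket types with `RestrictAddressFamilies=AF_INET AF_INET6` (test name resolution afterwards, which may need further families). Running `systemd-analyze security prometheus-nut-exporter.service` will list the remaining open items, for example a system-call filter, `ProtectKernelLogs=` and `RestrictSUIDSGID=`.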