-rw-r--r-- | chaos-at-home/ch-mon.yml | 12 | ||||
-rw-r--r-- | inventory/group_vars/chaos-at-home/network.yml | 3 | ||||
-rw-r--r-- | inventory/host_vars/ch-mon.yml | 62 | ||||
-rw-r--r-- | inventory/hosts.ini | 2 | ||||
-rw-r--r-- | roles/monitoring/prometheus/server/tasks/main.yml | 48 | ||||
-rw-r--r-- | roles/monitoring/prometheus/server/templates/prometheus.service.j2 | 38 | ||||
-rw-r--r-- | roles/monitoring/prometheus/server/templates/prometheus.yml.j2 | 11 |
7 files changed, 175 insertions, 1 deletions
diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml new file mode 100644 index 00000000..fb0eff53 --- /dev/null +++ b/chaos-at-home/ch-mon.yml @@ -0,0 +1,12 @@ +--- +- name: Basic Setup + hosts: ch-mon + roles: + - role: apt-repo/base + - role: core/base + - role: core/sshd/base + - role: core/zsh + - role: core/ntp + - role: storage/lvm/groups + - role: apt-repo/spreadspace + - role: monitoring/prometheus/server diff --git a/inventory/group_vars/chaos-at-home/network.yml b/inventory/group_vars/chaos-at-home/network.yml index db345b75..fa34a7a0 100644 --- a/inventory/group_vars/chaos-at-home/network.yml +++ b/inventory/group_vars/chaos-at-home/network.yml @@ -41,6 +41,7 @@ network_zones: key: "{{ vault_wifi_keys.iot }}" offsets: ch-wled-test: 1 + ch-mon: 230 ch-iot: 254 svc: @@ -63,6 +64,7 @@ network_zones: ch-nic: 53 __svc_http__: 80 __svc_imap__: 143 + ch-mon: 230 ch-router-obsd: 253 ch-router: 254 ############# @@ -83,6 +85,7 @@ network_zones: ch-sw1: 201 ch-ap0: 220 ch-ap1: 221 + ch-mon: 230 ch-gnocchi: 240 ch-router: 241 diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml new file mode 100644 index 00000000..6bfa58d4 --- /dev/null +++ b/inventory/host_vars/ch-mon.yml 
@@ -0,0 +1,62 @@ +--- +install_jumphost: ch-jump + +install: + vm: + memory: 8G + numcpus: 8 + autostart: yes + disks: + primary: /dev/sda + scsi: + sda: + type: zfs + name: root + size: 10g + sdb: + type: zfs + name: data + size: 50g + interfaces: + - bridge: br-svc + name: svc0 + - bridge: br-iot + name: iot0 + - bridge: br-mgmt + name: mgmt0 + +network: + nameservers: "{{ network_zones.svc.dns }}" + domain: "{{ host_domain }}" + systemd_link: + interfaces: "{{ install.interfaces }}" + primary: &_network_primary_ + name: svc0 + address: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" + gateway: "{{ network_zones.svc.gateway }}" + static_routes: + - destination: "{{ network_zones.lan.prefix }}" + gateway: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ipaddr('address') }}" + interfaces: + - *_network_primary_ + - name: iot0 + address: "{{ network_zones.iot.prefix | ipaddr(network_zones.iot.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" + - name: mgmt0 + address: "{{ network_zones.mgmt.prefix | ipaddr(network_zones.mgmt.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" + + +lvm_groups: + mondata: + pvs: + - /dev/sdb + + +spreadspace_apt_repo_components: + - prometheus + +prometheus_server_storage: + type: lvm + vg: mondata + lv: prometheus + size: 30G + fs: ext4 diff --git a/inventory/hosts.ini b/inventory/hosts.ini index 871ee575..954e9374 100644 --- a/inventory/hosts.ini +++ b/inventory/hosts.ini @@ -30,6 +30,7 @@ ch-prometheus-legacy host_name=prometheus ch-testvm-prometheus host_name=testvm-prometheus ch-iot host_name=iot ch-vpn host_name=vpn +ch-mon host_name=mon ch-epimetheus host_name=epimetheus ch-mc host_name=mc ch-atlas host_name=atlas @@ -324,6 +325,7 @@ ch-prometheus-legacy ch-testvm-prometheus ch-iot ch-vpn +ch-mon ch-k8s-master [vmhost-ch-prometheus] ch-prometheus 
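Review bot: The VM is attached to three bridges (`br-svc`, `br-iot`, `br-mgmt` under `install.interfaces`), which makes the monitoring host a multi-homed node sitting between the IoT segment and the management network, and nothing in this change restricts what the iot0 side can reach on it — the ch-mon.yml playbook added here carries no firewall role. Confirm host filtering is applied elsewhere, or consider dropping the iot0 leg and scraping IoT targets over the routed path via ch-gw-lan, which this file already configures a static route for. Separately, `autostart: yes` is a YAML 1.1 truthy that yamllint flags; `autostart: true` is the conventional form.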
diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml index ec5bd9a9..ffbc5ffe 100644 --- a/roles/monitoring/prometheus/server/tasks/main.yml +++ b/roles/monitoring/prometheus/server/tasks/main.yml @@ -1,4 +1,11 @@ --- +- name: check if prometheus apt component of spreadspace repo is enabled + assert: + msg: "please enable the 'prometheus' component of spreadspace repo using 'spreadspace_apt_repo_components'" + that: + - spreadspace_apt_repo_components is defined + - "'prometheus' in spreadspace_apt_repo_components" + - name: prepare storage volume for /var/lib/prometheus when: prometheus_server_storage is defined vars: @@ -11,6 +18,45 @@ name: prom-server state: present +- name: create configuration directories + loop: + - rules + - targets + file: + path: "/etc/prometheus/{{ item }}" + state: directory + +- name: generate configuration file + template: + src: prometheus.yml.j2 + dest: /etc/prometheus/prometheus.yml + +- name: add user for server + user: + name: prometheus + system: yes + home: /var/lib/prometheus + create_home: no + +- name: create data directory + file: + path: /var/lib/prometheus/metrics2 + state: directory + owner: prometheus + group: prometheus + ## TODO: -## - systemd service unit ## - create CA and certificate/key + +- name: generate systemd service unit + template: + src: prometheus.service.j2 + dest: /etc/systemd/system/prometheus.service + notify: restart prometheus + +- name: make sure prometheus is enabled and started + systemd: + name: prometheus.service + daemon_reload: yes + state: started + enabled: yes diff --git a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 b/roles/monitoring/prometheus/server/templates/prometheus.service.j2 new file mode 100644 index 00000000..0530e589 --- /dev/null +++ b/roles/monitoring/prometheus/server/templates/prometheus.service.j2 
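Review bot: The `generate configuration file` task writes /etc/prometheus/prometheus.yml without a `notify`, so an edited scrape or rule config is never applied until something else restarts the unit, even though the new unit defines `ExecReload`; add `notify: reload prometheus` (or reuse `restart prometheus`) to that task. The `restart prometheus` handler referenced by the unit task is not part of this change (the diffstat lists no handlers file), so the play will fail with an unknown-handler error unless the role already ships it. The config file and data directory are created with default modes; since scrape configs commonly grow basic_auth or bearer credentials later, `owner: root`, `group: prometheus`, `mode: "0640"` on prometheus.yml and `mode: "0750"` on /var/lib/prometheus/metrics2 are cheap to set now. The storage-volume task between the two hunks lies outside the diff.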
@@ -0,0 +1,38 @@ +[Unit] +Description=Monitoring system and time series database +Documentation=https://prometheus.io/docs/introduction/overview/ man:prometheus(1) +After=time-sync.target + +[Service] +Restart=on-failure +User=prometheus +ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }} +ExecReload=/bin/kill -HUP $MAINPID +TimeoutStopSec=20s +SendSIGKILL=no + +# systemd hardening-options +AmbientCapabilities= +CapabilityBoundingSet= +DeviceAllow=/dev/null rw +DevicePolicy=strict +LimitMEMLOCK=0 +LimitNOFILE=8192 +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +PrivateUsers=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=full +RemoveIPC=true +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 new file mode 100644 index 00000000..cadc3ef0 --- /dev/null +++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 @@ -0,0 +1,11 @@ +global: + scrape_interval: 15s + evaluation_interval: 15s + +rule_files: + - /etc/prometheus/rules/*.yml + +scrape_configs: + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] |
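Review bot: ExecStart passes no `--web.listen-address`, so Prometheus binds its unauthenticated HTTP API on the default 0.0.0.0:9090 across every interface of this multi-homed host, including the iot0 leg; pin it to a single address by appending `--web.listen-address=<mgmt-or-svc-address>:9090` to the ExecStart line, or confirm host firewalling covers it. `ProtectSystem=full` still leaves /var writable to the service; `ProtectSystem=strict` plus `ReadWritePaths=/var/lib/prometheus` confines writes to the TSDB directory, and `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` with `SystemCallFilter=@system-service` would round out the otherwise thorough hardening set. `LimitNOFILE=8192` may prove low for Prometheus once the number of targets and TSDB blocks grows, so it is worth revisiting. `{{ prometheus_server_retention }}` is not defined anywhere in this change, so the template will fail to render unless the role's defaults already provide it.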