Diffstat (limited to 'inventory/host_vars/ch-mon.yml')
-rw-r--r--inventory/host_vars/ch-mon.yml67
1 files changed, 50 insertions, 17 deletions
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index 7671b155..b93dbd05 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -58,6 +58,30 @@ spreadspace_apt_repo_components:
nftables_base_rules:
+ main: |
+ table inet global {
+ chain input_iot {
+ ip saddr != {{ network_zones.iot.prefix }} drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ }
+
+ chain input_mgmt {
+ ip saddr != {{ network_zones.mgmt.prefix }} drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname vmap { lo: accept, svc0: accept, iot0: jump input_iot, mgmt0: jump input_mgmt }
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ }
protect-grafana-auth-proxy: |
table inet filter {
chain protect-grafana-auth-proxy {
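Review bot: The source-prefix guard in input_iot and input_mgmt (`ip saddr != {{ network_zones.iot.prefix }} drop`) matches IPv4 packets only, so an IPv6 packet arriving on iot0 or mgmt0 skips it and reaches `ip6 nexthdr ipv6-icmp accept` whatever its source; everything else still returns to the base chain and hits `policy drop`, so the exposure is limited to ICMPv6, but the chain name suggests a zone check that the IPv6 path does not perform. If these zones carry no IPv6 prefix, a comment above each chain such as `# saddr check is IPv4-only; IPv6 on this interface is limited to ICMPv6` would record that decision for the next reader, and if they do, an `ip6 saddr` rule against the zone's IPv6 prefix belongs next to the IPv4 one. Separately, `chain forward` uses `priority 0` while `chain input` uses the symbolic `priority filter`; the two are equivalent, and using `priority filter` in both keeps the table consistent.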
@@ -97,8 +121,7 @@ whawty_nginx_sso_auths:
prometheus_job_multitarget_whawty_nginx_sso:
ch-mon:
- - instance: "whawty-nginx-sso-{{ inventory_hostname }}-chaos-at-home"
- instance_name: chaos-at-home
+ - app_instance: chaos-at-home
prometheus_server_storage:
@@ -118,6 +141,7 @@ prometheus_server_alertmanager:
basic_auth:
username: server
password: "{{ vault_prometheus_alertmanager_auth_user_passwords['server'] }}"
+ scrape_instance: "{{ inventory_hostname }}"
prometheus_server_web_external_url: "http://mon.chaos-at-home.org/prometheus/"
@@ -150,18 +174,21 @@ prometheus_exporter_smokeping_targets:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
- - instance: "https-mon.chaos-at-home.org"
+ - svc_kind: https
+ svc_instance: "mon.chaos-at-home.org"
target: "https://{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/healthz"
module: http_tls_2xx
prometheus_job_multitarget_ssl__probe:
ch-mon:
- - instance: "sslcert-prometheus-{{ inventory_hostname }}"
+ - module: file
target: "/etc/ssl/prometheus/**/*.pem"
- module: file
+ sslcert_instance: prometheus
+
prometheus_server_rules_node_extra:
- alert: GitFsckMetricsOutdated
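Review bot: In the prometheus_job_multitarget_ssl__probe entry the new ordering puts `module: file` first and `sslcert_instance: prometheus` last, while the blackbox entries above keep their instance keys first and `module` last; writing it as `- sslcert_instance: prometheus`, then `target:`, then `module: file` keeps the two lists parallel. The new `svc_instance: "mon.chaos-at-home.org"` on the https probe is a label only: the target on the unchanged line below still connects to the svc-zone address, so whether the TLS check verifies the certificate against that hostname depends on the http_tls_2xx module definition, which is not in this file, and is worth confirming rather than inferring from the label.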
@@ -234,27 +261,33 @@ grafana_datasources:
manageAlerts: no
grafana_dashboards:
- - file: node-full
+ - file: sys/node-full
+ datasource: "Prometheus"
+ - file: sys/openwrt
+ datasource: "Prometheus"
+ - file: sys/ipmi
+ datasource: "Prometheus"
+ - file: environment/sensors
datasource: "Prometheus"
- - file: openwrt
+ - file: blackbox/ssh
datasource: "Prometheus"
- - file: chrony
+ - file: blackbox/https
datasource: "Prometheus"
- - file: environment-sensors
+ - file: blackbox/mqtt
datasource: "Prometheus"
- - file: blackbox
+ - file: net/chrony
datasource: "Prometheus"
- - file: smokeping
+ - file: net/smokeping
datasource: "Prometheus"
- - file: bind
+ - file: net/bind
datasource: "Prometheus"
- - file: ipmi
+ - file: net/mosquitto
datasource: "Prometheus"
- - file: standalone-kubelet-overview
+ - file: net/coredns
datasource: "Prometheus"
- - file: whawty-nginx-sso
+ - file: apps/standalone-kubelet-overview
datasource: "Prometheus"
- - file: mosquitto
+ - file: apps/whawty-nginx-sso
datasource: "Prometheus"
grafana_admin_password: "{{ vault_grafana_admin_password }}"
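Review bot: Two dashboards new to this list, `blackbox/mqtt` and `net/coredns`, have no matching probe or scrape job in the hunks of this commit — the blackbox job for ch-mon defines only ssh and https probes — so unless those jobs are defined elsewhere in the inventory the panels will have no series to show. If they are meant to cover services scraped from other hosts, a comment above those entries naming the job that feeds them, e.g. `# fed by the mqtt probe defined on the broker host`, would make that explicit.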