Diffstat (limited to 'roles/monitoring/prometheus/exporter/ssl')
-rw-r--r--roles/monitoring/prometheus/exporter/ssl/defaults/main.yml16
-rw-r--r--roles/monitoring/prometheus/exporter/ssl/handlers/main.yml10
-rw-r--r--roles/monitoring/prometheus/exporter/ssl/tasks/main.yml42
-rw-r--r--roles/monitoring/prometheus/exporter/ssl/templates/config.yml.j24
-rw-r--r--roles/monitoring/prometheus/exporter/ssl/templates/service.j230
5 files changed, 102 insertions, 0 deletions
diff --git a/roles/monitoring/prometheus/exporter/ssl/defaults/main.yml b/roles/monitoring/prometheus/exporter/ssl/defaults/main.yml
new file mode 100644
index 00000000..d7edd3f4
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/ssl/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+prometheus_exporter_ssl_modules:
+ tcp:
+ prober: tcp
+ http:
+ prober: https
+ https:
+ prober: https
+ file:
+ prober: file
+ kubernetes:
+ prober: kubernetes
+ kubeconfig:
+ prober: kubeconfig
+
+prometheus_exporter_ssl_modules_extra: {}
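Review bot: The `http` module on the added line `http:` / `prober: https` is an alias of the `https` module, since ssl_exporter only ships `tcp`, `https`, `file`, `kubernetes` and `kubeconfig` probers and cannot probe a plaintext endpoint; the name invites operators to point it at `http://` targets and get confusing handshake failures. A one-line comment above it, `# alias of https: ssl_exporter has no plaintext prober, targets must speak TLS`, would make that explicit. None of the modules set a `tls_config`, so probes should verify against the system trust store by default — worth stating in a comment too, so nobody later adds `insecure_skip_verify: true` to "fix" a failing probe without understanding what it disables.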
diff --git a/roles/monitoring/prometheus/exporter/ssl/handlers/main.yml b/roles/monitoring/prometheus/exporter/ssl/handlers/main.yml
new file mode 100644
index 00000000..2fb43f19
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/ssl/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart prometheus-ssl-exporter
+ service:
+ name: prometheus-ssl-exporter
+ state: restarted
+
+- name: reload nginx
+ service:
+ name: nginx
+ state: reloaded
diff --git a/roles/monitoring/prometheus/exporter/ssl/tasks/main.yml b/roles/monitoring/prometheus/exporter/ssl/tasks/main.yml
new file mode 100644
index 00000000..c57ea0b1
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/ssl/tasks/main.yml
@@ -0,0 +1,42 @@
+---
+ ## TODO: pin version
+- name: install apt packages
+ apt:
+ name: prom-exporter-ssl
+ state: present
+
+- name: create config directory
+ file:
+ path: /etc/prometheus/exporter/ssl
+ state: directory
+
+- name: generate configuration
+ template:
+ src: config.yml.j2
+ dest: /etc/prometheus/exporter/ssl/config.yml
+ notify: restart prometheus-ssl-exporter
+
+- name: generate systemd service unit
+ template:
+ src: service.j2
+ dest: /etc/systemd/system/prometheus-ssl-exporter.service
+ notify: restart prometheus-ssl-exporter
+
+- name: make sure prometheus-ssl-exporter is enabled and started
+ systemd:
+ name: prometheus-ssl-exporter.service
+ daemon_reload: yes
+ state: started
+ enabled: yes
+
+- name: register exporter
+ copy:
+ content: |
+ location = /ssl {
+ proxy_pass http://127.0.0.1:9219/metrics;
+ }
+ location = /ssl/probe {
+ proxy_pass http://127.0.0.1:9219/probe;
+ }
+ dest: /etc/prometheus/exporter/ssl.locations
+ notify: reload nginx
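Review bot: The `register exporter` task proxies `/ssl/probe` to the exporter's `/probe` endpoint, and that endpoint opens a TCP/TLS connection (or reads a file path, for the `file` prober) to whatever `target=` the client supplies, so any client that can reach this nginx location can use the host as a connection scanner against 127.0.0.1 and the internal network. Binding the exporter to 127.0.0.1 in the unit does not help once nginx re-exposes it. Whether the file that includes `/etc/prometheus/exporter/*.locations` adds authentication or an `allow`/`deny` list is outside this diff; if it does not, add one here, e.g. `allow 127.0.0.1; deny all;` inside the `/ssl/probe` block or a `satisfy any`/auth directive matching the other exporters. Separately, `create config directory` and `generate configuration` set no `owner`/`mode`; the config may later carry `tls_config` client key paths, so pinning `mode: "0640"` now avoids a world-readable file.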
diff --git a/roles/monitoring/prometheus/exporter/ssl/templates/config.yml.j2 b/roles/monitoring/prometheus/exporter/ssl/templates/config.yml.j2
new file mode 100644
index 00000000..1ef84541
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/ssl/templates/config.yml.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+modules:
+ {{ prometheus_exporter_ssl_modules | combine(prometheus_exporter_ssl_modules_extra) | to_nice_yaml(indent=2) | indent(2) }}
diff --git a/roles/monitoring/prometheus/exporter/ssl/templates/service.j2 b/roles/monitoring/prometheus/exporter/ssl/templates/service.j2
new file mode 100644
index 00000000..fdd754a4
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/ssl/templates/service.j2
@@ -0,0 +1,30 @@
+[Unit]
+Description=Prometheus ssl exporter
+
+[Service]
+Restart=always
+ExecStart=/usr/bin/prometheus-ssl-exporter --web.listen-address="127.0.0.1:9219" --config.file=/etc/prometheus/exporter/ssl/config.yml
+ExecReload=/bin/kill -HUP $MAINPID
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
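Review bot: The `[Service]` section has no `User=` or `DynamicUser=`, so despite the long hardening list the exporter runs as root; with the `file` and `kubeconfig` probers accepting arbitrary paths from the `/probe` query string, a client can make a root process open any file on the host, which `ProtectSystem=strict` does not prevent (it only makes the tree read-only). Add `DynamicUser=yes` (or a dedicated `User=prometheus`) after `ExecReload=`, and since it only needs loopback plus outbound TCP, `RestrictAddressFamilies=AF_INET AF_INET6` and `SystemCallFilter=@system-service` fit the existing list. Certificate paths probed via the `file` module must then be readable by that user, which is the right constraint rather than a regression. `PrivateDevices=true` already implies the `DeviceAllow`/`DevicePolicy=strict` pair, so those two lines are redundant but harmless.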