Diffstat (limited to 'roles/monitoring/prometheus/exporter')
17 files changed, 391 insertions, 48 deletions
diff --git a/roles/monitoring/prometheus/exporter/TODO b/roles/monitoring/prometheus/exporter/TODO
new file mode 100644
index 00000000..c02e5699
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/TODO
@@ -0,0 +1,38 @@
+Node Exporter - Text Collector Scripts:
+ - https://github.com/prometheus-community/node-exporter-textfile-collector-scripts
+ - https://packages.debian.org/bullseye/prometheus-node-exporter-collectors
+
+IPMI Exporter:
+ - https://github.com/soundcloud/ipmi_exporter
+ - https://packages.debian.org/bullseye/prometheus-ipmi-exporter
+
+Postfix Exporter:
+ - https://github.com/kumina/postfix_exporter
+ - https://packages.debian.org/bullseye/prometheus-postfix-exporter
+
+NGINX Exporter:
+ - https://github.com/nginxinc/nginx-prometheus-exporter
+ - https://packages.debian.org/bullseye/prometheus-nginx-exporter
+
+Bind Exporter:
+ - https://github.com/prometheus-community/bind_exporter
+ - https://packages.debian.org/bullseye/prometheus-bind-exporter
+
+MySQLd Exporter:
+ - https://github.com/prometheus/mysqld_exporter
+ - https://packages.debian.org/bullseye/prometheus-mysqld-exporter
+
+Postgres Exporter:
+ - https://github.com/prometheus-community/postgres_exporter
+ - https://packages.debian.org/bullseye/prometheus-postgres-exporter
+
+SNMP Exporter:
+ - https://github.com/prometheus/snmp_exporter
+ - https://packages.debian.org/bullseye/prometheus-snmp-exporter
+
+Process Exporter:
+ - https://github.com/ncabatoff/process-exporter
+ - https://packages.debian.org/bullseye/prometheus-process-exporter
+
+SSL Exporter:
+ - https://github.com/ribbybibby/ssl_exporter
diff --git a/roles/monitoring/prometheus/exporter/base/defaults/main.yml b/roles/monitoring/prometheus/exporter/base/defaults/main.yml
index 5f8ce103..963763a5 100644
--- a/roles/monitoring/prometheus/exporter/base/defaults/main.yml
+++ b/roles/monitoring/prometheus/exporter/base/defaults/main.yml
@@ -1,2 +1,2 @@
 ---
-prometheus_exporter_port: 9000
+prometheus_exporter_listen: ":9999"
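Review bot: The new default `prometheus_exporter_listen: ":9999"` has an empty host part, which the `-web.tls.listen-address` flag in service.j2 will presumably bind on every interface, and nothing on the page records that this is intended. Anyone overriding the value needs that contract spelled out, so add a comment above the key, e.g. `# host:port of the TLS listener; an empty host binds all interfaces (peers are client-cert verified, see -web.tls.verify in service.j2)`.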
diff --git a/roles/monitoring/prometheus/exporter/base/handlers/main.yml b/roles/monitoring/prometheus/exporter/base/handlers/main.yml
new file mode 100644
index 00000000..ebd760cf
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/base/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart prometheus-exporter-exporter
+ service:
+ name: prometheus-exporter-exporter
+ state: restarted
diff --git a/roles/monitoring/prometheus/exporter/base/tasks/main.yml b/roles/monitoring/prometheus/exporter/base/tasks/main.yml
index c3a04bd9..9a214f39 100644
--- a/roles/monitoring/prometheus/exporter/base/tasks/main.yml
+++ b/roles/monitoring/prometheus/exporter/base/tasks/main.yml
@@ -1,16 +1,40 @@ --- -- name: create main configuration directories - loop: - - exporters-available - - exporters-enabled +- name: check if prometheus apt component of spreadspace repo is enabled + assert: + msg: "please enable the 'prometheus' component of spreadspace repo using 'spreadspace_apt_repo_components'" + that: + - spreadspace_apt_repo_components is defined + - "'prometheus' in spreadspace_apt_repo_components" + +- name: install apt packages + apt: + name: prom-exporter-exporter + state: present + +- name: create configuration directories file: - path: "/etc/prometheus-exporter/{{ item }}" + path: /etc/prometheus/exporter/enabled state: directory -- name: install nginx vhost - vars: - nginx_vhost: - name: prometheus-exporter - content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" - include_role: - name: nginx/vhost +- name: add user for prometheus-exporter + user: + name: prometheus-exporter + system: yes + home: /nonexistent + create_home: no + +- name: create TLS certificate and key + import_tasks: tls.yml + +- name: generate systemd service unit + template: + src: service.j2 + dest: /etc/systemd/system/prometheus-exporter-exporter.service + notify: restart prometheus-exporter-exporter + +- name: make sure prometheus-exporter-exporter is enabled and started + systemd: + name: prometheus-exporter-exporter.service + daemon_reload: yes + state: started + enabled: yes diff --git a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml new file mode 100644 index 00000000..e34025e4 --- /dev/null +++ b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml 
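Review bot: The `add user for prometheus-exporter` task creates the service account without a `shell`, so it inherits the useradd default, which on Debian is typically an interactive `/bin/sh`; add `shell: /usr/sbin/nologin` under `user:` so the account cannot be used for logins. The `create configuration directories` task likewise leaves owner and mode of `/etc/prometheus/exporter/enabled` to the umask of the run; stating `owner: root` and `mode: "0755"` documents that only root registers exporters there, which the per-exporter `copy` tasks rely on. The `assert` guard at the top is good; the rest of the hunk reads fine.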
@@ -0,0 +1,100 @@
+---
+- name: install python-cryptoraphy
+ apt:
+ name: "{{ python_basename }}-cryptography"
+ state: present
+
+- name: create base directory
+ file:
+ path: /etc/ssl/prometheus
+ state: directory
+
+- name: create exporter cert/key directory
+ file:
+ path: /etc/ssl/prometheus/exporter
+ state: directory
+ owner: root
+ group: prometheus-exporter
+ mode: 0750
+
+- name: create exporter private key
+ openssl_privatekey:
+ path: /etc/ssl/prometheus/exporter/key.pem
+ type: RSA
+ size: 4096
+ owner: prometheus-exporter
+ group: prometheus-exporter
+ mode: 0400
+ notify: restart prometheus-exporter-exporter
+
+- name: create signing request for exporter certificate
+ openssl_csr:
+ path: /etc/ssl/prometheus/exporter/csr.pem
+ privatekey_path: /etc/ssl/prometheus/exporter/key.pem
+ CN: "{{ inventory_hostname }}"
+ subject_alt_name:
+ - "DNS:{{ host_name }}.{{ host_domain }}"
+ - "IP:{{ ansible_default_ipv4.address }}"
+ key_usage:
+ - digitalSignature
+ key_usage_critical: yes
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ basic_constraints:
+ - 'CA:FALSE'
+ basic_constraints_critical: yes
+
+- name: slurp CSR
+ slurp:
+ src: /etc/ssl/prometheus/exporter/csr.pem
+ register: prometheus_exporter_server_csr
+
+- name: check if exporter certificate exists
+ stat:
+ path: /etc/ssl/prometheus/exporter/crt.pem
+ register: prometheus_exporter_server_cert
+
+- name: read exporter client certificate validity
+ when: prometheus_exporter_server_cert.stat.exists
+ openssl_certificate_info:
+ path: /etc/ssl/prometheus/exporter/crt.pem
+ valid_at:
+ ten_years: '+3650d'
+ register: prometheus_exporter_server_cert_info
+
+- name: slurp existing exporter certificate
+ when: prometheus_exporter_server_cert.stat.exists
+ slurp:
+ src: /etc/ssl/prometheus/exporter/crt.pem
+ register: prometheus_exporter_server_cert_current
+
+- name: generate exporter certificate
+ delegate_to: "{{ prometheus_server }}"
+ community.crypto.x509_certificate_pipe:
+ content: "{{ prometheus_exporter_server_cert_current.content | default('') | b64decode }}"
+ csr_content: "{{ prometheus_exporter_server_csr.content | b64decode }}"
+ provider: ownca
+ ownca_path: /etc/ssl/prometheus/ca-crt.pem
+ ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem
+ ownca_digest: sha256
+ ownca_not_after: "+18250d" ## 50 years
+ force: "{{ prometheus_exporter_server_cert.stat.exists and (not prometheus_exporter_server_cert_info.valid_at.ten_years) }}"
+ register: prometheus_exporter_server_cert
+
+- name: store exporter certificate
+ copy:
+ content: "{{ prometheus_exporter_server_cert.certificate }}"
+ dest: /etc/ssl/prometheus/exporter/crt.pem
+ notify: restart prometheus-exporter-exporter
+
+- name: slurp CA certificate
+ delegate_to: "{{ prometheus_server }}"
+ slurp:
+ src: /etc/ssl/prometheus/ca-crt.pem
+ register: prometheus_exporter_ca_certificate
+
+- name: install CA certificate
+ copy:
+ content: "{{ prometheus_exporter_ca_certificate.content | b64decode }}"
+ dest: /etc/ssl/prometheus/ca-crt.pem
diff --git a/roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.conf.j2 b/roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.conf.j2
deleted file mode 100644
index e032ca3d..00000000
--- a/roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.conf.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-server {
- listen {{ prometheus_exporter_port }};
- listen [::]:{{ prometheus_exporter_port }};
- server_name _;
-
- ## TODO: configure ssl
-
- location / {
- return 404 "unknown exporter: $uri\n";
- }
- include /etc/prometheus-exporter/exporters-enabled/*;
-
- access_log /var/log/nginx/access-prometheus-exporter.log;
- error_log /var/log/nginx/error-prometheus-exporter.log;
-}
diff --git a/roles/monitoring/prometheus/exporter/base/templates/service.j2 b/roles/monitoring/prometheus/exporter/base/templates/service.j2
new file mode 100644
index 00000000..c24baf43
--- /dev/null
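Review bot: The `generate exporter certificate` task signs, on `{{ prometheus_server }}`, a CSR slurped from the managed host without checking its subject, so the CA issues whatever names that host wrote into `/etc/ssl/prometheus/exporter/csr.pem`; the controller already knows the expected values, so inspect the slurped CSR with `community.crypto.openssl_csr_info` and fail before signing when its `subject_alt_name` does not match `{{ host_name }}.{{ host_domain }}` and `ansible_default_ipv4.address`. `register: prometheus_exporter_server_cert` on that task reuses the name of the earlier `stat` result, which the task's own `force:` expression reads; a distinct name such as `prometheus_exporter_server_cert_signed` would keep the two apart for the next reader. The `ownca_not_after: "+18250d"` lifetime together with the 10-year re-issue threshold means a leaf key stays trusted for decades with no rotation and no revocation path, which the `## 50 years` marker states but does not justify; a one-line comment on why this is acceptable for mutually-authenticated scrape traffic would help. The task name `install python-cryptoraphy` is misspelled.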
+++ b/roles/monitoring/prometheus/exporter/base/templates/service.j2
@@ -0,0 +1,32 @@
+[Unit]
+Description=Prometheus exporter proxy
+
+[Service]
+Restart=always
+User=prometheus-exporter
+ExecStart=/usr/bin/prometheus-exporter-exporter -config.dirs=/etc/prometheus/exporter/enabled -config.file="" -web.listen-address="" -web.tls.listen-address="{{ prometheus_exporter_listen }}" -web.tls.cert="/etc/ssl/prometheus/exporter/crt.pem" -web.tls.key="/etc/ssl/prometheus/exporter/key.pem" --web.tls.ca="/etc/ssl/prometheus/ca-crt.pem" -web.tls.verify
+{# TODO: implement reloading once the exporter_exporter supports this #}
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml b/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml
new file mode 100644
index 00000000..4e7d8d9a
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml
@@ -0,0 +1,26 @@
+---
+prometheus_exporter_blackbox_modules:
+ tcp_connect:
+ prober: tcp
+ tcp_tls_connect:
+ prober: tcp
+ tcp:
+ tls: true
+ tls_config:
+ insecure_skip_verify: true
+ http_2xx:
+ prober: http
+ http_tls_2xx:
+ prober: http
+ http:
+ fail_if_not_ssl: true
+ tls_config:
+ insecure_skip_verify: true
+ ssh_banner:
+ prober: tcp
+ tcp:
+ query_response:
+ - expect: "^SSH-2.0-"
+ - send: "SSH-2.0-blackbox-ssh-check"
+
+prometheus_exporter_blackbox_modules_extra: {}
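Review bot: The hardening block stops short of `RestrictAddressFamilies` and `SystemCallFilter`; the proxy only needs TCP towards the local exporters and the scraper, so `RestrictAddressFamilies=AF_INET AF_INET6` and `SystemCallFilter=@system-service` would close the remaining socket families and syscalls (add `AF_UNIX` if an exporter is ever registered over a unix socket). On the `ExecStart` line `--web.tls.ca` uses a double dash while every other flag uses a single one; presumably Go's flag parsing accepts both, but one form reads better. `-config.file=""` and `-web.listen-address=""` are doing real work, disabling the file config and the plaintext listener, and deserve a `{# ... #}` comment saying so.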
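Review bot: Both TLS modules, `tcp_tls_connect` and `http_tls_2xx`, set `insecure_skip_verify: true`, so a probe reports success for any certificate, including an expired, self-signed or wrong-name one; expiry can still be alerted on via `probe_ssl_earliest_cert_expiry`, but chain and hostname failures go unnoticed. If reachability-only probing is the intent, put a comment on each `tls_config`, e.g. `# reachability probe only: chain/hostname failures are not detected, alert on probe_ssl_earliest_cert_expiry separately`, and consider offering a verifying variant (same module without `insecure_skip_verify`) for endpoints with publicly trusted certificates.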
diff --git a/roles/monitoring/prometheus/exporter/blackbox/handlers/main.yml b/roles/monitoring/prometheus/exporter/blackbox/handlers/main.yml
new file mode 100644
index 00000000..99a416e2
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/blackbox/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+- name: restart prometheus-blackbox-exporter
+ service:
+ name: prometheus-blackbox-exporter
+ state: restarted
+
+- name: reload prometheus-blackbox-exporter
+ service:
+ name: prometheus-blackbox-exporter
+ state: reloaded
+
+- name: reload prometheus-exporter-exporter
+ service:
+ name: prometheus-exporter-exporter
+ ## TODO: implement reload once exporter_exporter supports this...
+ state: restarted
diff --git a/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml b/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml
new file mode 100644
index 00000000..3b8e997d
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: install apt packages
+ apt:
+ name: prom-exporter-blackbox
+ state: present
+
+- name: create config directory
+ file:
+ path: /etc/prometheus/exporter/blackbox
+ state: directory
+
+- name: generate configuration
+ template:
+ src: config.yml.j2
+ dest: /etc/prometheus/exporter/blackbox/config.yml
+ notify: reload prometheus-blackbox-exporter
+
+- name: generate systemd service unit
+ template:
+ src: service.j2
+ dest: /etc/systemd/system/prometheus-blackbox-exporter.service
+ notify: restart prometheus-blackbox-exporter
+
+- name: make sure prometheus-exporter-exporter is enabled and started
+ systemd:
+ name: prometheus-blackbox-exporter.service
+ daemon_reload: yes
+ state: started
+ enabled: yes
+
+- name: register exporter
+ copy:
+ content: |
+ method: http
+ http:
+ port: 9115
+ path: '/probe'
+ dest: /etc/prometheus/exporter/enabled/blackbox.yml
+ notify: reload prometheus-exporter-exporter
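Review bot: The task named `make sure prometheus-exporter-exporter is enabled and started` actually manages `prometheus-blackbox-exporter.service`, and the same copy-and-paste slip appears in node/tasks/main.yml for `prometheus-node-exporter.service`; rename both so play output names the unit being handled, e.g. `- name: make sure prometheus-blackbox-exporter is enabled and started`. `generate configuration` writes `/etc/prometheus/exporter/blackbox/config.yml` with default permissions; blackbox http modules can carry credentials (`basic_auth`, `bearer_token`), so setting `owner: root`, `group: prometheus-exporter`, `mode: "0640"` on the `template` task now avoids a world-readable secret once such a module is added via `prometheus_exporter_blackbox_modules_extra`.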
diff --git a/roles/monitoring/prometheus/exporter/blackbox/templates/config.yml.j2 b/roles/monitoring/prometheus/exporter/blackbox/templates/config.yml.j2
new file mode 100644
index 00000000..01e3f7a0
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/blackbox/templates/config.yml.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+modules:
+ {{ prometheus_exporter_blackbox_modules | combine(prometheus_exporter_blackbox_modules_extra) | to_nice_yaml(indent=2) | indent(2)}}
diff --git a/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2 b/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2
new file mode 100644
index 00000000..a8a91d0b
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2
@@ -0,0 +1,36 @@
+[Unit]
+Description=Prometheus blackbox exporter
+
+[Service]
+Restart=always
+User=prometheus-exporter
+ExecStart=/usr/bin/prometheus-blackbox-exporter --web.listen-address="127.0.0.1:9115" --config.file=/etc/prometheus/exporter/blackbox/config.yml
+ExecReload=/bin/kill -HUP $MAINPID
+
+# systemd hardening-options
+{% if prometheus_exporter_blackbox_modules | combine(prometheus_exporter_blackbox_modules_extra) | dict2items | selectattr('value.prober', 'eq', 'icmp') | length > 0 %}
+AmbientCapabilities=CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_RAW
+{% else %}
+AmbientCapabilities=
+CapabilityBoundingSet=
+{% endif %}
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/monitoring/prometheus/exporter/meta/main.yml b/roles/monitoring/prometheus/exporter/meta/main.yml
new file mode 100644
index 00000000..d1d3eac7
--- /dev/null
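Review bot: The `{% if ... %}` block grants `CAP_NET_RAW` whenever an icmp module is configured but says nothing about why, and this unit drops the `PrivateUsers=true` the base proxy unit has without comment; presumably a raw-socket capability is not usable inside a user namespace, but that reasoning should be on the page. Add `{# ICMP probes need raw sockets; grant CAP_NET_RAW only when an icmp module is configured #}` above the condition and a `{# no PrivateUsers: the CAP_NET_RAW grant would not survive a user namespace (confirm) #}` note in the hardening list. The merged-module expression `prometheus_exporter_blackbox_modules | combine(prometheus_exporter_blackbox_modules_extra)` is repeated from config.yml.j2; a single role variable for the merged map would keep the two templates from drifting.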
+++ b/roles/monitoring/prometheus/exporter/meta/main.yml
@@ -0,0 +1,7 @@
+---
+dependencies:
+ - role: monitoring/prometheus/exporter/base
+ - role: monitoring/prometheus/exporter/node
+ when: "'node' in (prometheus_exporters_default | union(prometheus_exporters_extra))"
+ - role: monitoring/prometheus/exporter/blackbox
+ when: "'blackbox' in (prometheus_exporters_default | union(prometheus_exporters_extra))"
diff --git a/roles/monitoring/prometheus/exporter/node/defaults/main.yml b/roles/monitoring/prometheus/exporter/node/defaults/main.yml
new file mode 100644
index 00000000..56227fbb
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/node/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+_prometheus_exporter_node_time_collector_map_:
+ "": timex
+ systemd-timesyncd: timex
+ chrony: ntp
+ openntpd: ntp
+
+prometheus_exporter_node_timesync_collector: "{{ _prometheus_exporter_node_time_collector_map_[ntp_variant | default('')] }}"
+
+prometheus_exporter_node_disable_collectors: []
+prometheus_exporter_node_extra_collectors:
+- "{{ prometheus_exporter_node_timesync_collector }}"
diff --git a/roles/monitoring/prometheus/exporter/node/handlers/main.yml b/roles/monitoring/prometheus/exporter/node/handlers/main.yml
index 9c62baf6..3e1b2000 100644
--- a/roles/monitoring/prometheus/exporter/node/handlers/main.yml
+++ b/roles/monitoring/prometheus/exporter/node/handlers/main.yml
@@ -3,3 +3,9 @@
 service:
 name: prometheus-node-exporter
 state: restarted
+
+- name: reload prometheus-exporter-exporter
+ service:
+ name: prometheus-exporter-exporter
+ ## TODO: implement reload once exporter_exporter supports this...
+ state: restarted
diff --git a/roles/monitoring/prometheus/exporter/node/tasks/main.yml b/roles/monitoring/prometheus/exporter/node/tasks/main.yml
index 286b6d75..c8756acf 100644
--- a/roles/monitoring/prometheus/exporter/node/tasks/main.yml
+++ b/roles/monitoring/prometheus/exporter/node/tasks/main.yml
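Review bot: The `when` conditions read `prometheus_exporters_default` and `prometheus_exporters_extra`, and no defaults for either appear anywhere in this change; if they are not defined by a parent role or inventory, dependency evaluation fails with an undefined-variable error rather than a clear message. A `defaults/main.yml` in this role with `prometheus_exporters_default: []` and `prometheus_exporters_extra: []` (or a comment naming where they are expected to come from) would make the role self-contained. The union expression is repeated per dependency; computing it once into a variable avoids drift as more exporters from the TODO list are added.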
@@ -1,29 +1,32 @@ --- - name: install apt packages apt: - name: prometheus-node-exporter + name: prom-exporter-node state: present - ## TODO: add other configs -- name: listen on localhost only - lineinfile: - path: /etc/default/prometheus-node-exporter - regexp: '^ARGS=' - line: 'ARGS="--web.listen-address=127.0.0.1:9100"' +- name: create directory for textfile collector + file: + path: /var/lib/prometheus-node-exporter/textfile-collector + state: directory + +- name: generate systemd service unit + template: + src: service.j2 + dest: /etc/systemd/system/prometheus-node-exporter.service notify: restart prometheus-node-exporter -- name: create nginx snippet +- name: make sure prometheus-exporter-exporter is enabled and started + systemd: + name: prometheus-node-exporter.service + daemon_reload: yes + state: started + enabled: yes + +- name: register exporter copy: content: | - location = /node { - proxy_pass http://127.0.0.1:9100/metrics; - } - dest: /etc/prometheus-exporter/exporters-available/node - # notify: reload nginx - -- name: enable nginx snippet - file: - src: /etc/prometheus-exporter/exporters-available/node - dest: /etc/prometheus-exporter/exporters-enabled/node - state: link - # notify: reload nginx + method: http + http: + port: 9100 + dest: /etc/prometheus/exporter/enabled/node.yml + notify: reload prometheus-exporter-exporter diff --git a/roles/monitoring/prometheus/exporter/node/templates/service.j2 b/roles/monitoring/prometheus/exporter/node/templates/service.j2 new file mode 100644 index 00000000..7aa2834a --- /dev/null +++ b/roles/monitoring/prometheus/exporter/node/templates/service.j2 
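Review bot: `create directory for textfile collector` creates `/var/lib/prometheus-node-exporter/textfile-collector` without `owner`, `group` or `mode`, so the result depends on the umask of the Ansible run, and every principal with write access to that directory can feed arbitrary samples into the node exporter's metrics. State the contract explicitly on the `file` task, e.g. `owner: root`, `group: prometheus-exporter`, `mode: "0755"`, so only root-run collector scripts write there and the exporter, running as `prometheus-exporter`, only reads. Note that the `register exporter` task writes into `/etc/prometheus/exporter/enabled`, whose ownership the base role also leaves implicit.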
@@ -0,0 +1,10 @@
+[Unit]
+Description=Prometheus node exporter
+
+[Service]
+Restart=always
+User=prometheus-exporter
+ExecStart=/usr/bin/prometheus-node-exporter --web.listen-address="127.0.0.1:9100" --web.disable-exporter-metrics --collector.textfile.directory="/var/lib/prometheus-node-exporter/textfile-collector"{% for collector in prometheus_exporter_node_disable_collectors %} --no-collector.{{ collector }}{% endfor %}{% for collector in prometheus_exporter_node_extra_collectors %} --collector.{{ collector }}{% endfor %}{{ '' }}
+
+[Install]
+WantedBy=multi-user.target |
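Review bot: This unit carries none of the systemd hardening directives the base and blackbox units use (`NoNewPrivileges`, `ProtectSystem=strict`, `ProtectHome`, `PrivateTmp`, `ProtectKernelModules`, `RestrictRealtime` and the rest), although the node exporter runs as the same `prometheus-exporter` user and only needs read access to `/proc`, `/sys` and the textfile directory. Apply the same block here for consistency; `ProtectKernelTunables=true` and `ProtectSystem=strict` leave `/proc` and `/sys` readable, which is what the collectors need, but verify the enabled collectors after the change since the `ntp` collector selected in node/defaults may need network access. The trailing `{{ '' }}` on the `ExecStart` line is non-obvious; presumably it keeps the line's newline from being trimmed after the `{% endfor %}`, and a short `{# keep trailing newline after the for-loops #}` comment (confirm) would save the next reader the guess.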