Diffstat (limited to 'roles/monitoring/prometheus/server/tasks')
-rw-r--r--roles/monitoring/prometheus/server/tasks/main.yml90
-rw-r--r--roles/monitoring/prometheus/server/tasks/tls.yml75
2 files changed, 159 insertions, 6 deletions
diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml
index 784e872a..a70bd6fd 100644
--- a/roles/monitoring/prometheus/server/tasks/main.yml
+++ b/roles/monitoring/prometheus/server/tasks/main.yml
@@ -1,4 +1,11 @@
---
+- name: check if prometheus apt component of spreadspace repo is enabled
+ assert:
+ msg: "please enable the 'prometheus' component of spreadspace repo using 'spreadspace_apt_repo_components'"
+ that:
+ - spreadspace_apt_repo_components is defined
+ - "'prometheus' in spreadspace_apt_repo_components"
+
- name: prepare storage volume for /var/lib/prometheus
when: prometheus_server_storage is defined
vars:
@@ -8,12 +15,83 @@
- name: install apt packages
apt:
- name: prometheus
+ name: prom-server
state: present
-- name: listen on localhost only
- lineinfile:
- path: /etc/default/prometheus
- regexp: '^ARGS='
- line: 'ARGS="--web.listen-address=127.0.0.1:9090 --storage.tsdb.retention={{ prometheus_server_retention }}"'
+- name: add user for server
+ user:
+ name: prometheus
+ system: yes
+ home: /var/lib/prometheus
+ create_home: no
+
+- name: create data directory
+ file:
+ path: /var/lib/prometheus/metrics2
+ state: directory
+ owner: prometheus
+ group: prometheus
+
+- name: create TLS CA and certificates
+ import_tasks: tls.yml
+
+- name: create configuration directories
+ loop:
+ - jobs
+ - rules
+ - targets
+ file:
+ path: "/etc/prometheus/{{ item }}"
+ state: directory
+
+- name: create sub-directroy for all exporter types in jobs directory
+ loop: "{{ prometheus_server_jobs }}"
+ file:
+ path: "/etc/prometheus/jobs/{{ item }}"
+ state: directory
+
+- name: generate targets config
+ loop: "{{ prometheus_zone_targets }}"
+ copy:
+ content: |
+ - targets: [ "{{ hostvars[item].prometheus_scrape_endpoint }}" ]
+ labels:
+ instance: "{{ item }}"
+ dest: "/etc/prometheus/targets/{{ item }}.yml"
+
+- name: enable targets for jobs
+ loop: "{{ hostvars | prometheus_job_targets(prometheus_server_jobs, prometheus_zone_targets) }}"
+ loop_control:
+ label: "{{ item.job }} -> {{ item.target }}"
+ file:
+ src: "{{ item.enabled | ternary('/etc/prometheus/targets/' + item.target + '.yml', omit) }}"
+ path: "/etc/prometheus/jobs/{{ item.job }}/{{ item.target }}.yml"
+ state: "{{ item.enabled | ternary('link', 'absent') }}"
+
+- name: generate rules files for all jobs
+ loop: "{{ prometheus_server_jobs | union(['prometheus']) }}"
+ template:
+ src: rules.yml.j2
+ dest: "/etc/prometheus/rules/{{ item }}.yml"
+ validate: "promtool check rules %s"
+ notify: reload prometheus
+
+- name: generate configuration file
+ template:
+ src: prometheus.yml.j2
+ dest: /etc/prometheus/prometheus.yml
+ validate: "promtool check config %s"
+ notify: reload prometheus
+
+- name: generate systemd service unit
+ template:
+ src: prometheus.service.j2
+ dest: /etc/systemd/system/prometheus.service
notify: restart prometheus
+
+- name: make sure prometheus is enabled and started
+ systemd:
+ name: prometheus.service
+ daemon_reload: yes
+ state: started
+ enabled: yes
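Review bot: The removed `listen on localhost only` task was the only visible place that bound Prometheus to `127.0.0.1:9090`, and its replacement now depends on `prometheus.service.j2`, which is not part of this diff, so nothing in the hunk shows whether the web endpoint is still restricted to localhost. If the template sets `--web.listen-address` in its `ExecStart`, a comment on the `generate systemd service unit` task such as `# listen address and tsdb retention are passed via ExecStart in prometheus.service.j2` would make that dependency explicit; if it does not, the server becomes reachable on all interfaces without any authentication in front of it. The values `system: yes`, `create_home: no`, `daemon_reload: yes` and `enabled: yes` are YAML 1.1 truthy spellings; `true`/`false` are the canonical form and what yamllint expects. The task name `create sub-directroy for all exporter types in jobs directory` has a typo (`sub-directory`).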
diff --git a/roles/monitoring/prometheus/server/tasks/tls.yml b/roles/monitoring/prometheus/server/tasks/tls.yml
new file mode 100644
index 00000000..940c69b1
--- /dev/null
+++ b/roles/monitoring/prometheus/server/tasks/tls.yml
@@ -0,0 +1,75 @@
+---
+- name: install python-cryptoraphy
+ apt:
+ name: "{{ python_basename }}-cryptography"
+ state: present
+
+- name: create base directory
+ file:
+ path: /etc/ssl/prometheus
+ state: directory
+
+- name: create server cert/key directory
+ file:
+ path: /etc/ssl/prometheus/server
+ state: directory
+ owner: root
+ group: prometheus
+ mode: 0750
+
+- name: create private key for scrape-client certificate
+ openssl_privatekey:
+ path: /etc/ssl/prometheus/server/scrape-key.pem
+ type: RSA
+ size: 4096
+ owner: prometheus
+ group: prometheus
+ mode: 0400
+ notify: reload prometheus
+
+- name: create signing request for scrape-client certificate
+ openssl_csr:
+ path: /etc/ssl/prometheus/server/scrape-csr.pem
+ privatekey_path: /etc/ssl/prometheus/server/scrape-key.pem
+ CN: "{{ inventory_hostname }}"
+ subject_alt_name:
+ - "DNS:{{ host_name }}.{{ host_domain }}"
+ - "IP:{{ ansible_default_ipv4.address }}"
+ key_usage:
+ - digitalSignature
+ key_usage_critical: yes
+ extended_key_usage:
+ - clientAuth
+ extended_key_usage_critical: yes
+ basic_constraints:
+ - 'CA:FALSE'
+ basic_constraints_critical: yes
+
+## TODO: install /etc/ssl/prometheus/ca-crt.pem from CA host
+
+- name: check if scrape-client certificate exists
+ stat:
+ path: /etc/ssl/prometheus/server/scrape-crt.pem
+ register: prometheus_server_scrape_client_cert
+
+- name: check scrape-client certificate validity
+ when: prometheus_server_scrape_client_cert.stat.exists
+ openssl_certificate_info:
+ path: /etc/ssl/prometheus/server/scrape-crt.pem
+ valid_at:
+ ten_years: '+3650d'
+ register: prometheus_server_scrape_client_cert_info
+
+## TODO: implement remote signing?
+
+- name: create scrape-client certificate
+ openssl_certificate:
+ path: /etc/ssl/prometheus/server/scrape-crt.pem
+ csr_path: /etc/ssl/prometheus/server/scrape-csr.pem
+ provider: ownca
+ ownca_path: /etc/ssl/prometheus/ca-crt.pem
+ ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem
+ ownca_digest: sha256
+ ownca_not_after: "+18250d" ## 50 years
+ force: "{{ prometheus_server_scrape_client_cert.stat.exists and (not prometheus_server_scrape_client_cert_info.valid_at.ten_years) }}"
+ notify: reload prometheus
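Review bot: The scrape-client certificate is issued for 50 years (`ownca_not_after: "+18250d"`) and the `force` expression only re-issues it once fewer than ten years of validity remain, so the RSA key and certificate are in practice never rotated for the lifetime of the host. A shorter lifetime with a renewal window near expiry keeps the play idempotent while making rotation routine, e.g. `ownca_not_after: "+365d"` together with a `valid_at` entry like `renew_window: '+30d'` (constructed values) referenced from `force` instead of `ten_years`. Separately, `ownca_path: /etc/ssl/prometheus/ca-crt.pem` and `ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem` are not created by any task in this diff; the TODO above `check if scrape-client certificate exists` covers the CA certificate but not the private key, so `create scrape-client certificate` fails unless both are provisioned elsewhere in the role. The values `mode: 0750` and `mode: 0400` rely on the YAML 1.1 octal reading; Ansible's convention is the quoted string form (`mode: "0750"`), and the task name `install python-cryptoraphy` has a typo.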