Diffstat (limited to 'roles/monitoring/prometheus/server')
-rw-r--r--roles/monitoring/prometheus/server/tasks/main.yml48
-rw-r--r--roles/monitoring/prometheus/server/templates/prometheus.service.j238
-rw-r--r--roles/monitoring/prometheus/server/templates/prometheus.yml.j211
3 files changed, 96 insertions, 1 deletions
diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml
index ec5bd9a9..ffbc5ffe 100644
--- a/roles/monitoring/prometheus/server/tasks/main.yml
+++ b/roles/monitoring/prometheus/server/tasks/main.yml
@@ -1,4 +1,11 @@
---
+- name: check if prometheus apt component of spreadspace repo is enabled
+ assert:
+ msg: "please enable the 'prometheus' component of spreadspace repo using 'spreadspace_apt_repo_components'"
+ that:
+ - spreadspace_apt_repo_components is defined
+ - "'prometheus' in spreadspace_apt_repo_components"
+
- name: prepare storage volume for /var/lib/prometheus
when: prometheus_server_storage is defined
vars:
@@ -11,6 +18,45 @@
name: prom-server
state: present
+- name: create configuration directories
+ loop:
+ - rules
+ - targets
+ file:
+ path: "/etc/prometheus/{{ item }}"
+ state: directory
+
+- name: generate configuration file
+ template:
+ src: prometheus.yml.j2
+ dest: /etc/prometheus/prometheus.yml
+
+- name: add user for server
+ user:
+ name: prometheus
+ system: yes
+ home: /var/lib/prometheus
+ create_home: no
+
+- name: create data directory
+ file:
+ path: /var/lib/prometheus/metrics2
+ state: directory
+ owner: prometheus
+ group: prometheus
+
## TODO:
-## - systemd service unit
## - create CA and certificate/key
+
+- name: generate systemd service unit
+ template:
+ src: prometheus.service.j2
+ dest: /etc/systemd/system/prometheus.service
+ notify: restart prometheus
+
+- name: make sure prometheus is enabled and started
+ systemd:
+ name: prometheus.service
+ daemon_reload: yes
+ state: started
+ enabled: yes
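Review bot: None of the new `file` and `template` tasks set `owner`, `group` or `mode`, so the permissions of `/etc/prometheus/prometheus.yml`, the `rules`/`targets` directories and the TSDB directory depend on the umask in effect when the play runs. Pinning them makes the result reproducible and keeps the metrics store closed to other local users: `mode: "0750"` on `/var/lib/prometheus/metrics2` and `mode: "0644"` on the config (tighter, with `group: prometheus`, once scrape credentials land in it). The `add user for server` task also leaves the login shell to the distribution default; `shell: /usr/sbin/nologin` suits an account that only runs a service. The hunk opens inside a task that starts above it.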
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 b/roles/monitoring/prometheus/server/templates/prometheus.service.j2
new file mode 100644
index 00000000..0530e589
--- /dev/null
+++ b/roles/monitoring/prometheus/server/templates/prometheus.service.j2
@@ -0,0 +1,38 @@
+[Unit]
+Description=Monitoring system and time series database
+Documentation=https://prometheus.io/docs/introduction/overview/ man:prometheus(1)
+After=time-sync.target
+
+[Service]
+Restart=on-failure
+User=prometheus
+ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}
+ExecReload=/bin/kill -HUP $MAINPID
+TimeoutStopSec=20s
+SendSIGKILL=no
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LimitMEMLOCK=0
+LimitNOFILE=8192
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
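Review bot: `ExecStart` passes no `--web.listen-address`, so Prometheus falls back to its default of listening on all interfaces on port 9090, and its web UI and query API have no authentication of their own. Until the CA/certificate work named in the tasks' TODO is in place, binding to loopback or a management address would limit exposure, e.g. appending `--web.listen-address=127.0.0.1:9090` (or a role variable); this matters less if a host firewall outside this diff already restricts the port. Separately, `ProtectSystem=full` still leaves `/var` and other paths writable; `ProtectSystem=strict` together with `ReadWritePaths=/var/lib/prometheus` would confine writes to the data directory.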
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
new file mode 100644
index 00000000..cadc3ef0
--- /dev/null
+++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
@@ -0,0 +1,11 @@
+global:
+ scrape_interval: 15s
+ evaluation_interval: 15s
+
+rule_files:
+ - /etc/prometheus/rules/*.yml
+
+scrape_configs:
+ - job_name: 'prometheus'
+ static_configs:
+ - targets: ['localhost:9090']
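Review bot: Nothing in this config reads `/etc/prometheus/targets`, although the tasks in this commit create that directory next to `rules`; the only scrape job uses `static_configs`. If the directory is meant for file-based service discovery, a job with `file_sd_configs` pointing at `/etc/prometheus/targets/*.yml` belongs here, otherwise a comment saying it is reserved for later would avoid confusion. A leading `# {{ ansible_managed }}` comment would also tell operators that manual edits to the rendered file get overwritten.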