From 289bc69e05df16245971db252668b7ba55ee3500 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 15 Nov 2023 19:10:53 +0100
Subject: ch-mon: monitoring services and landingpage now use new sso

---
 inventory/host_vars/ch-mon.yml | 58 ++++++++++++++++++++++++++++++++++++++----
 1 file changed, 53 insertions(+), 5 deletions(-)

(limited to 'inventory/host_vars/ch-mon.yml')

diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index f21bd9b2..cb5bcfed 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -53,9 +53,31 @@ lvm_groups:
 
 
 spreadspace_apt_repo_components:
+  - main
   - prometheus
 
 
+whawty_nginx_sso_backends:
+  chaos-at-home:
+    port: 1234
+    login_url: https://login.chaos-at-home.org/login
+
+whawty_nginx_sso_auths:
+  chaos-at-home:
+    config:
+      cookie:
+        name: __Secure-chaos-at-home-sso
+        keys:
+          - name: 2023-11
+            ed25519:
+              public-key: |-
+                -----BEGIN PUBLIC KEY-----
+                MCowBQYDK2VwAyEAawvVwThGnYYBDLjQ0Rs71prAmxQ/tfaPUNZvPWS3Z3U=
+                -----END PUBLIC KEY-----
+      web:
+        listen: 127.0.0.1:1234
+
+
 prometheus_server_storage:
   type: lvm
   vg: mondata
@@ -74,12 +96,12 @@ prometheus_server_alertmanager:
     username: server
     password: "{{ vault_prometheus_alertmanager_auth_user_passwords['server'] }}"
 
-prometheus_server_web_external_url: "http://{{ network.primary.address | ansible.utils.ipaddr('address') }}/prometheus/"
+prometheus_server_web_external_url: "http://mon.chaos-at-home.org/prometheus/"
 
 prometheus_server_auth_users:
   server: "{{ vault_prometheus_server_auth_user_passwords['server'] }}"
   grafana: "{{ vault_prometheus_server_auth_user_passwords['grafana'] }}"
-  admin: "{{ vault_prometheus_server_auth_user_passwords['admin'] }}"
+  proxy: "{{ vault_prometheus_server_auth_user_passwords['proxy'] }}"
 
 prometheus_server_selfscraping_auth:
   username: server
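Review bot: `name: 2023-11` in the new `whawty_nginx_sso_auths.chaos-at-home.config.cookie.keys` entry is a plain scalar that is meant as a key id string; it survives today only because YAML's timestamp rule needs a day part, so the next key id written as a full date (`2024-01-15`) would silently load as a date object and break the rendered nginx-sso config. Quote it, `name: "2023-11"`, and for consistency with every other URL in this file also quote `login_url: "https://login.chaos-at-home.org/login"` and `listen: "127.0.0.1:1234"`. The inline ed25519 material is the public verification key only, which is the right thing to commit here.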
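Review bot: `prometheus_server_web_external_url` is changed to `http://mon.chaos-at-home.org/prometheus/` while the same commit introduces an SSO cookie named `__Secure-chaos-at-home-sso` and the landing page is TLS-terminated (`monitoring_landingpage_tls`); browsers only send `__Secure-`-prefixed cookies over HTTPS, so any link Prometheus builds from this external URL (alert source links, redirects to `/prometheus/graph`) lands on a plain-http origin where the SSO cookie is not presented and the user is bounced to login. Use `https://mon.chaos-at-home.org/prometheus/` here, and the same for `prometheus_alertmanager_web_external_url` in the `@@ -143,11 +165,11 @@` hunk, unless the nginx vhost already redirects http to https for this host, which is not visible in this diff. The `admin` → `proxy` rename of the basic-auth user matches the credential nginx injects in the `@@ -239,3 +269,21 @@` hunk, so the vault entry `vault_prometheus_server_auth_user_passwords['proxy']` must exist before this is deployed.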
@@ -109,7 +131,7 @@ prometheus_job_multitarget_blackbox__probe:
     target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
     module: ssh_banner
   - instance: "https-mon.chaos-at-home.org"
-    target: "https://{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+    target: "https://{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/healthz"
     module: http_tls_2xx
 
 prometheus_job_multitarget_ssl__probe:
@@ -143,11 +165,11 @@ prometheus_alertmanager_smtp:
   from: "noreply@chaos-at-home.org"
   require_tls: no
 
-prometheus_alertmanager_web_external_url: "http://{{ network.primary.address | ansible.utils.ipaddr('address') }}/alertmanager/"
+prometheus_alertmanager_web_external_url: "http://mon.chaos-at-home.org/alertmanager/"
 
 prometheus_alertmanager_auth_users:
   server: "{{ vault_prometheus_alertmanager_auth_user_passwords['server'] }}"
-  admin: "{{ vault_prometheus_alertmanager_auth_user_passwords['admin'] }}"
+  proxy: "{{ vault_prometheus_alertmanager_auth_user_passwords['proxy'] }}"
 
 prometheus_alertmanager_route:
   receiver: empty
@@ -168,6 +190,13 @@ prometheus_alertmanager_receivers:
 
 grafana_secret_key: "{{ vault_grafana_secret_key }}"
 
+grafana_config_auth:
+  disable_signout_menu: true
+
+grafana_config_auth_proxy:
+  enabled: true
+  whitelist: 127.0.0.1
+
 grafana_datasources:
   - name: "Prometheus"
     type: "prometheus"
@@ -204,6 +233,7 @@ grafana_dashboards:
 
 grafana_admin_password: "{{ vault_grafana_admin_password }}"
 
+
 monitoring_landingpage_hostnames:
   - "mon.chaos-at-home.org"
 monitoring_landingpage_title: "chaos@home Monitoring Host"
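Review bot: `grafana_config_auth_proxy` turns on header-based login with only `enabled` and `whitelist` set, so the trusted header name and whether unknown users are auto-created both fall back to Grafana's defaults for the `[auth.proxy]` section this presumably renders into (`X-WEBAUTH-USER`, and `auto_sign_up` enabled upstream). The nginx side in the `@@ -239,3 +269,21 @@` hunk sends `X-WEBAUTH-USER`, so pin that contract here, `header_name: X-WEBAUTH-USER`, and write `auto_sign_up` explicitly so it is visible that every SSO user gets a Grafana account with the default role. The `127.0.0.1` whitelist trusts any local process that can reach Grafana's listen port, not only nginx, so Grafana's own bind address should remain on loopback; that setting is outside this diff. `disable_signout_menu: true` is consistent with the session now being owned by the SSO cookie rather than Grafana.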
@@ -239,3 +269,21 @@ monitoring_landingpage_tls:
   not_before: +0h
   not_after: +365d
   renew_margin: +70d
+
+monitoring_landingpage_vhost_extra_directives: |
+  include snippets/whawty-sso-chaos-at-home.conf;
+
+  location = /healthz {
+    auth_request off;
+    return 200;
+  }
+
+monitoring_landingpage_service_extra_directives:
+  prometheus: |
+    proxy_set_header Authorization "Basic {{ ('proxy:'~prometheus_server_auth_users['proxy']) | b64encode }}";
+  alertmanager: |
+    proxy_set_header Authorization "Basic {{ ('proxy:'~prometheus_alertmanager_auth_users['proxy']) | b64encode }}";
+  grafana: |
+    auth_request_set $username $upstream_http_x_username;
+    proxy_set_header X-WEBAUTH-USER $username;
+    proxy_set_header Authorization "";
-- 
cgit v1.2.3
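Review bot: The `prometheus` and `alertmanager` entries of `monitoring_landingpage_service_extra_directives` replace the client's `Authorization` header with the single fixed `proxy` basic-auth credential for every request the SSO auth_request lets through, so upstream Prometheus and Alertmanager see all users as `proxy` and their access logs lose the individual identity. The `grafana` entry already recovers the SSO user with `auth_request_set $username $upstream_http_x_username;`; doing the same in the other two entries and adding `proxy_set_header X-Forwarded-User $username;` keeps the identity available upstream without changing the authorization model. The base64 of `proxy:<password>` is rendered verbatim into the vhost file, so that file's owner and mode should be as restrictive as the vault it came from; the role that writes it is outside this diff. `/healthz` is an exact `location =` match with `auth_request off` and matches the probe target changed in the `@@ -109,7 +131,7 @@` hunk; keep it exact so nothing under that prefix inherits the bypass.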