From 063bdb70a8e8353908ca9742e05be8fac65a61bf Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Sat, 25 Sep 2021 23:36:40 +0200
Subject: move away from exporter-exporter in favor for nginx

---
 .../exporter/base/templates/nginx-vhost.j2         | 19 +++++++++++++
 .../prometheus/exporter/base/templates/service.j2  | 32 ----------------------
 2 files changed, 19 insertions(+), 32 deletions(-)
 create mode 100644 roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.j2
 delete mode 100644 roles/monitoring/prometheus/exporter/base/templates/service.j2

(limited to 'roles/monitoring/prometheus/exporter/base/templates')

diff --git a/roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.j2 b/roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.j2
new file mode 100644
index 00000000..70e65b29
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.j2
@@ -0,0 +1,19 @@
+server {
+    listen {{ prometheus_exporter_listen }} ssl;
+    server_name _;
+
+    ssl_certificate /etc/ssl/prometheus/exporter/crt.pem;
+    ssl_certificate_key /etc/ssl/prometheus/exporter/key.pem;
+    ssl_client_certificate /etc/ssl/prometheus/ca-crt.pem;
+    ssl_verify_client on;
+
+    root /nonexistent;
+
+    location = / {
+        return 404 'please specify the exporter you want to reach!';
+    }
+
+    include snippets/proxy-nobuff.conf;
+
+    include /etc/prometheus/exporter/*.locations;
+}
diff --git a/roles/monitoring/prometheus/exporter/base/templates/service.j2 b/roles/monitoring/prometheus/exporter/base/templates/service.j2
deleted file mode 100644
index 3d44744a..00000000
--- a/roles/monitoring/prometheus/exporter/base/templates/service.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-[Unit]
-Description=Prometheus exporter proxy
-
-[Service]
-Restart=always
-User=prometheus-exporter
-ExecStart=/usr/bin/prometheus-exporter-exporter -config.dirs=/etc/prometheus/exporter/exporter -config.file="" -web.listen-address="" -web.tls.listen-address="{{ prometheus_exporter_listen }}" -web.tls.cert="/etc/ssl/prometheus/exporter/crt.pem" -web.tls.key="/etc/ssl/prometheus/exporter/key.pem" --web.tls.ca="/etc/ssl/prometheus/ca-crt.pem" -web.tls.verify
-{# TODO: implement reloading once the exporter_exporter supports this #}
-
-# systemd hardening-options
-AmbientCapabilities=
-CapabilityBoundingSet=
-DeviceAllow=/dev/null rw
-DevicePolicy=strict
-LockPersonality=true
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-PrivateUsers=true
-ProtectControlGroups=true
-ProtectHome=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectSystem=strict
-RemoveIPC=true
-RestrictNamespaces=true
-RestrictRealtime=true
-SystemCallArchitectures=native
-
-[Install]
-WantedBy=multi-user.target
-- 
cgit v1.2.3