From e29ce4fdbe2ce669c62777fffa18ae8557e54a73 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 30 May 2021 22:28:46 +0200
Subject: prometheus: initial simple server role
---
 .../server/templates/prometheus.service.j2 | 38 ++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 roles/monitoring/prometheus/server/templates/prometheus.service.j2
(limited to 'roles/monitoring/prometheus/server/templates/prometheus.service.j2')
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 b/roles/monitoring/prometheus/server/templates/prometheus.service.j2
new file mode 100644
index 00000000..0530e589
--- /dev/null
+++ b/roles/monitoring/prometheus/server/templates/prometheus.service.j2
@@ -0,0 +1,38 @@
+[Unit]
+Description=Monitoring system and time series database
+Documentation=https://prometheus.io/docs/introduction/overview/ man:prometheus(1)
+After=time-sync.target
+
+[Service]
+Restart=on-failure
+User=prometheus
+ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}
+ExecReload=/bin/kill -HUP $MAINPID
+TimeoutStopSec=20s
+SendSIGKILL=no
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LimitMEMLOCK=0
+LimitNOFILE=8192
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
-- cgit v1.2.3
From 6c990fd148f8813dcbafbf2e27fa5ecbe88af5dc Mon Sep 17 00:00:00 2001
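Review bot: `ProtectSystem=full` in the hardening block makes only `/usr`, the boot loader directories and `/etc` read-only, so all of `/var` remains writable to the service, although the only path the ExecStart line writes to is `/var/lib/prometheus/metrics2/`. `ProtectSystem=strict` combined with `ReadWritePaths=/var/lib/prometheus` would confine writes to the TSDB directory and fits the rest of the options listed here. The retention value is also interpolated unquoted into ExecStart, so it is worth a comment or validation that `prometheus_server_retention` must be a single token such as a duration.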
From: Christian Pointner Date: Thu, 24 Jun 2021 22:29:26 +0200 Subject: move monitoring web interfaces into common nginx vhost --- chaos-at-home/ch-mon.yml | 13 +++++++++++++ inventory/host_vars/ch-mon.yml | 7 +++++++ roles/monitoring/grafana/tasks/main.yml | 15 --------------- .../monitoring/prometheus/alertmanager/defaults/main.yml | 3 +++ .../templates/prometheus-alertmanager.service.j2 | 2 +- roles/monitoring/prometheus/server/defaults/main/main.yml | 4 ++++ .../prometheus/server/templates/prometheus.service.j2 | 2 +- .../prometheus/server/templates/prometheus.yml.j2 | 9 +++++++++ 8 files changed, 38 insertions(+), 17 deletions(-) (limited to 'roles/monitoring/prometheus/server/templates/prometheus.service.j2') diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml index 906e8adc..bb20677f 100644 --- a/chaos-at-home/ch-mon.yml +++ b/chaos-at-home/ch-mon.yml @@ -15,3 +15,16 @@ - role: monitoring/prometheus/alertmanager - role: monitoring/prometheus/server - role: monitoring/grafana + - role: nginx/vhost + nginx_vhost: + name: monitoring + template: generic-proxy-no-buffering + hostnames: + - "_" + locations: + '/grafana/': + proxy_pass: "http://127.0.0.1:3000" + '/prometheus/': + proxy_pass: "http://127.0.0.1:9090" + '/alertmanager/': + proxy_pass: "http://127.0.0.1:9093" diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml index 111ffb55..118e7f0b 100644 --- a/inventory/host_vars/ch-mon.yml +++ b/inventory/host_vars/ch-mon.yml @@ -63,6 +63,9 @@ prometheus_server_storage: prometheus_server_alertmanager: url: "127.0.0.1:9093" + path_prefix: "/alertmanager/" + +prometheus_server_web_external_url: /prometheus/ prometheus_exporters_extra: 
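Review bot: The new `monitoring` vhost answers on the catch-all hostname `"_"` and proxies `/prometheus/` and `/alertmanager/` to the loopback listeners, and nothing in this hunk puts authentication or an address restriction in front of them. The unit files in this commit configure no authentication for either service, so anyone who can reach nginx would get the query API, the target list and the alert silencing interface. The removed grafana vhost shows that a location accepts `extra_directives`, so these two locations could carry `auth_basic`/`auth_basic_user_file` or `allow`/`deny` lines there, unless the `generic-proxy-no-buffering` template already enforces this (not visible here). The `/grafana/` location also no longer carries the `client_max_body_size 0;` directive the old per-role vhost had.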
@@ -72,11 +75,15 @@ prometheus_exporter_blackbox_modules_extra: icmp: prober: icmp + promethues_alertmanager_smtp: smarthost: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ipaddr('address') }}:25" from: "noreply@chaos-at-home.org" require_tls: no +prometheus_alertmanager_web_route_prefix: /alertmanager/ + + grafana_secret_key: "{{ vault_grafana_secret_key }}" grafana_config_smtp: diff --git a/roles/monitoring/grafana/tasks/main.yml b/roles/monitoring/grafana/tasks/main.yml index 55cce412..8698c036 100644 --- a/roles/monitoring/grafana/tasks/main.yml +++ b/roles/monitoring/grafana/tasks/main.yml @@ -79,18 +79,3 @@ name: grafana-server state: started enabled: yes - -- name: configure nginx vhost - vars: - nginx_vhost: - name: grafana - template: generic-proxy-no-buffering - hostnames: - - "_" - locations: - '/': - proxy_pass: "http://127.0.0.1:{{ grafana_config_server.http_port | default(3000) }}" - extra_directives: |- - client_max_body_size 0; - include_role: - name: nginx/vhost diff --git a/roles/monitoring/prometheus/alertmanager/defaults/main.yml b/roles/monitoring/prometheus/alertmanager/defaults/main.yml index 34b03df0..62663ab8 100644 --- a/roles/monitoring/prometheus/alertmanager/defaults/main.yml +++ b/roles/monitoring/prometheus/alertmanager/defaults/main.yml @@ -3,3 +3,6 @@ promethues_alertmanager_smtp: smarthost: "127.0.0.1:25" from: "noreply@example.com" require_tls: no + +prometheus_alertmanager_web_listen_address: 127.0.0.1:9093 +# prometheus_alertmanager_web_route_prefix: /alertmanager/ diff --git a/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 b/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 index f290dca8..e548607d 100644 --- a/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 +++ b/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 
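Review bot: The default `prometheus_alertmanager_web_listen_address: 127.0.0.1:9093` is what keeps the Alertmanager UI and API off the network, but the defaults file does not say so, and an override in host_vars would silently expose it. A comment above the variable would record the intent, e.g. `# loopback only: no authentication is configured, publish through the nginx vhost`. The same applies to `prometheus_server_web_listen_address` in `roles/monitoring/prometheus/server/defaults/main/main.yml`. Quoting the value as `"127.0.0.1:9093"` would also match the quoted `smarthost` entry above it.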
@@ -5,7 +5,7 @@ Documentation=https://prometheus.io/docs/alerting/alertmanager/ [Service] Restart=on-failure User=prometheus-alertmanager -ExecStart=/usr/bin/prometheus-alertmanager --config.file=/etc/prometheus/alertmanager.yml --cluster.listen-address= --storage.path="/var/lib/prometheus/alertmanager" +ExecStart=/usr/bin/prometheus-alertmanager --config.file=/etc/prometheus/alertmanager.yml --cluster.listen-address= --storage.path="/var/lib/prometheus/alertmanager"{% if prometheus_alertmanager_web_route_prefix is defined %} --web.route-prefix={{ prometheus_alertmanager_web_route_prefix }}{% endif %} --web.listen-address={{ prometheus_alertmanager_web_listen_address }} ExecReload=/bin/kill -HUP $MAINPID TimeoutStopSec=20s SendSIGKILL=no diff --git a/roles/monitoring/prometheus/server/defaults/main/main.yml b/roles/monitoring/prometheus/server/defaults/main/main.yml index 8e7fea4b..c9291172 100644 --- a/roles/monitoring/prometheus/server/defaults/main/main.yml +++ b/roles/monitoring/prometheus/server/defaults/main/main.yml @@ -14,3 +14,7 @@ prometheus_server_rules: # prometheus_server_alertmanager: # url: "127.0.0.1:9093" +# path_prefix: / + +prometheus_server_web_listen_address: 127.0.0.1:9090 +# prometheus_server_web_external_url: /prometheus/ diff --git a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 b/roles/monitoring/prometheus/server/templates/prometheus.service.j2 index 0530e589..3a366a61 100644 --- a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 +++ b/roles/monitoring/prometheus/server/templates/prometheus.service.j2 
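Review bot: `--web.route-prefix={{ ... }}` and `--web.listen-address={{ ... }}` are interpolated into ExecStart without quotes, so a variable value containing whitespace would be split by systemd into additional command-line arguments for the daemon. Writing them the way `--storage.path="..."` already appears on this line keeps each value a single argument: `--web.listen-address="{{ prometheus_alertmanager_web_listen_address }}"`. The ExecStart change in `prometheus.service.j2` (`--web.external-url`, `--web.listen-address`) has the same form. The [Service] section continues outside the hunk.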
@@ -6,7 +6,7 @@ After=time-sync.target [Service] Restart=on-failure User=prometheus -ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }} +ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}{% if prometheus_server_web_external_url is defined %} --web.external-url={{ prometheus_server_web_external_url }}{% endif %} --web.listen-address={{ prometheus_server_web_listen_address }} ExecReload=/bin/kill -HUP $MAINPID TimeoutStopSec=20s SendSIGKILL=no diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 index c76990f4..69d5bcdc 100644 --- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 +++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 @@ -12,10 +12,16 @@ alerting: alertmanagers: - static_configs: - targets: ['{{ prometheus_server_alertmanager.url }}'] +{% if 'path_prefix' in prometheus_server_alertmanager %} + path_prefix: '{{ prometheus_server_alertmanager.path_prefix }}' +{% endif %} {% endif %} scrape_configs: - job_name: 'prometheus' +{% if prometheus_server_web_external_url is defined %} + metrics_path: '{{ (prometheus_server_web_external_url | urlsplit('path'), 'metrics') | path_join }}' +{% endif %} static_configs: - targets: ['localhost:9090'] labels: @@ -23,6 +29,9 @@ scrape_configs: {% if prometheus_server_alertmanager is defined %} - job_name: 'alertmanager' +{% if 'path_prefix' in prometheus_server_alertmanager %} + metrics_path: '{{ (prometheus_server_alertmanager.path_prefix, 'metrics') | path_join }}' +{% endif %} static_configs: - targets: ['{{ prometheus_server_alertmanager.url }}'] {% endif %} -- cgit v1.2.3
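Review bot: The `prometheus` scrape job gains a `metrics_path` derived from `prometheus_server_web_external_url`, but its target stays the literal `'localhost:9090'` even though this commit makes the listener configurable through `prometheus_server_web_listen_address`. Changing that variable would leave the self-scrape pointing at the old port and the job would just show as down; deriving the target from the variable, e.g. `- targets: ['{{ prometheus_server_web_listen_address }}']`, keeps the two in step (a wildcard bind address would need separate handling). The `alertmanager` job has a similar coupling: `prometheus_server_alertmanager.url` and `path_prefix` must be kept equal by hand to the `prometheus_alertmanager_web_*` role variables and to the nginx location, which deserves a comment next to the `path_prefix` block.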