From 063bdb70a8e8353908ca9742e05be8fac65a61bf Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sat, 25 Sep 2021 23:36:40 +0200 Subject: move away from exporter-exporter in favor for nginx --- .../prometheus/exporter/base/defaults/main.yml | 2 +- .../prometheus/exporter/base/handlers/main.yml | 6 ++-- .../prometheus/exporter/base/tasks/main.yml | 30 +++++--------------- .../exporter/base/templates/nginx-vhost.j2 | 19 +++++++++++++ .../prometheus/exporter/base/templates/service.j2 | 32 ---------------------- .../prometheus/exporter/blackbox/handlers/main.yml | 7 ++--- .../prometheus/exporter/blackbox/tasks/main.yml | 11 ++++---- .../prometheus/exporter/ipmi/handlers/main.yml | 7 ++--- .../prometheus/exporter/ipmi/tasks/main.yml | 21 ++++++-------- roles/monitoring/prometheus/exporter/meta/main.yml | 10 ++++--- .../prometheus/exporter/mikrotik/handlers/main.yml | 7 ++--- .../prometheus/exporter/mikrotik/tasks/main.yml | 10 +++---- .../prometheus/exporter/node/handlers/main.yml | 7 ++--- .../prometheus/exporter/node/tasks/main.yml | 10 +++---- .../prometheus/exporter/nut/handlers/main.yml | 7 ++--- .../prometheus/exporter/nut/tasks/main.yml | 14 ++++++---- .../server/templates/jobs/blackbox/https.j2 | 3 +- .../server/templates/jobs/blackbox/ping.j2 | 3 +- .../server/templates/jobs/blackbox/ssh.j2 | 3 +- .../prometheus/server/templates/jobs/generic.j2 | 5 +--- .../prometheus/server/templates/jobs/node.j2 | 5 +--- .../prometheus/server/templates/jobs/nut/ups.j2 | 5 +--- 22 files changed, 88 insertions(+), 136 deletions(-) create mode 100644 roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.j2 delete mode 100644 roles/monitoring/prometheus/exporter/base/templates/service.j2 (limited to 'roles/monitoring') diff --git a/roles/monitoring/prometheus/exporter/base/defaults/main.yml b/roles/monitoring/prometheus/exporter/base/defaults/main.yml index 963763a5..613943d8 100644 --- a/roles/monitoring/prometheus/exporter/base/defaults/main.yml 
+++ b/roles/monitoring/prometheus/exporter/base/defaults/main.yml @@ -1,2 +1,2 @@ --- -prometheus_exporter_listen: ":9999" +prometheus_exporter_listen: "9999" diff --git a/roles/monitoring/prometheus/exporter/base/handlers/main.yml b/roles/monitoring/prometheus/exporter/base/handlers/main.yml index ebd760cf..d4e42ca0 100644 --- a/roles/monitoring/prometheus/exporter/base/handlers/main.yml +++ b/roles/monitoring/prometheus/exporter/base/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: restart prometheus-exporter-exporter +- name: reload nginx service: - name: prometheus-exporter-exporter - state: restarted + name: nginx + state: reloaded diff --git a/roles/monitoring/prometheus/exporter/base/tasks/main.yml b/roles/monitoring/prometheus/exporter/base/tasks/main.yml index eeb2a23d..5f42867d 100644 --- a/roles/monitoring/prometheus/exporter/base/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/base/tasks/main.yml @@ -6,17 +6,6 @@ - spreadspace_apt_repo_components is defined - "'prometheus' in spreadspace_apt_repo_components" - ## TODO: pin version -- name: install apt packages - apt: - name: prom-exporter-exporter - state: present - -- name: create configuration directories - file: - path: /etc/prometheus/exporter/exporter - state: directory - - name: add user for prometheus-exporter user: name: prometheus-exporter @@ -27,15 +16,10 @@ - name: create TLS certificate and key import_tasks: tls.yml -- name: generate systemd service unit - template: - src: service.j2 - dest: /etc/systemd/system/prometheus-exporter-exporter.service - notify: restart prometheus-exporter-exporter - -- name: make sure prometheus-exporter-exporter is enabled and started - systemd: - name: prometheus-exporter-exporter.service - daemon_reload: yes - state: started - enabled: yes +- name: configure nginx vhost + import_role: + name: nginx/vhost + vars: + nginx_vhost: + name: prometheus-exporter + content: "{{ lookup('template', 'nginx-vhost.j2') }}" 
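Review bot: The new default in the base/defaults/main.yml hunk changes `prometheus_exporter_listen` from a Go listen address (`":9999"`) to the argument of nginx's `listen` directive, and nothing in the patch catches inventory overrides still written in the old form. A host or group variable such as `":9999"` would now render `listen :9999 ssl;`, which nginx is expected to reject at config test, so the reload would fail. A bare port also makes nginx bind the IPv4 wildcard only, whereas the Go listener on `:9999` normally accepted IPv6 as well. If any scraper reaches exporters over IPv6, the vhost template needs a second line, `listen [::]:{{ prometheus_exporter_listen }} ssl;`. A comment on the default, for example `## argument for nginx 'listen': port or address:port, not ":port"`, would document the new format.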
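Review bot: After the base/tasks/main.yml hunks no visible task creates `/etc/prometheus/exporter`, yet the new vhost includes `/etc/prometheus/exporter/*.locations` and every exporter role copies a file into that directory. The removed `create configuration directories` task created `/etc/prometheus/exporter/exporter` and with it the parent, so unless a role outside this patch creates the directory, `copy` will fail on a fresh host. Because the files there are included verbatim into the nginx configuration, the directory should be created explicitly, owned by root and not writable by group or others, as sketched below. The `add user for prometheus-exporter` task also stays, although the service that ran as that user is removed; whether tls.yml still needs the account cannot be seen from this hunk.

```yaml
- name: create directory for nginx location snippets
  file:
    path: /etc/prometheus/exporter
    state: directory
    owner: root
    group: root
    mode: "0755"

# … unchanged: add user for prometheus-exporter, tls.yml import, nginx vhost …
```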
diff --git a/roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.j2 b/roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.j2 new file mode 100644 index 00000000..70e65b29 --- /dev/null +++ b/roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.j2 @@ -0,0 +1,19 @@ +server { + listen {{ prometheus_exporter_listen }} ssl; + server_name _; + + ssl_certificate /etc/ssl/prometheus/exporter/crt.pem; + ssl_certificate_key /etc/ssl/prometheus/exporter/key.pem; + ssl_client_certificate /etc/ssl/prometheus/ca-crt.pem; + ssl_verify_client on; + + root /nonexistent; + + location = / { + return 404 'please specify the exporter you want to reach!'; + } + + include snippets/proxy-nobuff.conf; + + include /etc/prometheus/exporter/*.locations; +} diff --git a/roles/monitoring/prometheus/exporter/base/templates/service.j2 b/roles/monitoring/prometheus/exporter/base/templates/service.j2 deleted file mode 100644 index 3d44744a..00000000 --- a/roles/monitoring/prometheus/exporter/base/templates/service.j2 +++ /dev/null 
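Review bot: Any certificate that chains to `/etc/ssl/prometheus/ca-crt.pem` is authorised for every included location, because `ssl_verify_client on` is the only access check in the nginx-vhost.j2 server block. The server job templates later in this patch use the same CA path to verify the exporters. If one CA issues both roles, an exporter host's own certificate may be accepted as a client here unless its key usage rules that out; this depends on tls.yml, which is not shown. A subject check such as `if ($ssl_client_s_dn !~ "CN=<expected-scraper-cn>") { return 403; }` (placeholder CN) would narrow access to the scraper. The block also sets no `ssl_protocols`, so protocol and cipher policy are inherited from the global nginx configuration, and the listener no longer runs under the systemd sandbox of the removed service.j2.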
@@ -1,32 +0,0 @@ -[Unit] -Description=Prometheus exporter proxy - -[Service] -Restart=always -User=prometheus-exporter -ExecStart=/usr/bin/prometheus-exporter-exporter -config.dirs=/etc/prometheus/exporter/exporter -config.file="" -web.listen-address="" -web.tls.listen-address="{{ prometheus_exporter_listen }}" -web.tls.cert="/etc/ssl/prometheus/exporter/crt.pem" -web.tls.key="/etc/ssl/prometheus/exporter/key.pem" --web.tls.ca="/etc/ssl/prometheus/ca-crt.pem" -web.tls.verify -{# TODO: implement reloading once the exporter_exporter supports this #} - -# systemd hardening-options -AmbientCapabilities= -CapabilityBoundingSet= -DeviceAllow=/dev/null rw -DevicePolicy=strict -LockPersonality=true -MemoryDenyWriteExecute=true -NoNewPrivileges=true -PrivateDevices=true -PrivateTmp=true -PrivateUsers=true -ProtectControlGroups=true -ProtectHome=true -ProtectKernelModules=true -ProtectKernelTunables=true -ProtectSystem=strict -RemoveIPC=true -RestrictNamespaces=true -RestrictRealtime=true -SystemCallArchitectures=native - -[Install] -WantedBy=multi-user.target diff --git a/roles/monitoring/prometheus/exporter/blackbox/handlers/main.yml b/roles/monitoring/prometheus/exporter/blackbox/handlers/main.yml index 99a416e2..12250769 100644 --- a/roles/monitoring/prometheus/exporter/blackbox/handlers/main.yml +++ b/roles/monitoring/prometheus/exporter/blackbox/handlers/main.yml @@ -9,8 +9,7 @@ name: prometheus-blackbox-exporter state: reloaded -- name: reload prometheus-exporter-exporter +- name: reload nginx service: - name: prometheus-exporter-exporter - ## TODO: implement reload once exporter_exporter supports this... - state: restarted + name: nginx + state: reloaded diff --git a/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml b/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml index 782c3561..f9793df6 100644 --- a/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml 
@@ -32,9 +32,8 @@ - name: register exporter copy: content: | - method: http - http: - port: 9115 - path: /probe - dest: /etc/prometheus/exporter/exporter/blackbox.yml - notify: reload prometheus-exporter-exporter + location = /blackbox { + proxy_pass http://127.0.0.1:9115/probe; + } + dest: /etc/prometheus/exporter/blackbox.locations + notify: reload nginx diff --git a/roles/monitoring/prometheus/exporter/ipmi/handlers/main.yml b/roles/monitoring/prometheus/exporter/ipmi/handlers/main.yml index 40a945ae..a8eb55b3 100644 --- a/roles/monitoring/prometheus/exporter/ipmi/handlers/main.yml +++ b/roles/monitoring/prometheus/exporter/ipmi/handlers/main.yml @@ -9,8 +9,7 @@ name: prometheus-ipmi-exporter state: reloaded -- name: reload prometheus-exporter-exporter +- name: reload nginx service: - name: prometheus-exporter-exporter - ## TODO: implement reload once exporter_exporter supports this... - state: restarted + name: nginx + state: reloaded diff --git a/roles/monitoring/prometheus/exporter/ipmi/tasks/main.yml b/roles/monitoring/prometheus/exporter/ipmi/tasks/main.yml index 9e63f692..91318f16 100644 --- a/roles/monitoring/prometheus/exporter/ipmi/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/ipmi/tasks/main.yml @@ -30,18 +30,13 @@ enabled: yes - name: register exporter - loop: - - name: local - path: /metrics - - name: remote - path: /ipmi - loop_control: - label: "{{ item.name }}" copy: content: | - method: http - http: - port: 9290 - path: {{ item.path }} - dest: "/etc/prometheus/exporter/exporter/ipmi-{{ item.name }}.yml" - notify: reload prometheus-exporter-exporter + location = /ipmi { + proxy_pass http://127.0.0.1:9290/metrics; + } + location = /ipmi/remote { + proxy_pass http://127.0.0.1:9290/ipmi; + } + dest: /etc/prometheus/exporter/ipmi.locations + notify: reload nginx diff --git a/roles/monitoring/prometheus/exporter/meta/main.yml b/roles/monitoring/prometheus/exporter/meta/main.yml index 22131422..68fce6cb 100644 
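Review bot: The client-certificate check in nginx only protects the exporter if the upstream at `127.0.0.1:9115` is not also reachable directly, and the `register exporter` hunk in blackbox/tasks/main.yml does not show where the exporter itself listens. The exporter's service options lie outside the hunk and need checking; the same applies to the ipmi (9290), mikrotik (9436), node (9100) and nut (9199) register hunks. `/blackbox` also forwards to `/probe`, whose target is taken from the request, so every accepted client certificate can make this host probe destinations of its choosing. That was already true with exporter_exporter, but it is a reason to keep the client CA narrow. I would add a comment above the task, `## exporter must listen on 127.0.0.1 only; nginx is the only authenticated entry point`, and set `mode: "0644"` on the copied file so its permissions do not depend on the umask.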
--- a/roles/monitoring/prometheus/exporter/meta/main.yml +++ b/roles/monitoring/prometheus/exporter/meta/main.yml @@ -1,11 +1,13 @@ --- dependencies: - role: monitoring/prometheus/exporter/base - - role: monitoring/prometheus/exporter/node - when: "'node' in (prometheus_exporters_default | union(prometheus_exporters_extra))" - role: monitoring/prometheus/exporter/blackbox when: "'blackbox' in (prometheus_exporters_default | union(prometheus_exporters_extra))" - - role: monitoring/prometheus/exporter/nut - when: "'nut' in (prometheus_exporters_default | union(prometheus_exporters_extra))" + - role: monitoring/prometheus/exporter/ipmi + when: "'ipmi' in (prometheus_exporters_default | union(prometheus_exporters_extra))" - role: monitoring/prometheus/exporter/mikrotik when: "'mikrotik' in (prometheus_exporters_default | union(prometheus_exporters_extra))" + - role: monitoring/prometheus/exporter/node + when: "'node' in (prometheus_exporters_default | union(prometheus_exporters_extra))" + - role: monitoring/prometheus/exporter/nut + when: "'nut' in (prometheus_exporters_default | union(prometheus_exporters_extra))" diff --git a/roles/monitoring/prometheus/exporter/mikrotik/handlers/main.yml b/roles/monitoring/prometheus/exporter/mikrotik/handlers/main.yml index cb85d0d9..c5844220 100644 --- a/roles/monitoring/prometheus/exporter/mikrotik/handlers/main.yml +++ b/roles/monitoring/prometheus/exporter/mikrotik/handlers/main.yml @@ -4,8 +4,7 @@ name: prometheus-mikrotik-exporter state: restarted -- name: reload prometheus-exporter-exporter +- name: reload nginx service: - name: prometheus-exporter-exporter - ## TODO: implement reload once exporter_exporter supports this... - state: restarted + name: nginx + state: reloaded diff --git a/roles/monitoring/prometheus/exporter/mikrotik/tasks/main.yml b/roles/monitoring/prometheus/exporter/mikrotik/tasks/main.yml index 07219c68..72c78e4a 100644 --- a/roles/monitoring/prometheus/exporter/mikrotik/tasks/main.yml 
+++ b/roles/monitoring/prometheus/exporter/mikrotik/tasks/main.yml @@ -35,8 +35,8 @@ - name: register exporter copy: content: | - method: http - http: - port: 9436 - dest: /etc/prometheus/exporter/exporter/mikrotik.yml - notify: reload prometheus-exporter-exporter + location = /mikrotik { + proxy_pass http://127.0.0.1:9436/metrics; + } + dest: /etc/prometheus/exporter/mikrotik.locations + notify: reload nginx diff --git a/roles/monitoring/prometheus/exporter/node/handlers/main.yml b/roles/monitoring/prometheus/exporter/node/handlers/main.yml index 3e1b2000..56056ea6 100644 --- a/roles/monitoring/prometheus/exporter/node/handlers/main.yml +++ b/roles/monitoring/prometheus/exporter/node/handlers/main.yml @@ -4,8 +4,7 @@ name: prometheus-node-exporter state: restarted -- name: reload prometheus-exporter-exporter +- name: reload nginx service: - name: prometheus-exporter-exporter - ## TODO: implement reload once exporter_exporter supports this... - state: restarted + name: nginx + state: reloaded diff --git a/roles/monitoring/prometheus/exporter/node/tasks/main.yml b/roles/monitoring/prometheus/exporter/node/tasks/main.yml index 56903a33..2811c759 100644 --- a/roles/monitoring/prometheus/exporter/node/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/node/tasks/main.yml @@ -28,11 +28,11 @@ - name: register exporter copy: content: | - method: http - http: - port: 9100 - dest: /etc/prometheus/exporter/exporter/node.yml - notify: reload prometheus-exporter-exporter + location = /node { + proxy_pass http://127.0.0.1:9100/metrics; + } + dest: /etc/prometheus/exporter/node.locations + notify: reload nginx - name: create directory for textfile collector scripts file: diff --git a/roles/monitoring/prometheus/exporter/nut/handlers/main.yml b/roles/monitoring/prometheus/exporter/nut/handlers/main.yml index 6e10f43b..edd87ed5 100644 --- a/roles/monitoring/prometheus/exporter/nut/handlers/main.yml +++ b/roles/monitoring/prometheus/exporter/nut/handlers/main.yml 
@@ -4,8 +4,7 @@ name: prometheus-nut-exporter state: restarted -- name: reload prometheus-exporter-exporter +- name: reload ngnix service: - name: prometheus-exporter-exporter - ## TODO: implement reload once exporter_exporter supports this... - state: restarted + name: nginx + state: reloaded diff --git a/roles/monitoring/prometheus/exporter/nut/tasks/main.yml b/roles/monitoring/prometheus/exporter/nut/tasks/main.yml index 8245feae..f602472d 100644 --- a/roles/monitoring/prometheus/exporter/nut/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/nut/tasks/main.yml @@ -21,9 +21,11 @@ - name: register exporter copy: content: | - method: http - http: - port: 9199 - path: /ups_metrics - dest: /etc/prometheus/exporter/exporter/nut.yml - notify: reload prometheus-exporter-exporter + location = /nut { + proxy_pass http://127.0.0.1:9199/metrics; + } + location = /nut/ups { + proxy_pass http://127.0.0.1:9199/ups_metrics; + } + dest: /etc/prometheus/exporter/nut.locations + notify: reload nginx diff --git a/roles/monitoring/prometheus/server/templates/jobs/blackbox/https.j2 b/roles/monitoring/prometheus/server/templates/jobs/blackbox/https.j2 index 98a64121..86ff88dd 100644 --- a/roles/monitoring/prometheus/server/templates/jobs/blackbox/https.j2 +++ b/roles/monitoring/prometheus/server/templates/jobs/blackbox/https.j2 @@ -1,8 +1,7 @@ - job_name: '{{ job }}' - metrics_path: /proxy + metrics_path: /blackbox params: module: - - blackbox - http_tls_2xx scheme: https tls_config: diff --git a/roles/monitoring/prometheus/server/templates/jobs/blackbox/ping.j2 b/roles/monitoring/prometheus/server/templates/jobs/blackbox/ping.j2 index 736ffec1..2d3889d2 100644 --- a/roles/monitoring/prometheus/server/templates/jobs/blackbox/ping.j2 +++ b/roles/monitoring/prometheus/server/templates/jobs/blackbox/ping.j2 @@ -1,8 +1,7 @@ - job_name: '{{ job }}' - metrics_path: /proxy + metrics_path: /blackbox params: module: - - blackbox - icmp scheme: https tls_config: 
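Review bot: The handler added in nut/handlers/main.yml is named `reload ngnix`, but the nut task in the following hunk notifies `reload nginx`, so this handler is never matched. The play presumably still works because the base role, a dependency in meta/main.yml, defines a handler with the correct name, which leaves the nut handler as dead code and hides the typo. The line should read `- name: reload nginx`. The same handler is repeated in the base, blackbox, ipmi, mikrotik and node roles, so keeping only the base definition would avoid this kind of mistake.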
diff --git a/roles/monitoring/prometheus/server/templates/jobs/blackbox/ssh.j2 b/roles/monitoring/prometheus/server/templates/jobs/blackbox/ssh.j2 index 166f37ad..97565673 100644 --- a/roles/monitoring/prometheus/server/templates/jobs/blackbox/ssh.j2 +++ b/roles/monitoring/prometheus/server/templates/jobs/blackbox/ssh.j2 @@ -1,8 +1,7 @@ - job_name: '{{ job }}' - metrics_path: /proxy + metrics_path: /blackbox params: module: - - blackbox - ssh_banner scheme: https tls_config: diff --git a/roles/monitoring/prometheus/server/templates/jobs/generic.j2 b/roles/monitoring/prometheus/server/templates/jobs/generic.j2 index b155c5f7..65a95007 100644 --- a/roles/monitoring/prometheus/server/templates/jobs/generic.j2 +++ b/roles/monitoring/prometheus/server/templates/jobs/generic.j2 @@ -1,8 +1,5 @@ - job_name: '{{ job }}' - metrics_path: /proxy - params: - module: - - {{ job }} + metrics_path: /{{ job }} scheme: https tls_config: ca_file: /etc/ssl/prometheus/ca-crt.pem diff --git a/roles/monitoring/prometheus/server/templates/jobs/node.j2 b/roles/monitoring/prometheus/server/templates/jobs/node.j2 index ba9eab31..1b14e1f6 100644 --- a/roles/monitoring/prometheus/server/templates/jobs/node.j2 +++ b/roles/monitoring/prometheus/server/templates/jobs/node.j2 @@ -1,8 +1,5 @@ - job_name: '{{ job }}' - metrics_path: /proxy - params: - module: - - {{ job }} + metrics_path: /{{ job }} scheme: https tls_config: ca_file: /etc/ssl/prometheus/ca-crt.pem diff --git a/roles/monitoring/prometheus/server/templates/jobs/nut/ups.j2 b/roles/monitoring/prometheus/server/templates/jobs/nut/ups.j2 index 3a2c5c62..0cf4ae4e 100644 --- a/roles/monitoring/prometheus/server/templates/jobs/nut/ups.j2 +++ b/roles/monitoring/prometheus/server/templates/jobs/nut/ups.j2 @@ -1,8 +1,5 @@ - job_name: '{{ job }}' - metrics_path: /proxy - params: - module: - - nut + metrics_path: /nut/ups scheme: https tls_config: ca_file: /etc/ssl/prometheus/ca-crt.pem -- cgit v1.2.3