From 24b9016dc29c284d38893097d15ac6672334ad78 Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Mon, 6 Sep 2021 00:24:56 +0200 Subject: [PATCH] restrict the exporter to local ip --- books/monitoring.yml | 2 +- host_vars/azerty/networking.yml | 2 + host_vars/hellman/networking.yml | 2 + host_vars/hindley/networking.yml | 2 + host_vars/matrix_server/networking.yml | 2 + host_vars/rossum/networking.yml | 2 + host_vars/vm1/ansible.yml | 2 - host_vars/vm1/networking.yml | 24 --- host_vars/vm1/vpn.yml | 13 -- host_vars/vm2/ansible.yml | 2 - host_vars/vm2/networking.yml | 11 -- host_vars/vm2/vpn.yml | 13 -- host_vars/vm3/ansible.yml | 2 - host_vars/vm3/networking.yml | 14 -- host_vars/vm3/vpn.yml | 13 -- host_vars/vm4/ansible.yml | 2 - host_vars/vm4/networking.yml | 14 -- host_vars/vm4/vpn.yml | 13 -- host_vars/vm5/ansible.yml | 2 - host_vars/vm5/networking.yml | 15 -- hosts | 16 +- .../handlers/main.yml | 5 + roles/prometheus-node-exporter/tasks/main.yml | 16 +- .../templates/prometheus-node-exporter | 138 ++++++++++++++++++ 24 files changed, 170 insertions(+), 157 deletions(-) delete mode 100644 host_vars/vm1/ansible.yml delete mode 100644 host_vars/vm1/networking.yml delete mode 100644 host_vars/vm1/vpn.yml delete mode 100644 host_vars/vm2/ansible.yml delete mode 100644 host_vars/vm2/networking.yml delete mode 100644 host_vars/vm2/vpn.yml delete mode 100644 host_vars/vm3/ansible.yml delete mode 100644 host_vars/vm3/networking.yml delete mode 100644 host_vars/vm3/vpn.yml delete mode 100644 host_vars/vm4/ansible.yml delete mode 100644 host_vars/vm4/networking.yml delete mode 100644 host_vars/vm4/vpn.yml delete mode 100644 host_vars/vm5/ansible.yml delete mode 100644 host_vars/vm5/networking.yml create mode 100644 roles/prometheus-node-exporter/handlers/main.yml create mode 100644 roles/prometheus-node-exporter/templates/prometheus-node-exporter diff --git a/books/monitoring.yml b/books/monitoring.yml index c344359..5b27479 100644 --- a/books/monitoring.yml 
+++ b/books/monitoring.yml @@ -1,6 +1,6 @@ #!/usr/bin/env ansible-playbook --- -- hosts: prometheus-server +- hosts: prometheus_server roles: - prometheus diff --git a/host_vars/azerty/networking.yml b/host_vars/azerty/networking.yml index 04d24d7..52a91b9 100644 --- a/host_vars/azerty/networking.yml +++ b/host_vars/azerty/networking.yml @@ -12,3 +12,5 @@ interfaces: ipv4_forwarding: false ipv6_forwarding: false + +lan_address: "{{ intranet.subnets.physical.subnets.azerty.ipv4 }}" diff --git a/host_vars/hellman/networking.yml b/host_vars/hellman/networking.yml index 17eeafe..c4a499e 100644 --- a/host_vars/hellman/networking.yml +++ b/host_vars/hellman/networking.yml @@ -22,3 +22,5 @@ interfaces: ipv4_forwarding: true ipv6_forwarding: false + +lan_address: "{{ intranet.subnets.physical.subnets.hellman.ipv4 }}" diff --git a/host_vars/hindley/networking.yml b/host_vars/hindley/networking.yml index 6826896..efdd3e5 100644 --- a/host_vars/hindley/networking.yml +++ b/host_vars/hindley/networking.yml @@ -10,3 +10,5 @@ interfaces: ipv4_forwarding: true ipv6_forwarding: false + +lan_address: "{{ intranet.subnets.physical.subnets.hindley.ipv4 }}" diff --git a/host_vars/matrix_server/networking.yml b/host_vars/matrix_server/networking.yml index 3da7101..de2694d 100644 --- a/host_vars/matrix_server/networking.yml +++ b/host_vars/matrix_server/networking.yml @@ -9,3 +9,5 @@ interfaces: ipv4_forwarding: false ipv6_forwarding: false + +lan_address: "{{ intranet.subnets.physical.subnets.matrix.ipv4 }}" diff --git a/host_vars/rossum/networking.yml b/host_vars/rossum/networking.yml index 6bcc4ed..fe3abce 100644 --- a/host_vars/rossum/networking.yml +++ b/host_vars/rossum/networking.yml @@ -12,3 +12,5 @@ interfaces: ipv4_forwarding: false ipv6_forwarding: false + +lan_address: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}" diff --git a/host_vars/vm1/ansible.yml b/host_vars/vm1/ansible.yml deleted file mode 100644 index 7827357..0000000 
--- a/host_vars/vm1/ansible.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -ansible_host: "vm1" diff --git a/host_vars/vm1/networking.yml b/host_vars/vm1/networking.yml deleted file mode 100644 index 3ac5ae7..0000000 --- a/host_vars/vm1/networking.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -interfaces: - enp0s3: - type: void - br0: - ipv4: 10.0.2.5 - netmaskv4: 24 - type: static - bridge: true - gateway: 10.0.2.1 - interfaces: - - enp0s3 - br1: - type: manual - bridge: true - interfaces: - - enp0s3.42 - wg0: - ipv4: "{{ intranet.subnets.test.subnets.vm1.ipv4 }}" - netmaskv4: "{{ intranet.netmaskv4 }}" - type: wireguard - -ipv4_forwarding: false -ipv6_forwarding: false diff --git a/host_vars/vm1/vpn.yml b/host_vars/vm1/vpn.yml deleted file mode 100644 index 349ec5a..0000000 --- a/host_vars/vm1/vpn.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -vpn_interfaces: - wg0: - ip: "{{ interfaces.wg0.ipv4 }}" - private_key: "{{ vpn_vault_vm1_key }}" - public_key: "uccS/p19vinH/S2GpVarDTYah4oRiSIABue8uEqKzRs=" - keepalive: true - peers: - - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}" - public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}" - allowed_ips: - - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}" - comment: "hindley" diff --git a/host_vars/vm2/ansible.yml b/host_vars/vm2/ansible.yml deleted file mode 100644 index da11026..0000000 --- a/host_vars/vm2/ansible.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -ansible_host: "vm2" diff --git a/host_vars/vm2/networking.yml b/host_vars/vm2/networking.yml deleted file mode 100644 index f05677f..0000000 --- a/host_vars/vm2/networking.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -interfaces: - enp0s3: - type: dhcp - wg0: - ipv4: "{{ intranet.subnets.test.subnets.vm2.ipv4 }}" - netmaskv4: "{{ intranet.netmaskv4 }}" - type: wireguard - -ipv4_forwarding: false -ipv6_forwarding: false diff --git a/host_vars/vm2/vpn.yml b/host_vars/vm2/vpn.yml deleted file mode 100644 index cce5491..0000000 
--- a/host_vars/vm2/vpn.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -vpn_interfaces: - wg0: - ip: "{{ interfaces.wg0.ipv4 }}" - private_key: "{{ vpn_vault_vm2_key }}" - public_key: "pxsYnL8N3VVVLlkXA8NOkqWsrSMrgdL1vj/VnZfKdRo=" - keepalive: true - peers: - - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}" - public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}" - allowed_ips: - - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}" - comment: "hindley" diff --git a/host_vars/vm3/ansible.yml b/host_vars/vm3/ansible.yml deleted file mode 100644 index bd11ecb..0000000 --- a/host_vars/vm3/ansible.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -ansible_host: "vm3" diff --git a/host_vars/vm3/networking.yml b/host_vars/vm3/networking.yml deleted file mode 100644 index 71acd30..0000000 --- a/host_vars/vm3/networking.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -interfaces: - enp0s3: - ipv4: 10.0.2.7 - netmaskv4: 24 - type: static - gateway: 10.0.2.1 - wg0: - ipv4: "{{ intranet.subnets.test.subnets.vm3.ipv4 }}" - netmaskv4: "{{ intranet.netmaskv4 }}" - type: wireguard - -ipv4_forwarding: false -ipv6_forwarding: false diff --git a/host_vars/vm3/vpn.yml b/host_vars/vm3/vpn.yml deleted file mode 100644 index f6cf0a9..0000000 --- a/host_vars/vm3/vpn.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -vpn_interfaces: - wg0: - ip: "{{ interfaces.wg0.ipv4 }}" - private_key: "{{ vpn_vault_vm3_key }}" - public_key: "Cj3HAjXXr9DcmJoOkQkHvLWujZm8h6tBt2d54g0pqEg=" - keepalive: true - peers: - - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}" - public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}" - allowed_ips: - - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}" - comment: "hindley" diff --git a/host_vars/vm4/ansible.yml b/host_vars/vm4/ansible.yml deleted file mode 100644 index 131eced..0000000 --- a/host_vars/vm4/ansible.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -ansible_host: "vm4" 
diff --git a/host_vars/vm4/networking.yml b/host_vars/vm4/networking.yml deleted file mode 100644 index 1e9e9b4..0000000 --- a/host_vars/vm4/networking.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -interfaces: - enp0s3: - ipv4: 10.0.2.8 - netmaskv4: 24 - type: static - gateway: 10.0.2.1 - wg0: - ipv4: "{{ intranet.subnets.test.subnets.vm4.ipv4 }}" - netmaskv4: "{{ intranet.netmaskv4 }}" - type: wireguard - -ipv4_forwarding: false -ipv6_forwarding: false diff --git a/host_vars/vm4/vpn.yml b/host_vars/vm4/vpn.yml deleted file mode 100644 index ccd2acb..0000000 --- a/host_vars/vm4/vpn.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -vpn_interfaces: - wg0: - ip: "{{ interfaces.wg0.ipv4 }}" - private_key: "{{ vpn_vault_vm4_key }}" - public_key: "5M84IO6uobYkMPupCI9h9y3iJXVIXAyDY8wkrMPcaRw=" - keepalive: true - peers: - - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}" - public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}" - allowed_ips: - - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}" - comment: "hindley" diff --git a/host_vars/vm5/ansible.yml b/host_vars/vm5/ansible.yml deleted file mode 100644 index 30c6274..0000000 --- a/host_vars/vm5/ansible.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -ansible_host: "vm5" diff --git a/host_vars/vm5/networking.yml b/host_vars/vm5/networking.yml deleted file mode 100644 index 5753321..0000000 --- a/host_vars/vm5/networking.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -interfaces: - enp0s3: - type: void - br0: - ipv4: 10.0.2.9 - netmaskv4: 24 - type: static - bridge: true - gateway: 10.0.2.1 - interfaces: - - enp0s3 - -ipv4_forwarding: false -ipv6_forwarding: false diff --git a/hosts b/hosts index f9973e1..2b5c2c9 100644 --- a/hosts +++ b/hosts @@ -4,17 +4,12 @@ all: ubuntu: hosts: hindley: - vm5: debian_buster: hosts: azerty: - vm1: - vm2: - vm3: debian_bullseye: hosts: matrix_server: - vm4: proxmox_buster: hosts: hellman: 
@@ -34,11 +29,6 @@ all: server_hostname: azerty.fil.sand.auro.re tests: hosts: - vm1: - vm2: - vm3: - vm4: - vm5: rossum: vpn: hosts: @@ -46,15 +36,11 @@ all: hindley: hellman: rossum: - vm1: - vm2: - vm3: - vm4: matrix_server: apt_proxies: hosts: hindley: - prometheus-server: + prometheus_server: hosts: hindley: matrix: diff --git a/roles/prometheus-node-exporter/handlers/main.yml b/roles/prometheus-node-exporter/handlers/main.yml new file mode 100644 index 0000000..f55aedb --- /dev/null +++ b/roles/prometheus-node-exporter/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart prometheus-node-exporter + systemd: + name: prometheus-node-exporter + state: restarted diff --git a/roles/prometheus-node-exporter/tasks/main.yml b/roles/prometheus-node-exporter/tasks/main.yml index a58aa28..0a1b4fd 100644 --- a/roles/prometheus-node-exporter/tasks/main.yml +++ b/roles/prometheus-node-exporter/tasks/main.yml @@ -14,4 +14,18 @@ # Create the file --web.config=/etc/node_exporter/config.yaml # and add --web.config=/etc/node_exporter/config.yaml to # the args in /etc/default/prometheus-node-exporter -# + +- name: Setup the arguments for node-exporter + template: + src: prometheus-node-exporter + dest: /etc/default/prometheus-node-exporter + owner: root + group: root + mode: '0644' + notify: Restart prometheus-node-exporter + vars: + args: + - name: web.listen-address + value: "{{ lan_address }}:9100" +# - name: web.config +# value: /etc/node_exporter/config.yaml diff --git a/roles/prometheus-node-exporter/templates/prometheus-node-exporter b/roles/prometheus-node-exporter/templates/prometheus-node-exporter new file mode 100644 index 0000000..a42b81f --- /dev/null +++ b/roles/prometheus-node-exporter/templates/prometheus-node-exporter 
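Review bot: With `web.config` still commented out under `args`, the exporter bound to the new `web.listen-address` remains plaintext and unauthenticated for every host on the LAN subnet, so restricting it to `lan_address` narrows exposure without completing what the comment above the task describes; a host firewall rule admitting TCP 9100 only from the `prometheus_server` host, or finishing the `web.config` setup, is the natural complement. `lan_address` is defined only in the five host_vars files this commit touches, so any other host applying the role fails at template time with an undefined-variable error; a role default or an explicit guard before the template task, e.g. `- assert: { that: lan_address is defined, fail_msg: "lan_address is required by prometheus-node-exporter" }`, makes that failure self-explanatory. `args` is also a task keyword and Ansible warns with "Found variable using reserved name" when a variable uses one, so a name such as `node_exporter_args` (with the matching rename in the template) avoids the warning.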
@@ -0,0 +1,138 @@
+{{ ansible_managed | comment }}
+
+# Set the command-line arguments to pass to the server.
+# Due to shell scaping, to pass backslashes for regexes, you need to double
+# them (\\d for \d). If running under systemd, you need to double them again
+# (\\\\d to mean \d), and escape newlines too.
+{% if not args %}
+ARGS=""
+{% else %}
+ARGS="\
+{% for arg in args %}
+ --{{ arg.name }}={{ arg.value }} \
+{% endfor %}
+"
+{% endif %}
+
+# Prometheus-node-exporter supports the following options:
+#
+# --collector.diskstats.ignored-devices="^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"
+# Regexp of devices to ignore for diskstats.
+# --collector.filesystem.ignored-mount-points="^/(dev|proc|run|sys|mnt|media|var/lib/docker)($|/)"
+# Regexp of mount points to ignore for filesystem
+# collector.
+# --collector.filesystem.ignored-fs-types="^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"
+# Regexp of filesystem types to ignore for
+# filesystem collector.
+# --collector.netdev.ignored-devices="^lo$"
+# Regexp of net devices to ignore for netdev
+# collector.
+# --collector.netstat.fields="^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*)|Tcp_(ActiveOpens|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$"
+# Regexp of fields to return for netstat
+# collector.
+# --collector.ntp.server="127.0.0.1"
+# NTP server to use for ntp collector
+# --collector.ntp.protocol-version=4
+# NTP protocol version
+# --collector.ntp.server-is-local
+# Certify that collector.ntp.server address is the
+# same local host as this collector.
+# --collector.ntp.ip-ttl=1 IP TTL to use while sending NTP query
+# --collector.ntp.max-distance=3.46608s
+# Max accumulated distance to the root
+# --collector.ntp.local-offset-tolerance=1ms
+# Offset between local clock and local ntpd time
+# to tolerate
+# --path.procfs="/proc" procfs mountpoint.
+# --path.sysfs="/sys" sysfs mountpoint.
+# --collector.qdisc.fixtures=""
+# test fixtures to use for qdisc collector
+# end-to-end testing
+# --collector.runit.servicedir="/etc/service"
+# Path to runit service directory.
+# --collector.supervisord.url="http://localhost:9001/RPC2"
+# XML RPC endpoint.
+# --collector.systemd.unit-whitelist=".+"
+# Regexp of systemd units to whitelist. Units must
+# both match whitelist and not match blacklist to
+# be included.
+# --collector.systemd.unit-blacklist=".+(\\.device|\\.scope|\\.slice|\\.target)"
+# Regexp of systemd units to blacklist. Units must
+# both match whitelist and not match blacklist to
+# be included.
+# --collector.systemd.private
+# Establish a private, direct connection to
+# systemd without dbus.
+# --collector.textfile.directory="/var/lib/prometheus/node-exporter"
+# Directory to read text files with metrics from.
+# --collector.vmstat.fields="^(oom_kill|pgpg|pswp|pg.*fault).*"
+# Regexp of fields to return for vmstat collector.
+# --collector.wifi.fixtures=""
+# test fixtures to use for wifi collector metrics
+# --collector.arp Enable the arp collector (default: enabled).
+# --collector.bcache Enable the bcache collector (default: enabled).
+# --collector.bonding Enable the bonding collector (default: enabled).
+# --collector.buddyinfo Enable the buddyinfo collector (default:
+# disabled).
+# --collector.conntrack Enable the conntrack collector (default:
+# enabled).
+# --collector.cpu Enable the cpu collector (default: enabled).
+# --collector.diskstats Enable the diskstats collector (default:
+# enabled).
+# --collector.drbd Enable the drbd collector (default: disabled).
+# --collector.edac Enable the edac collector (default: enabled).
+# --collector.entropy Enable the entropy collector (default: enabled).
+# --collector.filefd Enable the filefd collector (default: enabled).
+# --collector.filesystem Enable the filesystem collector (default:
+# enabled).
+# --collector.hwmon Enable the hwmon collector (default: enabled).
+# --collector.infiniband Enable the infiniband collector (default:
+# enabled).
+# --collector.interrupts Enable the interrupts collector (default:
+# disabled).
+# --collector.ipvs Enable the ipvs collector (default: enabled).
+# --collector.ksmd Enable the ksmd collector (default: disabled).
+# --collector.loadavg Enable the loadavg collector (default: enabled).
+# --collector.logind Enable the logind collector (default: disabled).
+# --collector.mdadm Enable the mdadm collector (default: enabled).
+# --collector.meminfo Enable the meminfo collector (default: enabled).
+# --collector.meminfo_numa Enable the meminfo_numa collector (default:
+# disabled).
+# --collector.mountstats Enable the mountstats collector (default:
+# disabled).
+# --collector.netdev Enable the netdev collector (default: enabled).
+# --collector.netstat Enable the netstat collector (default: enabled).
+# --collector.nfs Enable the nfs collector (default: enabled).
+# --collector.nfsd Enable the nfsd collector (default: enabled).
+# --collector.ntp Enable the ntp collector (default: disabled).
+# --collector.qdisc Enable the qdisc collector (default: disabled).
+# --collector.runit Enable the runit collector (default: disabled).
+# --collector.sockstat Enable the sockstat collector (default:
+# enabled).
+# --collector.stat Enable the stat collector (default: enabled).
+# --collector.supervisord Enable the supervisord collector (default:
+# disabled).
+# --collector.systemd Enable the systemd collector (default: enabled).
+# --collector.tcpstat Enable the tcpstat collector (default:
+# disabled).
+# --collector.textfile Enable the textfile collector (default:
+# enabled).
+# --collector.time Enable the time collector (default: enabled).
+# --collector.uname Enable the uname collector (default: enabled).
+# --collector.vmstat Enable the vmstat collector (default: enabled).
+# --collector.wifi Enable the wifi collector (default: enabled).
+# --collector.xfs Enable the xfs collector (default: enabled).
+# --collector.zfs Enable the zfs collector (default: enabled).
+# --collector.timex Enable the timex collector (default: enabled).
+# --web.listen-address=":9100"
+# Address on which to expose metrics and web
+# interface.
+# --web.telemetry-path="/metrics"
+# Path under which to expose metrics.
+# --log.level="info" Only log messages with the given severity or
+# above. Valid levels: [debug, info, warn, error,
+# fatal]
+# --log.format="logger:stderr"
+# Set the log target and format. Example:
+# "logger:syslog?appname=bob&local=7" or
+# "logger:stdout?json=true"
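Review bot: `{% if not args %}` on the template's seventh line only covers an empty list; when the role is applied without `args` set at all, Ansible's StrictUndefined-based undefined handling makes the test itself raise, so the `ARGS=""` fallback is never reached. `{% if not (args | default([])) %}` together with `{% for arg in args | default([]) %}` would let the template render on its own. `{{ arg.value }}` is inserted verbatim inside the double-quoted `ARGS` string, so a value containing a double quote ends the string early; that is harmless for the single listen address the role passes today, but a short Jinja comment above the loop, e.g. `{# arg.value is emitted unescaped inside a double-quoted string; keep values free of double quotes and backslashes #}`, records the constraint. The `ARGS` header text ("shell scaping") is copied from the stock Debian file and carries its typo along.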