Pains-Perdus/ansible
3
1
Fork 0
Code Issues Pull requests 1 Releases Wiki Activity

restrict the exporter to local ip

Browse source
This commit is contained in:
histausse 2021-09-06 00:24:56 +02:00
parent 037ef8db77
commit 24b9016dc2
Signed by: histausse
GPG key ID: 67486F107F62E9E9
24 changed files with 170 additions and 157 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
books/monitoring.yml
View file

@ -1,6 +1,6 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
- hosts: prometheus-server - hosts: prometheus_server
roles: roles:
- prometheus - prometheus

2
host_vars/azerty/networking.yml
View file

@ -12,3 +12,5 @@ interfaces:
ipv4_forwarding: false ipv4_forwarding: false
ipv6_forwarding: false ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.azerty.ipv4 }}"

2
host_vars/hellman/networking.yml
View file

@ -22,3 +22,5 @@ interfaces:
ipv4_forwarding: true ipv4_forwarding: true
ipv6_forwarding: false ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.hellman.ipv4 }}"

2
host_vars/hindley/networking.yml
View file

@ -10,3 +10,5 @@ interfaces:
ipv4_forwarding: true ipv4_forwarding: true
ipv6_forwarding: false ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.hindley.ipv4 }}"

2
host_vars/matrix_server/networking.yml
View file

@ -9,3 +9,5 @@ interfaces:
ipv4_forwarding: false ipv4_forwarding: false
ipv6_forwarding: false ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.matrix.ipv4 }}"

2
host_vars/rossum/networking.yml
View file

@ -12,3 +12,5 @@ interfaces:
ipv4_forwarding: false ipv4_forwarding: false
ipv6_forwarding: false ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}"

2
host_vars/vm1/ansible.yml
View file

@ -1,2 +0,0 @@
---
ansible_host: "vm1"

24
host_vars/vm1/networking.yml
View file

@ -1,24 +0,0 @@
---
interfaces:
enp0s3:
type: void
br0:
ipv4: 10.0.2.5
netmaskv4: 24
type: static
bridge: true
gateway: 10.0.2.1
interfaces:
- enp0s3
br1:
type: manual
bridge: true
interfaces:
- enp0s3.42
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm1.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false

13
host_vars/vm1/vpn.yml
View file

@ -1,13 +0,0 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm1_key }}"
public_key: "uccS/p19vinH/S2GpVarDTYah4oRiSIABue8uEqKzRs="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"

2
host_vars/vm2/ansible.yml
View file

@ -1,2 +0,0 @@
---
ansible_host: "vm2"

11
host_vars/vm2/networking.yml
View file

@ -1,11 +0,0 @@
---
interfaces:
enp0s3:
type: dhcp
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm2.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false

13
host_vars/vm2/vpn.yml
View file

@ -1,13 +0,0 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm2_key }}"
public_key: "pxsYnL8N3VVVLlkXA8NOkqWsrSMrgdL1vj/VnZfKdRo="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"

2
host_vars/vm3/ansible.yml
View file

@ -1,2 +0,0 @@
---
ansible_host: "vm3"

14
host_vars/vm3/networking.yml
View file

@ -1,14 +0,0 @@
---
interfaces:
enp0s3:
ipv4: 10.0.2.7
netmaskv4: 24
type: static
gateway: 10.0.2.1
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm3.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false

13
host_vars/vm3/vpn.yml
View file

@ -1,13 +0,0 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm3_key }}"
public_key: "Cj3HAjXXr9DcmJoOkQkHvLWujZm8h6tBt2d54g0pqEg="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"

2
host_vars/vm4/ansible.yml
View file

@ -1,2 +0,0 @@
---
ansible_host: "vm4"

14
host_vars/vm4/networking.yml
View file

@ -1,14 +0,0 @@
---
interfaces:
enp0s3:
ipv4: 10.0.2.8
netmaskv4: 24
type: static
gateway: 10.0.2.1
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm4.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false

13
host_vars/vm4/vpn.yml
View file

@ -1,13 +0,0 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm4_key }}"
public_key: "5M84IO6uobYkMPupCI9h9y3iJXVIXAyDY8wkrMPcaRw="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"

2
host_vars/vm5/ansible.yml
View file

@ -1,2 +0,0 @@
---
ansible_host: "vm5"

15
host_vars/vm5/networking.yml
View file

@ -1,15 +0,0 @@
---
interfaces:
enp0s3:
type: void
br0:
ipv4: 10.0.2.9
netmaskv4: 24
type: static
bridge: true
gateway: 10.0.2.1
interfaces:
- enp0s3
ipv4_forwarding: false
ipv6_forwarding: false

16
hosts
View file

@ -4,17 +4,12 @@ all:
ubuntu: ubuntu:
hosts: hosts:
hindley: hindley:
vm5:
debian_buster: debian_buster:
hosts: hosts:
azerty: azerty:
vm1:
vm2:
vm3:
debian_bullseye: debian_bullseye:
hosts: hosts:
matrix_server: matrix_server:
vm4:
proxmox_buster: proxmox_buster:
hosts: hosts:
hellman: hellman:
@ -34,11 +29,6 @@ all:
server_hostname: azerty.fil.sand.auro.re server_hostname: azerty.fil.sand.auro.re
tests: tests:
hosts: hosts:
vm1:
vm2:
vm3:
vm4:
vm5:
rossum: rossum:
vpn: vpn:
hosts: hosts:
@ -46,15 +36,11 @@ all:
hindley: hindley:
hellman: hellman:
rossum: rossum:
vm1:
vm2:
vm3:
vm4:
matrix_server: matrix_server:
apt_proxies: apt_proxies:
hosts: hosts:
hindley: hindley:
prometheus-server: prometheus_server:
hosts: hosts:
hindley: hindley:
matrix: matrix:

5
roles/prometheus-node-exporter/handlers/main.yml Normal file
View file

@ -0,0 +1,5 @@
---
- name: Restart prometheus-node-exporter
systemd:
name: prometheus-node-exporter
state: restarted

16
roles/prometheus-node-exporter/tasks/main.yml
View file

@ -14,4 +14,18 @@
# Create the file --web.config=/etc/node_exporter/config.yaml # Create the file --web.config=/etc/node_exporter/config.yaml
# and add --web.config=/etc/node_exporter/config.yaml to # and add --web.config=/etc/node_exporter/config.yaml to
# the args in /etc/default/prometheus-node-exporter # the args in /etc/default/prometheus-node-exporter
#
- name: Setup the arguments for node-exporter
template:
src: prometheus-node-exporter
dest: /etc/default/prometheus-node-exporter
owner: root
group: root
mode: '0644'
notify: Restart prometheus-node-exporter
vars:
args:
- name: web.listen-address
value: "{{ lan_address }}:9100"
# - name: web.config
# value: /etc/node_exporter/config.yaml

138
roles/prometheus-node-exporter/templates/prometheus-node-exporter Normal file
View file

@ -0,0 +1,138 @@
{{ ansible_managed | comment }}
# Set the command-line arguments to pass to the server.
# Due to shell scaping, to pass backslashes for regexes, you need to double
# them (\\d for \d). If running under systemd, you need to double them again
# (\\\\d to mean \d), and escape newlines too.
{% if not args %}
ARGS=""
{% else %}
ARGS="\
{% for arg in args %}
--{{ arg.name }}={{ arg.value }} \
{% endfor %}
"
{% endif %}
# Prometheus-node-exporter supports the following options:
#
# --collector.diskstats.ignored-devices="^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"
# Regexp of devices to ignore for diskstats.
# --collector.filesystem.ignored-mount-points="^/(dev|proc|run|sys|mnt|media|var/lib/docker)($|/)"
# Regexp of mount points to ignore for filesystem
# collector.
# --collector.filesystem.ignored-fs-types="^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"
# Regexp of filesystem types to ignore for
# filesystem collector.
# --collector.netdev.ignored-devices="^lo$"
# Regexp of net devices to ignore for netdev
# collector.
# --collector.netstat.fields="^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*)|Tcp_(ActiveOpens|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$"
# Regexp of fields to return for netstat
# collector.
# --collector.ntp.server="127.0.0.1"
# NTP server to use for ntp collector
# --collector.ntp.protocol-version=4
# NTP protocol version
# --collector.ntp.server-is-local
# Certify that collector.ntp.server address is the
# same local host as this collector.
# --collector.ntp.ip-ttl=1 IP TTL to use while sending NTP query
# --collector.ntp.max-distance=3.46608s
# Max accumulated distance to the root
# --collector.ntp.local-offset-tolerance=1ms
# Offset between local clock and local ntpd time
# to tolerate
# --path.procfs="/proc" procfs mountpoint.
# --path.sysfs="/sys" sysfs mountpoint.
# --collector.qdisc.fixtures=""
# test fixtures to use for qdisc collector
# end-to-end testing
# --collector.runit.servicedir="/etc/service"
# Path to runit service directory.
# --collector.supervisord.url="http://localhost:9001/RPC2"
# XML RPC endpoint.
# --collector.systemd.unit-whitelist=".+"
# Regexp of systemd units to whitelist. Units must
# both match whitelist and not match blacklist to
# be included.
# --collector.systemd.unit-blacklist=".+(\\.device|\\.scope|\\.slice|\\.target)"
# Regexp of systemd units to blacklist. Units must
# both match whitelist and not match blacklist to
# be included.
# --collector.systemd.private
# Establish a private, direct connection to
# systemd without dbus.
# --collector.textfile.directory="/var/lib/prometheus/node-exporter"
# Directory to read text files with metrics from.
# --collector.vmstat.fields="^(oom_kill|pgpg|pswp|pg.*fault).*"
# Regexp of fields to return for vmstat collector.
# --collector.wifi.fixtures=""
# test fixtures to use for wifi collector metrics
# --collector.arp Enable the arp collector (default: enabled).
# --collector.bcache Enable the bcache collector (default: enabled).
# --collector.bonding Enable the bonding collector (default: enabled).
# --collector.buddyinfo Enable the buddyinfo collector (default:
# disabled).
# --collector.conntrack Enable the conntrack collector (default:
# enabled).
# --collector.cpu Enable the cpu collector (default: enabled).
# --collector.diskstats Enable the diskstats collector (default:
# enabled).
# --collector.drbd Enable the drbd collector (default: disabled).
# --collector.edac Enable the edac collector (default: enabled).
# --collector.entropy Enable the entropy collector (default: enabled).
# --collector.filefd Enable the filefd collector (default: enabled).
# --collector.filesystem Enable the filesystem collector (default:
# enabled).
# --collector.hwmon Enable the hwmon collector (default: enabled).
# --collector.infiniband Enable the infiniband collector (default:
# enabled).
# --collector.interrupts Enable the interrupts collector (default:
# disabled).
# --collector.ipvs Enable the ipvs collector (default: enabled).
# --collector.ksmd Enable the ksmd collector (default: disabled).
# --collector.loadavg Enable the loadavg collector (default: enabled).
# --collector.logind Enable the logind collector (default: disabled).
# --collector.mdadm Enable the mdadm collector (default: enabled).
# --collector.meminfo Enable the meminfo collector (default: enabled).
# --collector.meminfo_numa Enable the meminfo_numa collector (default:
# disabled).
# --collector.mountstats Enable the mountstats collector (default:
# disabled).
# --collector.netdev Enable the netdev collector (default: enabled).
# --collector.netstat Enable the netstat collector (default: enabled).
# --collector.nfs Enable the nfs collector (default: enabled).
# --collector.nfsd Enable the nfsd collector (default: enabled).
# --collector.ntp Enable the ntp collector (default: disabled).
# --collector.qdisc Enable the qdisc collector (default: disabled).
# --collector.runit Enable the runit collector (default: disabled).
# --collector.sockstat Enable the sockstat collector (default:
# enabled).
# --collector.stat Enable the stat collector (default: enabled).
# --collector.supervisord Enable the supervisord collector (default:
# disabled).
# --collector.systemd Enable the systemd collector (default: enabled).
# --collector.tcpstat Enable the tcpstat collector (default:
# disabled).
# --collector.textfile Enable the textfile collector (default:
# enabled).
# --collector.time Enable the time collector (default: enabled).
# --collector.uname Enable the uname collector (default: enabled).
# --collector.vmstat Enable the vmstat collector (default: enabled).
# --collector.wifi Enable the wifi collector (default: enabled).
# --collector.xfs Enable the xfs collector (default: enabled).
# --collector.zfs Enable the zfs collector (default: enabled).
# --collector.timex Enable the timex collector (default: enabled).
# --web.listen-address=":9100"
# Address on which to expose metrics and web
# interface.
# --web.telemetry-path="/metrics"
# Path under which to expose metrics.
# --log.level="info" Only log messages with the given severity or
# above. Valid levels: [debug, info, warn, error,
# fatal]
# --log.format="logger:stderr"
# Set the log target and format. Example:
# "logger:syslog?appname=bob&local=7" or
# "logger:stdout?json=true"