Merge branch 'monitoring'
48ef4bd112
76 changed files with 3400 additions and 238 deletions
|
@ -9,6 +9,7 @@
|
|||
roles:
|
||||
- networking
|
||||
- base_config
|
||||
- prometheus-node-exporter
|
||||
|
||||
- hosts: all, !tests, !no_user,
|
||||
roles:
|
||||
|
|
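Review bot: `- prometheus-node-exporter` is appended to this play's roles while the new books/monitoring.yml also applies the same role to `all, !tests,`, so any host matched by both playbooks gets the exporter configured twice per deploy; keep it in one place, most naturally the monitoring playbook, or add a comment saying why both are needed. The play's host pattern `all, !tests, !no_user,` ends in a trailing comma that the pattern parser tolerates but that reads as an unfinished list; `- hosts: all, !tests, !no_user` is cleaner, and the same applies to `all, !tests,` in monitoring.yml. The file this hunk belongs to is not shown in this chunk.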
12
books/monitoring.yml
Normal file
12
books/monitoring.yml
Normal file
|
@ -0,0 +1,12 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
- hosts: prometheus_servers
|
||||
roles:
|
||||
- prometheus
|
||||
- prometheus-alert-manager
|
||||
- grafana
|
||||
- prometheus-blackbox-exporter
|
||||
|
||||
- hosts: all, !tests,
|
||||
roles:
|
||||
- prometheus-node-exporter
|
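Review bot: Neither play sets `become:`, so the prometheus, prometheus-alert-manager, grafana, prometheus-blackbox-exporter and prometheus-node-exporter roles can only install packages and write unit files if privilege escalation is configured in ansible.cfg, in the inventory, or inside each role — none of which is visible here, so it is worth confirming before the first run rather than discovering it on a fresh host. The `prometheus_servers` group this play targets should also be the group that `appointed_prometheus_server` (set to `hindley` later in this commit) points into; a one-line comment above the first play, `# prometheus_servers: hosts that scrape; every other host only runs node-exporter`, would make that relationship explicit.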
57
group_vars/all/ca.yml
Normal file
57
group_vars/all/ca.yml
Normal file
|
@ -0,0 +1,57 @@
|
|||
---
|
||||
ca_passphrase: "{{ vault_ca_passphrase }}"
|
||||
ca_key: "{{ vault_ca_key }}"
|
||||
ca_cert: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIFhzCCA2+gAwIBAgIUP+ptXLNUBVsZm5oYpynQd5mhB60wDQYJKoZIhvcNAQEL
|
||||
BQAwUzELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxFTATBgNVBAoM
|
||||
DFBhaW5zLVBlcmR1czEYMBYGA1UEAwwPQ0EgUGFpbnMtUGVyZHVzMB4XDTIxMDky
|
||||
MTE0NDUxNloXDTMxMDkxOTE0NDUxNlowUzELMAkGA1UEBhMCRlIxEzARBgNVBAgM
|
||||
ClNvbWUtU3RhdGUxFTATBgNVBAoMDFBhaW5zLVBlcmR1czEYMBYGA1UEAwwPQ0Eg
|
||||
UGFpbnMtUGVyZHVzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4jG+
|
||||
8N5YN91KghYjYTOBQ+lRYJ45X5S9mfcwwf8OIMGe+NyNkXx2GX4uYpZOitYOApI4
|
||||
rGnAjhll7tdZevzfdqpUDCYUDT6iR4BzL32k22mIN+iW6zQPaZetOU7VIA9V5TsM
|
||||
WbDsftqh6fj3N4SwVMpHiuiajMkX8CIELxoXDAJULvwyreWOONlwDMObtVCHBIhM
|
||||
uf1Jbx2DfRNS/w6lbHPCrZefMCea1FrSaotOANXxNgQfptX3fLZbhH5RiZQLDU8k
|
||||
ZChAUoW9hE4+uiSOUMd2hl9XgCWHcGEMcKyWG+/lx8UUw3Zl+oOrfb+IWo5IByVZ
|
||||
8nV5aiTMCuRlcTcMHUuedRaPcWfl5ZaEOVzhYXIYM4Oa8ShqXuWqW0WZ8oIhI2ya
|
||||
hTE03mIPV1nX3ucE9GsDZpnrj7t+qd8etiZXFGVihKEqVFfhzKRsPh4wgUKH/gwG
|
||||
AJshPA9NyJ0JpzUaWQ2acUjo3Hg9WPSTaMb46FS7hUdZUcZZiwSq9JjHDNAUKjNY
|
||||
zudKjTyqJXkqwhNvMfKWFIGYjldvZgQXzuT8XmSHYSKuLfH9Ko28FX0Aujye1TTH
|
||||
MPljXruyO04Q7NUg/jqtxdsWRpH/qCt12PmRuIiXsNCAeLjSuc75H+AOPbNudJLT
|
||||
w2AUTkfn3mw/XTwEBfemHAo6GAdtCDKo6GxBqvcCAwEAAaNTMFEwHQYDVR0OBBYE
|
||||
FIh4sxxlmesmbVKPWKo81BXMFVqVMB8GA1UdIwQYMBaAFIh4sxxlmesmbVKPWKo8
|
||||
1BXMFVqVMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAKipx6Nu
|
||||
QwnYmwYPd3kUVBOj9ia0PVeE4LoUSRapzRTF2HilSIo9Sa7qD1HVxbWrghUPLjW/
|
||||
Ru04k82hxvAm26gc1XeqIBzpgZmxwF0QibCeuj1vDXsndACXVHd6Atvnl0rW4bEI
|
||||
pVCqerXNu0T4STk2V/xNqndGMRp/vZX67BlyHAHD4el957R9RYlyxW6fADrHDKqk
|
||||
tC1eTeQtEi5W7v9X3dNGdtFS+exDrYpUTHPDwM81u25oCGUFGsH3RlG7LUEQ5mYW
|
||||
SsJ3EKpIkMxSZB3/GqttCIHi+yEMtwDDL3dN8UnVaTkRjVNQxraOUwe66QByGqnJ
|
||||
9YeQNpUfZxWFW/GW2fBAvD/RaLrLZ4ywhUze38ks4jsLnAIduawjQ8GlNg9i2MqD
|
||||
zvDat41LWSCDjRUOfCp7fc9lMlI5blTafozrAddMV8YUs3bQ6XD0H31pP59jb7nc
|
||||
5kmwqH6RivbFZZYBquQVujiiI7d+9m+X9OfTZJTCpRPCGYZcLuqH7txyPhixxrZd
|
||||
a8lWJ+5jHOdncV/ZWSB5JnjKbaMMEPcaTo3puEPt/yl74CR7UOJXr5oM0bVFKjas
|
||||
90hY5U+jPAcneCk2oc44R4NWuQ7qbsjPRfcxxi27DoLbhlmPp9jQwYQEqmdflcZ0
|
||||
zCTEq81KO2mAbJgTc/ahhcvAV/huJ5d8c9R1
|
||||
-----END CERTIFICATE-----
|
||||
crl_distribution_points:
|
||||
- full_name: "URI:https://ca.deso-palaiseau.fr/revocations.crl"
|
||||
reasons:
|
||||
- key_compromise
|
||||
- ca_compromise
|
||||
- affiliation_changed
|
||||
- superseded
|
||||
- cessation_of_operation
|
||||
- certificate_hold
|
||||
- privilege_withdrawn
|
||||
- aa_compromise
|
||||
- full_name: "URI:https://ca-pains-perdus.intra/revocations.crl"
|
||||
reasons:
|
||||
- key_compromise
|
||||
- ca_compromise
|
||||
- affiliation_changed
|
||||
- superseded
|
||||
- cessation_of_operation
|
||||
- certificate_hold
|
||||
- privilege_withdrawn
|
||||
- aa_compromise
|
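Review bot: `ca_key: "{{ vault_ca_key }}"` and `ca_passphrase: "{{ vault_ca_passphrase }}"` live in group_vars/all, so the CA private key and its passphrase are resolved into the variables of every host in the inventory, not only the host that signs certificates; anything that dumps hostvars (a `-vvv` run, a `debug: var=hostvars` task, fact caching) can then expose them from a host that has no business holding them. Keeping only `ca_cert` and `crl_distribution_points` here and moving the two secret keys into the host_vars of the CA host (or the signing role's own vars) limits where the key material is ever materialised. The same scoping question applies to `grafana_admin_password` and `kassandra_password` in the later `@ -2,3 +2,14 @@` hunk, if that file is also under group_vars/all. The two `reasons` lists under `crl_distribution_points` are identical; if the consuming role accepts it, define the list once (a `&crl_reasons` anchor or a single `crl_reasons:` variable) so the two distribution points cannot drift apart.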
9
group_vars/all/revers_proxy.yml
Normal file
9
group_vars/all/revers_proxy.yml
Normal file
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
|
||||
reverse_proxy_sites:
|
||||
- {from: wiki.pains-perdus.fr, to: "https://azerty.fil.sand.auro.re:2443"}
|
||||
- {from: hindley.pains-perdus.fr, to: "http://127.0.0.1:5000"}
|
||||
- {from: "{{ grafana_domain_name }}", to: "http://127.0.0.1:3000"}
|
||||
|
||||
sharing_sites:
|
||||
- {from: share.deso-palaiseau.fr, folder: "/home/histausse/www", user: histausse, group: histausse}
|
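Review bot: Every entry in `reverse_proxy_sites` and `sharing_sites` is a multi-key record written as a flow mapping (`- {from: …, to: …}`); block style with one key per line diffs cleanly when a single backend changes and keeps the long `sharing_sites` entry within line-length limits. The sharing site publishes `/home/histausse/www` with `user: histausse`, which means the web server needs traverse rights into a personal home directory; a dedicated document root owned by a service account (under /srv, for instance) keeps a misconfiguration or path-traversal bug from reaching the rest of the home directory. The new file is named `revers_proxy.yml`, missing an `e`; since it is introduced by this commit, renaming it to `reverse_proxy.yml` costs nothing now and saves a permanent typo.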
|
@ -2,3 +2,14 @@
|
|||
# Use python 3
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
dns_resolve_server: 1.1.1.1
|
||||
|
||||
# Default prometheus serveur, to overide in host_vars or something
|
||||
appointed_prometheus_server: hindley
|
||||
|
||||
grafana_admin_password: "{{ vault_grafana_admin_password }}"
|
||||
grafana_domain_name: monitoring.deso-palaiseau.fr
|
||||
|
||||
kassandra_username: cassandre
|
||||
kassandra_password: "{{ vault_kassandra_password }}"
|
||||
alert_rooms:
|
||||
- "#monitoring:pains-perdus.fr"
|
||||
|
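Review bot: The comment above `appointed_prometheus_server` has two typos and a vague tail ("or something"); `# Default prometheus server for this host's exporters; override in host_vars or group_vars` says the same thing precisely. `hindley` is a bare inventory hostname, so it needs to stay in step with the `prometheus_servers` group used by books/monitoring.yml — presumably the exporter roles use it to decide which scraper to allow, but that is not visible here and a short comment naming the consuming role would settle it. `alert_rooms` correctly quotes the Matrix room id, since an unquoted `#monitoring:…` would be parsed as a comment.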
|
|
@ -1,81 +1,272 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
38386365383032383336346430353334613639636464383235646565306161323463363466383934
|
||||
3636386138346634386634373266643937356339373734370a366435343137643330393939353664
|
||||
39386432396430306339326435323862373135323263663139373032646136333064373365313161
|
||||
6130343436313762620a633064326538393135626536343062383862366536646239656133366133
|
||||
38616531393837313365643734303062353030333763303132646231376363386239336631643231
|
||||
38303230643135653238333132633739363333656534643765623836333936363062613132316339
|
||||
31646365623030343433623264633665353432623839393638643039653561623361366630393631
|
||||
38333636316432323165316261323337306238633237653733376539323136663231376462623035
|
||||
30336463353738373061346431333435626362383134306661343562633437656462333430653663
|
||||
30396231336336353535373337343434366536333865623065653238333637383332613338613361
|
||||
61653566303962626534636530313238363662316163336532353738313962623835343032643930
|
||||
37333864366539363131333538643963353531663132353964306263316437323866666664633435
|
||||
39636663383831393534623639343839343931363834383839363837623636643838623536396563
|
||||
35396663326661386532303238353461636435366564366534393162663834363539363335393336
|
||||
62636465666665643165653130326437393162616433386637613430623466666364333334663132
|
||||
35356364646263653131363863303532633562306661636530313766636262386361623630326633
|
||||
62653866383864366666663963643138363264363965346538306135386633626439313961623735
|
||||
62363864373266333038333430613535633636343631316439353837376331666336326432663135
|
||||
33356630353862386166306536643538643163346532663439303764396565323661373136366133
|
||||
32373765376331323431386464396137666431613365363866323438663062386365326131616264
|
||||
39616632613565323238323133343061303433653539653833653264383165333364323239643466
|
||||
32613731393065323066396563363530393264323930653839396438356164356333333137656236
|
||||
31346133343336666337633637613064666533613631313335616637653735363462663864636330
|
||||
63646163383337323933323664303961346461613065356332383531333336326632316634656231
|
||||
64346565363636363066646533303238633465653830613264663963326630366564336330343236
|
||||
32623438306238396166666539363539646137643363666332366563663231326632363230666465
|
||||
36656662313335656462386463366432656230616232663637303235646664343066363563666261
|
||||
32393536666265663038353439623536633363386335326138383565643337353031356432396339
|
||||
31323464353338326237646263366262346265643363343761313436396332646237346339346333
|
||||
66323636336537303839653962306531643762366230303963636535633537613062366236613131
|
||||
39376162363134376135656463626366343537626438656362343838323435316266656637636161
|
||||
38623134386532383862303234666338306234646538623464613362623331396339613931653262
|
||||
62633364363230353666343562343661316431333664646161616632643736646664396532303633
|
||||
62336233316435626230386565383264313062646637313234626135626566343932343563653130
|
||||
38313137306331636436633536396539373032393135393336303731633030393139616136366536
|
||||
31633936613663303837306632643730613062663262616239343263636463386230313336363237
|
||||
31626531303639666464376335366135623063343266663265393635316338306633363561376234
|
||||
63653039313532376230626533353136666262663761376432633763636131653162386131366366
|
||||
36396534303230353133306331626539623832323462393237633233393865363864656531646632
|
||||
36613137366262393163386465656233373365636437616133393862663632636131393563613763
|
||||
62376133356430303838386634363963653865336138303831636164626538633066316637643732
|
||||
30363561393862623037616232653135663765336134383037346439373335393466646530616166
|
||||
33646462313463346535346236363830643130313632366162633866373362653162623035306366
|
||||
39623734306636356135393965646534313961306632623531303830343564393361343464653961
|
||||
31623562396435616466653232623163393161336434623631313233353736303834333935626138
|
||||
35613764633564313961316236623265353037636635656331363937356363323630646537393335
|
||||
36396632383865336639393033653738323739396236383535333332396361306131303864616130
|
||||
33613762643438393261353335383565316231623963386536653334666634623136343833613137
|
||||
37396261623035353038636337323536346334613837343935386132656338633335643265616138
|
||||
36663937376231333233646466633162346630653532336536373262313337373261656130643632
|
||||
66613534363130313230323665613163356366386664653436363132356664306231356135383266
|
||||
66376336323062323863616434323465356439343434646531373365313039303639343735323836
|
||||
35613234343563356162326466366638343439333464656434643332663432393730643130623032
|
||||
65663237333338323939616565333738306634383038643630376164306530623733623933333064
|
||||
62623131323736643832616334383338383634393664653338663436626434306631643966613031
|
||||
33616362313039666130613538306561343135626235343765396335396339373630373135313832
|
||||
38383062366262663832343563613334623336343639316435386664353636643162636634653535
|
||||
39623039643336393733626634363466353437353533373764313565653766663630386234626661
|
||||
61393161383565386131636563323038373236663861363339333361646464613836623139366435
|
||||
35363463623431343634653565363066623464653961313661343963363464386361306137393763
|
||||
64616135633935393566356561363038613134363964356136643734366232366166643564653264
|
||||
36613066366266646434323862643735643333613163666334363337643263626639623433663733
|
||||
39383562363531656433633033313961303837643765626530383665316433353634396463333662
|
||||
38353936633034636461303863356564653939393239316538663838643336346331363230616630
|
||||
62353237353733326132646138373737306135653634383032363433663063613430373935653131
|
||||
38646664393133363365303130623532373438313831643230396431363333386463643031653262
|
||||
64396261303235326530636565353764316236643466623666623165383536333565633064333262
|
||||
37316237643863626561613036303061346265613730626137316136623338626564666464333862
|
||||
35393831656533616365316334633538626166616263306636313231313234306532636633646665
|
||||
33336138333632396530333363613866376535316430656134613339626262666133666264376439
|
||||
64303964633165333161613663343438393539643839366331303563613436613730383837356165
|
||||
32363231653233346438313262393462313135636566343063626436326166373866356434656561
|
||||
65386562666331316232336463373336623733393161666430616165306238616531306266626363
|
||||
66636234333231666637616163353361306331393562393938353733303139393930633965373638
|
||||
36336266343231366662643134613662643037373638316362653030383866373636386339346466
|
||||
64396639353266316264653264343036616634343964646237363036313937323833633863316231
|
||||
35363964393863346132373830383032646536356261616265353439316637396563336536373363
|
||||
37313936393662353665653134613535393865333362636262656439326331336366303139653034
|
||||
35626566333965616162663465613335316462326130396330383236396133383039636335343565
|
||||
65386630653033376163
|
||||
66653939356531646231633866643664343439626466393835366664643239356166353639656466
|
||||
3731653736323063643664616534393834666637623438610a653265313233663738326166366234
|
||||
64393862363239636533343139663166643331363133343230633032656633663033313032353630
|
||||
3666666439346332350a323239376135383262376661366632363963303433666362316535323664
|
||||
31336635356137646565396131396461653630363362356638346266316231383036323632653366
|
||||
33323430663863346664653562326330376639623131323936386639303065313738356665613535
|
||||
64633663393963666363336265383661366264643931313939666561646134303130353034376530
|
||||
63383064373633326263383332303632316135353862333365326439636131366165663636626337
|
||||
63383566653331346536626138653733613666356162336163643566623737653337396436313134
|
||||
36343535363331366463306335386465643464336339663933323733396437663332303231363237
|
||||
39313663656136336466393737323965336430306437336530306361343631396132653230353137
|
||||
64316538373532333332643638613736393661336565346364313961613736383063316433623634
|
||||
62373137326336663236323463313462313739666162386333653235373763356335393039356638
|
||||
64646131313930313438613264303535633137663662613163653165393835303032366462326564
|
||||
33386134636231353762363563313137626134393563383838313834396235346364303731653136
|
||||
34363964386165323561633138306137613632616437643632656334653138373330346434386262
|
||||
65383662366135613939393266633062663665303935663634313735663361333862356565393265
|
||||
33373036623232663830623962363139626436616339393863326130333163353038373530643566
|
||||
33393733623635333931363932376663613364393832646231616133366264646230633033643062
|
||||
37336335383732613837303035376563653638306437393336383565623264316166653437386432
|
||||
61336433316531346636356262313534653037336139633839613163356365643466636662616462
|
||||
35323135636337353930636463613437326538303736643262663262633330396663303064313933
|
||||
32346437643938303265353363353735373862383761326333306138386266363566386336366436
|
||||
32386436323564323964346332313363373534626162613033363564646264376662323366353939
|
||||
64303663383031613634333333353563333761363134393637633031306561373339663031366466
|
||||
63396634396535366461396262663739383861656461383435323936636166623862663130356630
|
||||
33646365343564633662663438613338356131383638363930626338393739326336396361356232
|
||||
34366363646432316431656439656136633838663066626436383238323165393836386636373039
|
||||
64653930666334326237363261666364663531623535373265623638396334636439346465313238
|
||||
64356335313731353939313364363534393762616634326262653366303234633338626661663165
|
||||
36346430326431656639346161363861396438626661663930396334646339663333366535303438
|
||||
65346136396334376530366438613737386535353431396531316265393036623430383735623237
|
||||
64663634666564656633643462653962386332623539623933653966323066376536386463336361
|
||||
32353732663366643438343862613863373564383638336332353039643833653563396136626131
|
||||
63306635386163313131623738363533313131613537363735333337323334353462383039336433
|
||||
66636137356462383538303336363439313938666165366434333030396561613833613539383737
|
||||
33613332633763343865363034653730336364653461666331353837653637663139306366313663
|
||||
61633133633563353132643066366633626435303363616661353138343363363139386232386464
|
||||
33636432306366313234373861633762646661333836386462383761643865383231656664646265
|
||||
38653266613365366435643934623139336666343265363632386166336433626634656238366663
|
||||
32663664336162386336326566396336653831373364383033643331623834643838336635656438
|
||||
64393936366238616666333565353530643563656338323763336436636461353963343130666634
|
||||
65386430313463623539616537333134323134373836663036663830353435393365653136363566
|
||||
66356431663466666562653338623839363438396530653031373538663039353638623838633831
|
||||
64636534343263356166373561373864643736653530323530323833356539316232363564616135
|
||||
32643138313537356565306433326137623535373963353361393439383030646262393538626636
|
||||
37373336313132396465343561363635643633363638356365363935653931316263323261356531
|
||||
36636239323362663935356464663737386462306162373336333264333963653537353563383361
|
||||
34663030386331643361353033613564363236303364646430313866323836383238366535376230
|
||||
38616165626535343939323162303735656630666262336536626334313834333730626433643835
|
||||
39353963323364386430366339393162303031643865333839326533333961393036636365353637
|
||||
31353863633065306230353665623335353331366333323039646435613537336436373962626137
|
||||
39393461373938613432303565323763653130313334313637306534666235643337383333333837
|
||||
39353834373666646561626535386239303030633062633565356332653664343337636263363631
|
||||
32636264353165343637633436373564313065643236396631366334633365386234636261383066
|
||||
35373433353539626661336430663037303839353134613230633363373664363962316630386265
|
||||
35663535353466613265616637646130316531643461393965643232366432313561303238393432
|
||||
32353266336533633064363039343431333331646132363833303433363632613632646461666366
|
||||
31613764313237636236303432613864336532323537333062363066633463393666366331653936
|
||||
31653133313862356632383066353361636334303138666361333939646536333137343734343731
|
||||
31636130623666386236393462646236393933383235313036383932336665616430333330316634
|
||||
62623631373631383434333363376331643664336536636430393962626165646662636637313633
|
||||
37316166343834373865353730343733613736643038366233623661636237633136356338356564
|
||||
31363139666630656530616334386362393638343331396436633862393031343331613438373236
|
||||
66336338623264306237333334623063626431326366643835373832383165663864613530386639
|
||||
37303064643034376135303066396164623237623239663962636563353130626332316333396331
|
||||
36646238386634623761643135353132326438303566316232653630353332363262643964666561
|
||||
32363534653261396136643765613237633761353337376338666238663039656666386137633538
|
||||
39373662336231613364393238663566303662643333633532613866643036356163313033313933
|
||||
62346532393032323432316361633162373664393363306239366433333766396438633730353533
|
||||
39306338303238356638336636306565366339336630643934323665363261303930313435633735
|
||||
65363732623666306631613465633034393536326237346639356566643736303937333239626531
|
||||
62313061383266316361326339623436373262633238366234353461306432396133383330616432
|
||||
30666235646238663631326636396364313565393966373533323464356337326138363233346430
|
||||
61393438383737393839653039633762613137353932323730613537653939613861346636653738
|
||||
39336331333237613838656531363766343235383938353165653662653439643861323436393833
|
||||
65303565356330633764663633613231336166323134653937636133343031343938366639656161
|
||||
38666136633564646131333038326237393861326564623338333438313063303661303132323938
|
||||
37303162316236666162396363626133306365666533306639383139336330616130313635353034
|
||||
65623934323930383763383466323338373561643538343564303331653961653230643863323937
|
||||
35306636376530356631303362396439643963363937633266313935343262396565383163353630
|
||||
32396132316239366231303532306436623330643732393737343636646234656662646366376265
|
||||
36343034396562633634633663623133396636643634663932393739306435653034333164656336
|
||||
62373633333938356261663261356161663937366239356464383335613431396339333761323062
|
||||
32616333656533653939336338393431366439346433396232373934353235653730616230633762
|
||||
35656533326163316132373038306239663966366465393231646331646333383932336461306438
|
||||
65636434333433366637663139656630363464663564303166393931363032323633336661326164
|
||||
36633132363161616466333134343730636166653962623632366535663366653139343230363363
|
||||
66373432343961393437663466363063333561353637316438653961383966623134336537376130
|
||||
61353031386435336236346564643064613433666137633437376362626661653733343734346438
|
||||
35646332643462643631323835376231656464626536393562616466636363386339336564613539
|
||||
33316637313862356131633636626238633961363065323964353634633462663132653864373365
|
||||
61306163396532656636346532326131633134346139323566326361323664376633636339643539
|
||||
64323939336264346638653365663162356365653536333738383064326463313662356266373239
|
||||
39613439313866333735366639306166336261643938313133633633303432396662373862653736
|
||||
62313438633063343938313965616337363961303730386432333862383265653061333832306565
|
||||
66373663643435613639623735373066616236353739333538616535616435643964653936356431
|
||||
30363364323434376365393639643731663866396163636665626537343433663863363130303866
|
||||
38356565613334613931343431663862346263643330646263613166636561303038376238656430
|
||||
66316330326662616634396561366563316632663166383564343935633532633034333138653665
|
||||
37613964616162373262383338613434663166613862653963636135616265613634323438613463
|
||||
61393730396164643730393636646630386561303534363731623433363631666561313065373163
|
||||
63663164383335613565666262383162363732616534363637323566353064343162383231303064
|
||||
35373765376533383339353339636432633562333730386463633534353639656634636438303163
|
||||
36653061303036653535643933663131616166666631393836383531643165363265626562623533
|
||||
65363739663461356565313136663763333630643035383132323335333931333661376166326531
|
||||
34316166623630386365386632373433383735313563643463333662366335616237303633653763
|
||||
39633465353166313930353731376639336634633463346334643330646430313039613461333766
|
||||
65633965613962376637353131373966383034333536616361326364633532353138326535663866
|
||||
31336664333936393834346138653531313862323938373736383162386633383061373561306338
|
||||
39626634653338356330373338376332623638336537373932653539353734636336616232306132
|
||||
33323338653265666262383039393935616366623661653530623662373637356339653565323962
|
||||
63626461396264356564363238663331653662613337343236333763363461623865636564373037
|
||||
62376633616131313439343866336363653135363035386534386665323433653366653630646138
|
||||
30666330363835303664336162343432653235386631616433613262646336626331336532393438
|
||||
63313737353531316261353437663163383964663561313235393338306362376137383330656162
|
||||
32373363643466336231633136323264383934666634363933393137323032366564313137356262
|
||||
62333533363638616639633863663931376364373061323732343934643337383239303631626537
|
||||
37393032656231303366396233396162626236663230383966306361633233633430623135376132
|
||||
66393765363931386662326236393865353161633036666465653236393366363534343764316565
|
||||
66646166656437373231623133303662393461323830363261373566646163626334306265356436
|
||||
64353930303966303364396166663535336265383536373139396137396130333138393561616632
|
||||
36393732326136396534366630353731653331636333663965323433643931653033383039363638
|
||||
66373161326430363831343238656632626564306338636361363530663463363232373139366537
|
||||
37393162666464353662383564383665343334363463626231316535353738373333313738316138
|
||||
66383537663363633161346630323330653933356565616639353536386136666265383432646233
|
||||
65303163393635616539323762633962633165323661663561313061616239373834633937623064
|
||||
37373864303336323437303563656163303137656230336562336431623665323731326565626238
|
||||
64656232663363663065636239313030656132396333623332333637303537653534356662353838
|
||||
34303364636537623735656537613735393334616661373532363935363534356466663134613138
|
||||
38373437646135356165333336636639313134636136313637333364396335636335313361353265
|
||||
32396236643133396663383165653131316339616330373034393331373831626339313466363132
|
||||
34386266363637363562663764393133653732623039663034393539363061633237363737613336
|
||||
61323538633263666431346532346564353235643037383535373366613831373066636138626366
|
||||
36356563663339646534353962376436613566666165346135333264373334626530616332333961
|
||||
34386536666338306632306362343435346666303737613238373863366331646438386538373861
|
||||
63626361623932326334626630663336323439643666623332613262346535663462643834353231
|
||||
38303766366461323532356139306264326264343536386535303331376262376431666538626464
|
||||
61666235643939643334646463623337316565346263613862616263333335613736303366613430
|
||||
38303461366438363534633036373264303633613964363561346336653136353132666663376363
|
||||
38633235316666356464636538636337323432643037613762303735333836643861363464366337
|
||||
33366138396262623530663138353963306164306163303663623438353130646566656332373938
|
||||
61336337316334303135646461373463643365623235343834636164396366636639633933366561
|
||||
31386533336261326439386661326462353831393733643065316266376230383839333733396233
|
||||
63393935306331376336393937616336326263643631353764386164363639626334663032613133
|
||||
33633436376534373138316466353838663835336634306538313334643036333537653864323162
|
||||
39663565376331346532656130306632393638663139626334323261643733376636623961323533
|
||||
32653066326235346130333732396231346136336134383863383864613830313031646664386234
|
||||
30656333303234663630633237633161393966623562633964393161336335616362323535656136
|
||||
38666162306162366461303663346562306638353334383630306231346234396566343162323135
|
||||
35376136346138626130323765626464613537623530616235353537373932626535316566363332
|
||||
38336533333162643666376232646330613166633535383961666264373530313563386535353434
|
||||
38333062376634323933336239656138393961633863633537396364333039333262616166613832
|
||||
30373632333062663730343731663162376238313930376631643163353063663838326434633435
|
||||
65323465343839616166386435636233306136306563666535633164633430386332323266323038
|
||||
63653061396662336362646331353062326261376161363662346639373965356266333239613137
|
||||
35393665636238663262646130356664343033633363303536663538306139336139383864636236
|
||||
38313834393733316636313862383930343839653662623335393637396363333434646262383465
|
||||
38313231353862373935316236383135396639643761623035313834353730396330613237316465
|
||||
66646131326462383662303563646366333630343934376339323936363966393939623031343833
|
||||
63366333623332623666643932343739363735326361636536656164303365363163633934633730
|
||||
31306264656535396665386133353366653064363036656135663135373931636566646638356662
|
||||
39393433363633613437346637383837663864643734643332393833363830616536623933623239
|
||||
35366530636235643333336261633661636330633535393030313134633834633261363635376234
|
||||
63643139306632613330346264656434326238383061633837653064663334323762613636353339
|
||||
38363861356131376230613032353738356134316261613030353932303635383564333664386338
|
||||
63363033613232386431633531356532653035343466616664626363643734306233393566356663
|
||||
31643039336332636461366266343865383666356166333566386531626134373038663362306533
|
||||
34306534623166393561633266333366653261653365326337613436633137373234366234326564
|
||||
30316231636339366434396131623064353961336666626563613234303034376537646130323637
|
||||
33386532393339646437366337626463393066653831646337346463356437386333656464393233
|
||||
64333036663330373662646534653239303831323536346138393939383861303331336630353738
|
||||
33383838663939393038386438636135396361316438363234313864343731616363336533393738
|
||||
65343166343335623665653936396362363861636231643432313962333034383337656634666633
|
||||
61333161643464323562343539633130373065666363393337636664376662313834656232616164
|
||||
37613062346439326665633236323661646331336333313034306133353732336163656339373335
|
||||
65303662633039316439343363306637303530323235663261386162363930623233616639333264
|
||||
62303965636463303166323461376531393031343464663562353537613034613033346336393638
|
||||
63373165663931346566626437393166626539393866646535393330323335333737353633633764
|
||||
36643132336430303264633032316634663531666165613037313264303962663337653233346561
|
||||
63646162343930356464623431333031613464323333323162323265633637313538363963633338
|
||||
64393566643131666333333263626435613465303862663166303034313430616165656666646432
|
||||
63363634366434666461613337353765663466396330613230663737613030323531663432363465
|
||||
61623661666664366664303434373362303431623234393862633639336332316333303664323937
|
||||
31653462326432633966353138626333306136623735633932323666656632383034633662333635
|
||||
36303437343361343437643963663536646636626232633063636332353037396264366361336631
|
||||
39353638643930326166393666663262336232663661383862363731393733336665326637653434
|
||||
38343362386430363666666239623333623339623862613630663762353835303837663061303432
|
||||
39366138383263653338393131393532663965666164353963373461373263616565373166303530
|
||||
64306333343764363264363934393739316133313536353065326632316365396132326235626232
|
||||
37353562363139386633656437623165623530636138313139643764613230633133386666366437
|
||||
62333634356362343633643235643537383837343731303036396566396238623939643466373630
|
||||
64633161636638393732656534346139343230313132613737313565393665613265353562313037
|
||||
62313362363362623934663564626265363463396366336633313839643134653962656332653639
|
||||
36353238353264326139386438363438363066396537633963343839616462373838393232333932
|
||||
63353566663363373636336665393763323237383337343137623063653265393264396361383166
|
||||
34666332616164633639626537393234316530626461653161393036386161396666386538316366
|
||||
39393762626663373430646666653233376134343838313034313136303837333233353761353530
|
||||
31623364333033643035363735396562623965636437613661663736376665393037363966633430
|
||||
31376334333139613466613238303938663337313239643066353532383132336539353861396538
|
||||
33333664393764666635326461383737653661643731323935353531653735613263383435366533
|
||||
61333436386335383634376366666233633833643738646436373664306338643366643035613138
|
||||
66643661336633666333366438303136316332616638336261353162383266623933316631396232
|
||||
35306437643133346538323364616638636464613536323334646637333061343332376433346634
|
||||
31356333633832636437316466343034633266613263336132383336326532363137303861656138
|
||||
35356635343232313631613638366164303164623530663862653138633065306163343132626430
|
||||
31633739653666646564323365663961396562333336366130636530393463383461623934343164
|
||||
36316264363065343563636331373635343638373864646465306566646234643732306530353636
|
||||
38316437393264643533623338656663343633646265613531623933666432663334646136356265
|
||||
32326530343938653761333734323563643532363330326531313335323764653239626137613164
|
||||
61306437663537303561393039623330626530393363653165366236343737653137616539646332
|
||||
32656363383631393438336434323032343632393736376132656439663962323232336630623466
|
||||
64373939323832373934373531363838333565396236383661633134303338373030313436303130
|
||||
37663438336262346164633632653739613766343938303138653330656431396336376461633339
|
||||
66396565646661346461643035646432643432343435333861366531316265306530653034386265
|
||||
39303239366633613431333863663034633864373439646236633434333738383662643063373835
|
||||
31626134323462353965653131656336316265376364636533333631373966306631613566663133
|
||||
30616162636138303139306436653834366233616631303037393538633735323133346562383736
|
||||
66306265346266393566613137326132366132366463353330306539653732393963366165353139
|
||||
66643663643339666137343930633637396263346264643561383162666461346431346532353733
|
||||
38303863303537646130363066303439623664316666373039613639653133666635356165303831
|
||||
66653238643265386161393062393763383263656161666162633833336166333538386566323732
|
||||
63303962313365363939323630386532373938313630633532613331306164356338633137346262
|
||||
37376665373131316338383265363335646463663534623334303839383965376362643061376133
|
||||
36323830323938636636356561616238636134616263323633626662396239373531646363336566
|
||||
65383938656530396361663631613532316262396562323034663763653230646336633263336538
|
||||
34333866306564313562303930616330653638313031656138343565653161323931356561633264
|
||||
33313066643461343636623235376636646537663263313234356133376532663439386364326264
|
||||
30356238613761363638376431623431366131373230373239643066343035356462326533613533
|
||||
64623438363138636435333963376366656232313435373131313235636265323062333562323436
|
||||
66313532616131623836373134363033646238313861616334313033326330616631633439613332
|
||||
32393134643464363337653138336332353531316261316562393532346365666261346534653037
|
||||
33363363393563636638343265393135663838393263623364366561623934316439306663396665
|
||||
34323838366463653032303337323434643461323732623464373564613365663037383834353266
|
||||
66376537623464653433393638623337353233363932656637363661323862663930633931626138
|
||||
32613436303533353261666131636231353835666138663235386430323161623565333934383364
|
||||
65393730636438306132663464313331663966346330346437383231646439366631323865376530
|
||||
37343534616239373739353930313331303537303131653433393338396136313161306432303937
|
||||
31333535623562656662613762626365306632626461333835346431343766393135653536356536
|
||||
34653137303162656164373738373264613536663831363662373964306231343239656533353832
|
||||
32643232333339316539323132663239613731393939316466653464373835303632313436323163
|
||||
61383338333739363730633162373530626563393938323131323538326430323431623931393030
|
||||
63353264626465323061663531656131633834353233643962666333383530376233636166636666
|
||||
30393534613466623031346236643333316336333633646630643164653834353536333461353537
|
||||
62613038323730363638616437393536636333323237626633343165386230393064666638396332
|
||||
62653736353238653235356462656266616635613861623762336139656139363966386237393538
|
||||
62616661613537633232636134373763376465386361313266663133643364356231636232386261
|
||||
38653935663231323833626635663730623438306134636363633062373738396334393435373632
|
||||
39343862646464633934643735363332353064396464663761393836353137313536383930653765
|
||||
64643766616139306335313965376434643637613836373663663131663065663961376661363239
|
||||
39373563313737396131323465333462346138316131303663336638303838346565633136343964
|
||||
63633161326361303232613163316434343565623863363662623765376365663337653239376263
|
||||
61336566336239643033666566316232623966643662386233396438343366303838363661653364
|
||||
64323065396531363363393433316538386366623839626639373266393432313730646261333830
|
||||
38383964633036333139383131326361353461346337353436333730656161326361306330373636
|
||||
31303438356633363332633839616237383334396137623263363030373361623032663363656330
|
||||
31653464353737336333356635326366316533663839366636393263343963356530663135366435
|
||||
66656365396565306635656663666434646632353035653138616161383434316232386333623162
|
||||
30363964666239373361656437363263646239366362316331313234623562363434613137326536
|
||||
30356436356436333263656338303566356133383034353161383663356236353361623539653466
|
||||
63663033393733366630356432613238633936306537333136366430303033336532306239336133
|
||||
35343432633663396165663466626263316434646265363363316436636433656165333839356433
|
||||
33313838313833333565653233623732316161316566343135323065313166376466613264616163
|
||||
61383062346235643033363866643838626537363534383162353435343835643563316535663533
|
||||
33623630383835353339656430633135393364346432663662663934393534366534326137666236
|
||||
62356136346333653538626433333139353566313831643063626165343437333265633537313261
|
||||
39613933653362353731353261373230313432303536316664636663396238643665633937623837
|
||||
38373761663538653232646365333331396565343831343534383230323032373166663033333837
|
||||
36353163353732313735663065663531646366326332663831623039366566386237333134616638
|
||||
32323639326431303335396265333539643935613062326438343834376365313565666262623465
|
||||
363230303264613965363966303463356363
|
||||
|
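Review bot: The vault file is re-encrypted as a whole, so this 272-line hunk gives a reviewer no way to see which `vault_*` values were added for the CA key, grafana and kassandra, or whether an existing secret was silently changed. Encrypting values individually with `ansible-vault encrypt_string` and keeping them as `!vault |` scalars in a plain YAML file makes each secret's addition one reviewable entry while the ciphertext stays opaque. If the whole-file vault is kept, listing the variable names added in the commit message serves the same purpose.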
|
|
@ -12,3 +12,5 @@ interfaces:
|
|||
|
||||
ipv4_forwarding: false
|
||||
ipv6_forwarding: false
|
||||
|
||||
lan_address: "{{ intranet.subnets.physical.subnets.azerty.ipv4 }}"
|
||||
|
|
|
@ -22,3 +22,5 @@ interfaces:
|
|||
|
||||
ipv4_forwarding: true
|
||||
ipv6_forwarding: false
|
||||
|
||||
lan_address: "{{ intranet.subnets.physical.subnets.hellman.ipv4 }}"
|
||||
|
|
|
@ -10,3 +10,5 @@ interfaces:
|
|||
|
||||
ipv4_forwarding: true
|
||||
ipv6_forwarding: false
|
||||
|
||||
lan_address: "{{ intranet.subnets.physical.subnets.hindley.ipv4 }}"
|
||||
|
|
|
@ -9,3 +9,5 @@ interfaces:
|
|||
|
||||
ipv4_forwarding: false
|
||||
ipv6_forwarding: false
|
||||
|
||||
lan_address: "{{ intranet.subnets.physical.subnets.matrix.ipv4 }}"
|
||||
|
|
|
@ -1,10 +1,7 @@
|
|||
---
|
||||
interfaces:
|
||||
eth0:
|
||||
ipv4: 192.168.0.50
|
||||
netmaskv4: 24
|
||||
type: static
|
||||
gateway: 192.168.0.1
|
||||
type: dhcp
|
||||
wg0:
|
||||
ipv4: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}"
|
||||
netmaskv4: "{{ intranet.netmaskv4 }}"
|
||||
|
@ -12,3 +9,5 @@ interfaces:
|
|||
|
||||
ipv4_forwarding: false
|
||||
ipv6_forwarding: false
|
||||
|
||||
lan_address: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}"
|
||||
|
|
|
@ -1,2 +0,0 @@
|
|||
---
|
||||
ansible_host: "vm1"
|
|
@ -1,24 +0,0 @@
|
|||
---
|
||||
interfaces:
|
||||
enp0s3:
|
||||
type: void
|
||||
br0:
|
||||
ipv4: 10.0.2.5
|
||||
netmaskv4: 24
|
||||
type: static
|
||||
bridge: true
|
||||
gateway: 10.0.2.1
|
||||
interfaces:
|
||||
- enp0s3
|
||||
br1:
|
||||
type: manual
|
||||
bridge: true
|
||||
interfaces:
|
||||
- enp0s3.42
|
||||
wg0:
|
||||
ipv4: "{{ intranet.subnets.test.subnets.vm1.ipv4 }}"
|
||||
netmaskv4: "{{ intranet.netmaskv4 }}"
|
||||
type: wireguard
|
||||
|
||||
ipv4_forwarding: false
|
||||
ipv6_forwarding: false
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
vpn_interfaces:
|
||||
wg0:
|
||||
ip: "{{ interfaces.wg0.ipv4 }}"
|
||||
private_key: "{{ vpn_vault_vm1_key }}"
|
||||
public_key: "uccS/p19vinH/S2GpVarDTYah4oRiSIABue8uEqKzRs="
|
||||
keepalive: true
|
||||
peers:
|
||||
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
|
||||
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
|
||||
allowed_ips:
|
||||
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
|
||||
comment: "hindley"
|
|
@ -1,2 +0,0 @@
|
|||
---
|
||||
ansible_host: "vm2"
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
interfaces:
|
||||
enp0s3:
|
||||
type: dhcp
|
||||
wg0:
|
||||
ipv4: "{{ intranet.subnets.test.subnets.vm2.ipv4 }}"
|
||||
netmaskv4: "{{ intranet.netmaskv4 }}"
|
||||
type: wireguard
|
||||
|
||||
ipv4_forwarding: false
|
||||
ipv6_forwarding: false
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
vpn_interfaces:
|
||||
wg0:
|
||||
ip: "{{ interfaces.wg0.ipv4 }}"
|
||||
private_key: "{{ vpn_vault_vm2_key }}"
|
||||
public_key: "pxsYnL8N3VVVLlkXA8NOkqWsrSMrgdL1vj/VnZfKdRo="
|
||||
keepalive: true
|
||||
peers:
|
||||
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
|
||||
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
|
||||
allowed_ips:
|
||||
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
|
||||
comment: "hindley"
|
|
@ -1,2 +0,0 @@
|
|||
---
|
||||
ansible_host: "vm3"
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
interfaces:
|
||||
enp0s3:
|
||||
ipv4: 10.0.2.7
|
||||
netmaskv4: 24
|
||||
type: static
|
||||
gateway: 10.0.2.1
|
||||
wg0:
|
||||
ipv4: "{{ intranet.subnets.test.subnets.vm3.ipv4 }}"
|
||||
netmaskv4: "{{ intranet.netmaskv4 }}"
|
||||
type: wireguard
|
||||
|
||||
ipv4_forwarding: false
|
||||
ipv6_forwarding: false
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
vpn_interfaces:
|
||||
wg0:
|
||||
ip: "{{ interfaces.wg0.ipv4 }}"
|
||||
private_key: "{{ vpn_vault_vm3_key }}"
|
||||
public_key: "Cj3HAjXXr9DcmJoOkQkHvLWujZm8h6tBt2d54g0pqEg="
|
||||
keepalive: true
|
||||
peers:
|
||||
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
|
||||
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
|
||||
allowed_ips:
|
||||
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
|
||||
comment: "hindley"
|
|
@ -1,2 +0,0 @@
|
|||
---
|
||||
ansible_host: "vm4"
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
interfaces:
|
||||
enp0s3:
|
||||
ipv4: 10.0.2.8
|
||||
netmaskv4: 24
|
||||
type: static
|
||||
gateway: 10.0.2.1
|
||||
wg0:
|
||||
ipv4: "{{ intranet.subnets.test.subnets.vm4.ipv4 }}"
|
||||
netmaskv4: "{{ intranet.netmaskv4 }}"
|
||||
type: wireguard
|
||||
|
||||
ipv4_forwarding: false
|
||||
ipv6_forwarding: false
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
vpn_interfaces:
|
||||
wg0:
|
||||
ip: "{{ interfaces.wg0.ipv4 }}"
|
||||
private_key: "{{ vpn_vault_vm4_key }}"
|
||||
public_key: "5M84IO6uobYkMPupCI9h9y3iJXVIXAyDY8wkrMPcaRw="
|
||||
keepalive: true
|
||||
peers:
|
||||
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
|
||||
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
|
||||
allowed_ips:
|
||||
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
|
||||
comment: "hindley"
|
|
@ -1,2 +0,0 @@
|
|||
---
|
||||
ansible_host: "vm5"
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
interfaces:
|
||||
enp0s3:
|
||||
type: void
|
||||
br0:
|
||||
ipv4: 10.0.2.9
|
||||
netmaskv4: 24
|
||||
type: static
|
||||
bridge: true
|
||||
gateway: 10.0.2.1
|
||||
interfaces:
|
||||
- enp0s3
|
||||
|
||||
ipv4_forwarding: false
|
||||
ipv6_forwarding: false
|
19
hosts
|
@ -4,17 +4,12 @@ all:
|
|||
ubuntu:
|
||||
hosts:
|
||||
hindley:
|
||||
vm5:
|
||||
debian_buster:
|
||||
hosts:
|
||||
azerty:
|
||||
vm1:
|
||||
vm2:
|
||||
vm3:
|
||||
debian_bullseye:
|
||||
hosts:
|
||||
matrix_server:
|
||||
vm4:
|
||||
proxmox_buster:
|
||||
hosts:
|
||||
hellman:
|
||||
|
@ -34,26 +29,22 @@ all:
|
|||
server_hostname: azerty.fil.sand.auro.re
|
||||
tests:
|
||||
hosts:
|
||||
vm1:
|
||||
vm2:
|
||||
vm3:
|
||||
vm4:
|
||||
vm5:
|
||||
rossum:
|
||||
azerty:
|
||||
hellman:
|
||||
vpn:
|
||||
hosts:
|
||||
azerty:
|
||||
hindley:
|
||||
hellman:
|
||||
rossum:
|
||||
vm1:
|
||||
vm2:
|
||||
vm3:
|
||||
vm4:
|
||||
matrix_server:
|
||||
apt_proxies:
|
||||
hosts:
|
||||
hindley:
|
||||
prometheus_servers:
|
||||
hosts:
|
||||
hindley:
|
||||
matrix:
|
||||
hosts:
|
||||
matrix_server:
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
- unzip
|
||||
- tcpdump
|
||||
- net-tools
|
||||
- acl
|
||||
state: latest
|
||||
update_cache: true
|
||||
register: apt_result
|
||||
|
|
167
roles/generate-cert/LICENSE
Normal file
|
@ -0,0 +1,167 @@
|
|||
GNU LESSER GENERAL PUBLIC LICENSE
|
||||
Version 3, 29 June 2007
|
||||
|
||||
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
|
||||
This version of the GNU Lesser General Public License incorporates
|
||||
the terms and conditions of version 3 of the GNU General Public
|
||||
License, supplemented by the additional permissions listed below.
|
||||
|
||||
0. Additional Definitions.
|
||||
|
||||
As used herein, "this License" refers to version 3 of the GNU Lesser
|
||||
General Public License, and the "GNU GPL" refers to version 3 of the GNU
|
||||
General Public License.
|
||||
|
||||
"The Library" refers to a covered work governed by this License,
|
||||
other than an Application or a Combined Work as defined below.
|
||||
|
||||
An "Application" is any work that makes use of an interface provided
|
||||
by the Library, but which is not otherwise based on the Library.
|
||||
Defining a subclass of a class defined by the Library is deemed a mode
|
||||
of using an interface provided by the Library.
|
||||
|
||||
A "Combined Work" is a work produced by combining or linking an
|
||||
Application with the Library. The particular version of the Library
|
||||
with which the Combined Work was made is also called the "Linked
|
||||
Version".
|
||||
|
||||
The "Minimal Corresponding Source" for a Combined Work means the
|
||||
Corresponding Source for the Combined Work, excluding any source code
|
||||
for portions of the Combined Work that, considered in isolation, are
|
||||
based on the Application, and not on the Linked Version.
|
||||
|
||||
The "Corresponding Application Code" for a Combined Work means the
|
||||
object code and/or source code for the Application, including any data
|
||||
and utility programs needed for reproducing the Combined Work from the
|
||||
Application, but excluding the System Libraries of the Combined Work.
|
||||
|
||||
1. Exception to Section 3 of the GNU GPL.
|
||||
|
||||
You may convey a covered work under sections 3 and 4 of this License
|
||||
without being bound by section 3 of the GNU GPL.
|
||||
|
||||
2. Conveying Modified Versions.
|
||||
|
||||
If you modify a copy of the Library, and, in your modifications, a
|
||||
facility refers to a function or data to be supplied by an Application
|
||||
that uses the facility (other than as an argument passed when the
|
||||
facility is invoked), then you may convey a copy of the modified
|
||||
version:
|
||||
|
||||
a) under this License, provided that you make a good faith effort to
|
||||
ensure that, in the event an Application does not supply the
|
||||
function or data, the facility still operates, and performs
|
||||
whatever part of its purpose remains meaningful, or
|
||||
|
||||
b) under the GNU GPL, with none of the additional permissions of
|
||||
this License applicable to that copy.
|
||||
|
||||
3. Object Code Incorporating Material from Library Header Files.
|
||||
|
||||
The object code form of an Application may incorporate material from
|
||||
a header file that is part of the Library. You may convey such object
|
||||
code under terms of your choice, provided that, if the incorporated
|
||||
material is not limited to numerical parameters, data structure
|
||||
layouts and accessors, or small macros, inline functions and templates
|
||||
(ten or fewer lines in length), you do both of the following:
|
||||
|
||||
a) Give prominent notice with each copy of the object code that the
|
||||
Library is used in it and that the Library and its use are
|
||||
covered by this License.
|
||||
|
||||
b) Accompany the object code with a copy of the GNU GPL and this license
|
||||
document.
|
||||
|
||||
4. Combined Works.
|
||||
|
||||
You may convey a Combined Work under terms of your choice that,
|
||||
taken together, effectively do not restrict modification of the
|
||||
portions of the Library contained in the Combined Work and reverse
|
||||
engineering for debugging such modifications, if you also do each of
|
||||
the following:
|
||||
|
||||
a) Give prominent notice with each copy of the Combined Work that
|
||||
the Library is used in it and that the Library and its use are
|
||||
covered by this License.
|
||||
|
||||
b) Accompany the Combined Work with a copy of the GNU GPL and this license
|
||||
document.
|
||||
|
||||
c) For a Combined Work that displays copyright notices during
|
||||
execution, include the copyright notice for the Library among
|
||||
these notices, as well as a reference directing the user to the
|
||||
copies of the GNU GPL and this license document.
|
||||
|
||||
d) Do one of the following:
|
||||
|
||||
0) Convey the Minimal Corresponding Source under the terms of this
|
||||
License, and the Corresponding Application Code in a form
|
||||
suitable for, and under terms that permit, the user to
|
||||
recombine or relink the Application with a modified version of
|
||||
the Linked Version to produce a modified Combined Work, in the
|
||||
manner specified by section 6 of the GNU GPL for conveying
|
||||
Corresponding Source.
|
||||
|
||||
1) Use a suitable shared library mechanism for linking with the
|
||||
Library. A suitable mechanism is one that (a) uses at run time
|
||||
a copy of the Library already present on the user's computer
|
||||
system, and (b) will operate properly with a modified version
|
||||
of the Library that is interface-compatible with the Linked
|
||||
Version.
|
||||
|
||||
e) Provide Installation Information, but only if you would otherwise
|
||||
be required to provide such information under section 6 of the
|
||||
GNU GPL, and only to the extent that such information is
|
||||
necessary to install and execute a modified version of the
|
||||
Combined Work produced by recombining or relinking the
|
||||
Application with a modified version of the Linked Version. (If
|
||||
you use option 4d0, the Installation Information must accompany
|
||||
the Minimal Corresponding Source and Corresponding Application
|
||||
Code. If you use option 4d1, you must provide the Installation
|
||||
Information in the manner specified by section 6 of the GNU GPL
|
||||
for conveying Corresponding Source.)
|
||||
|
||||
5. Combined Libraries.
|
||||
|
||||
You may place library facilities that are a work based on the
|
||||
Library side by side in a single library together with other library
|
||||
facilities that are not Applications and are not covered by this
|
||||
License, and convey such a combined library under terms of your
|
||||
choice, if you do both of the following:
|
||||
|
||||
a) Accompany the combined library with a copy of the same work based
|
||||
on the Library, uncombined with any other library facilities,
|
||||
conveyed under the terms of this License.
|
||||
|
||||
b) Give prominent notice with the combined library that part of it
|
||||
is a work based on the Library, and explaining where to find the
|
||||
accompanying uncombined form of the same work.
|
||||
|
||||
6. Revised Versions of the GNU Lesser General Public License.
|
||||
|
||||
The Free Software Foundation may publish revised and/or new versions
|
||||
of the GNU Lesser General Public License from time to time. Such new
|
||||
versions will be similar in spirit to the present version, but may
|
||||
differ in detail to address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the
|
||||
Library as you received it specifies that a certain numbered version
|
||||
of the GNU Lesser General Public License "or any later version"
|
||||
applies to it, you have the option of following the terms and
|
||||
conditions either of that published version or of any later version
|
||||
published by the Free Software Foundation. If the Library as you
|
||||
received it does not specify a version number of the GNU Lesser
|
||||
General Public License, you may choose any version of the GNU Lesser
|
||||
General Public License ever published by the Free Software Foundation.
|
||||
|
||||
If the Library as you received it specifies that a proxy can decide
|
||||
whether future versions of the GNU Lesser General Public License shall
|
||||
apply, that proxy's public statement of acceptance of any version is
|
||||
permanent authorization for you to choose that version for the
|
||||
Library.
|
||||
|
||||
|
9
roles/generate-cert/README.md
Normal file
|
@ -0,0 +1,9 @@
|
|||
# generate-cert
|
||||
|
||||
This role is part of the project [Ansible Hacky PKI](https://gitea.auro.re/histausse/ansible_hacky_pki) licenced under the LGPL 3.
|
||||
|
||||
You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed **WITHOUT ANY WARRANTY**.
|
||||
In particular, the **security** of the pki generated and the process of generated the pki **is not guaranteed**. If you find any vulnerability,
|
||||
please contact me to see if we can find a patch.
|
||||
|
||||
Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>
|
8
roles/generate-cert/defaults/main.yml
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
key_usage:
|
||||
- digitalSignature
|
||||
- keyEncipherment
|
||||
validity_duration: "+365d"
|
||||
time_before_expiration_for_renewal: "+30d" # need a better name
|
||||
force_renewal: no
|
||||
store_directory: /etc/hackypky
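Review bot: `force_renewal: no` is a YAML 1.1 truthy literal; write `force_renewal: false` so it reads the same under every loader and matches the `true`/`false` used elsewhere in this commit. `time_before_expiration_for_renewal` is consumed as a `valid_at` offset in the role's task file, so the inline `# need a better name` could be resolved with a name such as `renewal_window` while keeping the old key as a fallback. `store_directory: /etc/hackypky` looks like it may be a misspelling of `hackypki`; it is used consistently by the tasks, so renaming is only safe if no host already carries keys under the current path.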
|
165
roles/generate-cert/tasks/main.yml
Normal file
|
@ -0,0 +1,165 @@
|
|||
---
|
||||
- name: Ensure the directories used to store certs exist
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
group: root
|
||||
owner: root
|
||||
mode: u=rwx,g=rx,o=rx
|
||||
loop:
|
||||
- "{{ store_directory }}"
|
||||
- "{{ store_directory }}/crts"
|
||||
- "{{ store_directory }}/keys"
|
||||
|
||||
- name: Ensure the directory containing the cert exist
|
||||
file:
|
||||
path: "{{ directory }}"
|
||||
state: directory
|
||||
|
||||
- name: Test if the key already exist
|
||||
stat:
|
||||
path: "{{ store_directory}}/keys/{{ cname }}.key"
|
||||
register: key_file
|
||||
|
||||
- name: Test if the cert already exist
|
||||
stat:
|
||||
path: "{{ store_directory}}/crts/{{ cname }}.crt"
|
||||
register: cert_file
|
||||
|
||||
- name: Test if we need to renew the certificate
|
||||
openssl_certificate_info:
|
||||
path: "{{ store_directory }}/crts/{{ cname }}.crt"
|
||||
valid_at:
|
||||
renewal: "{{ time_before_expiration_for_renewal }}"
|
||||
register: validity
|
||||
when: cert_file.stat.exists
|
||||
|
||||
- name: Generate the certificate
|
||||
block:
|
||||
- name: Generate private key
|
||||
become: false
|
||||
openssl_privatekey:
|
||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
|
||||
mode: u=rw,g=,o=
|
||||
size: "{{ key_size | default(omit) }}"
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Generate a Certificate Signing Request
|
||||
become: false
|
||||
openssl_csr:
|
||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
|
||||
privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
|
||||
common_name: "{{ cname }}"
|
||||
country_name: "{{ country_name | default(omit) }}"
|
||||
locality_name: "{{ locality_name | default(omit) }}"
|
||||
state_or_province_name: "{{ state_or_province_name | default(omit) }}"
|
||||
organization_name: "{{ organization_name | default(omit) }}"
|
||||
organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
|
||||
email_address: "{{ email_address | default(omit) }}"
|
||||
basic_constraints:
|
||||
- CA:FALSE # syntax?
|
||||
basic_constraints_critical: yes
|
||||
key_usage: "{{ key_usage }}"
|
||||
key_usage_critical: yes
|
||||
subject_alt_name: "{{ subject_alt_name | default(omit) }}"
|
||||
crl_distribution_points: "{{ crl_distribution_points | default(omit) }}"
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Put the CA in a file
|
||||
become: false
|
||||
copy:
|
||||
content: "{{ ca_cert }}"
|
||||
dest: "/tmp/ansible_hacky_pki_ca.crt"
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Put the CA key in a file
|
||||
become: false
|
||||
copy:
|
||||
content: "{{ ca_key }}"
|
||||
dest: "/tmp/ansible_hacky_pki_ca.key"
|
||||
mode: u=rw,g=,o=
|
||||
delegate_to: localhost
|
||||
no_log: yes
|
||||
|
||||
- name: Sign the certificate
|
||||
become: false
|
||||
openssl_certificate:
|
||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
|
||||
csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
|
||||
ownca_not_after: "{{ validity_duration }}"
|
||||
ownca_path: /tmp/ansible_hacky_pki_ca.crt
|
||||
ownca_privatekey_passphrase: "{{ ca_passphrase }}"
|
||||
ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
|
||||
provider: ownca
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Send private key to the server
|
||||
copy:
|
||||
src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
|
||||
dest: "{{ store_directory }}/keys/{{ cname }}.key"
|
||||
owner: "{{ owner | default('root') }}"
|
||||
group: "{{ group | default('root') }}"
|
||||
mode: "{{ key_mode | default('u=rw,g=,o=') }}"
|
||||
no_log: yes
|
||||
|
||||
- name: Send certificate to the server
|
||||
copy:
|
||||
src: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
|
||||
dest: "{{ store_directory }}/crts/{{ cname }}.crt"
|
||||
owner: "{{ owner | default('root') }}"
|
||||
group: "{{ group | default('root') }}"
|
||||
mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
|
||||
|
||||
# Clean up
|
||||
- name: Remove the local cert key
|
||||
become: false
|
||||
file:
|
||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
|
||||
state: absent
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Remove the CSR
|
||||
become: false
|
||||
file:
|
||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
|
||||
state: absent
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Remove the local certificate
|
||||
become: false
|
||||
file:
|
||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
|
||||
state: absent
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Remove the CA certificate
|
||||
become: false
|
||||
file:
|
||||
path: /tmp/ansible_hacky_pki_ca.crt
|
||||
state: absent
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Remove the CA key
|
||||
become: false
|
||||
file:
|
||||
path: /tmp/ansible_hacky_pki_ca.key
|
||||
state: absent
|
||||
delegate_to: localhost
|
||||
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||
|
||||
- name: Create the link to cert
|
||||
file:
|
||||
src: "{{ store_directory }}/crts/{{ cname }}.crt"
|
||||
dest: "{{ directory }}/{{ cname }}.crt"
|
||||
owner: "{{ owner | default('root') }}"
|
||||
group: "{{ group | default('root') }}"
|
||||
state: link
|
||||
|
||||
- name: Create the link to key
|
||||
file:
|
||||
src: "{{ store_directory }}/keys/{{ cname }}.key"
|
||||
dest: "{{ directory }}/{{ cname }}.key"
|
||||
owner: "{{ owner | default('root') }}"
|
||||
group: "{{ group | default('root') }}"
|
||||
state: link
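Review bot: The five `Remove …` cleanup tasks at the end of the `Generate the certificate` block only run when every preceding task succeeds, so a failure in `Sign the certificate` (or any earlier task) leaves the CA private key, the CA cert and the freshly generated host key in `/tmp` on the controller. Moving the cleanup into an `always:` section of the same block makes it run on failure as well, and the block-level `when:` still governs both sections. Separately, `Send certificate to the server` reads `key_mode` for the cert's mode, so callers that pass `key_mode: u=rw,g=,o=` (the grafana, kassandra and alertmanager roles do) silently make the public cert 0600 too — give it its own variable, `mode: "{{ cert_mode | default('u=rw,g=r,o=r') }}"`. The fixed `/tmp/ansible_hacky_pki_*` names are predictable on a shared controller; a `tempfile`-created directory would avoid that, although `mode: u=rw,g=,o=` on the key files already limits the exposure.

```yaml
- name: Generate the certificate
  block:
    # … unchanged: Generate private key … Send certificate to the server …
  always:
    # … unchanged: Remove the local cert key, Remove the CSR, Remove the local certificate, Remove the CA certificate (moved here verbatim) …
    - name: Remove the CA key
      become: false
      file:
        path: /tmp/ansible_hacky_pki_ca.key
        state: absent
      delegate_to: localhost
  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
```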
|
||||
|
5
roles/grafana/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: Restart Grafana
|
||||
systemd:
|
||||
name: grafana-server
|
||||
state: restarted
|
79
roles/grafana/tasks/main.yml
Normal file
|
@ -0,0 +1,79 @@
|
|||
---
|
||||
- name: Install apt transport https
|
||||
apt:
|
||||
name:
|
||||
- apt-transport-https
|
||||
state: latest
|
||||
update_cache: true
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Add Graphana Repo Key
|
||||
apt_key:
|
||||
url: https://packages.grafana.com/gpg.key
|
||||
state: present
|
||||
|
||||
- name: Add Grafana Repository
|
||||
apt_repository:
|
||||
repo: deb https://packages.grafana.com/oss/deb stable main
|
||||
state: present
|
||||
|
||||
- name: Install Grafana
|
||||
apt:
|
||||
name:
|
||||
- grafana
|
||||
state: latest
|
||||
update_cache: true
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Configure Grafana
|
||||
template:
|
||||
src: grafana.ini
|
||||
dest: /etc/grafana/grafana.ini
|
||||
owner: grafana
|
||||
group: grafana
|
||||
mode: u=rw,g=r,o=
|
||||
no_log: true
|
||||
notify: Restart Grafana
|
||||
|
||||
- name: Copy the CA cert
|
||||
copy:
|
||||
content: "{{ ca_cert }}"
|
||||
dest: /etc/grafana/ca.crt
|
||||
notify: Restart prometheus
|
||||
|
||||
- name: Generate certificate
|
||||
include_role:
|
||||
name: generate-cert
|
||||
vars:
|
||||
directory: /etc/grafana/
|
||||
cname: "grafana-{{ lan_address }}"
|
||||
owner: grafana
|
||||
group: grafana
|
||||
key_mode: u=rw,g=,o=
|
||||
subject_alt_name: "IP:{{ lan_address }}"
|
||||
# Need an equivalent to notify here
|
||||
|
||||
## THIS CERT CANNOT BE MONITORED BECAUSE IT IS A CLIENT CERT :'(
|
||||
#- name: Ensured the certificate is monitored
|
||||
# import_tasks: register-cert-to-monitoring.yml
|
||||
# vars:
|
||||
# target: "{{ lan_address }}:<PORT>|grafana-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
|
||||
|
||||
- name: Add Prometheus data source
|
||||
template:
|
||||
src: prometheus_datasource.yaml
|
||||
dest: /etc/grafana/provisioning/datasources/prometheus_datasource.yaml
|
||||
owner: grafana
|
||||
group: grafana
|
||||
mode: u=rw,g=r,o=
|
||||
notify: Restart Grafana
|
||||
|
||||
- name: Enable Grafana
|
||||
systemd:
|
||||
name: grafana-server
|
||||
enabled: true
|
||||
state: started
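Review bot: `Copy the CA cert` notifies `Restart prometheus`, but this role's handlers file only defines `Restart Grafana`, so a CA rotation never restarts Grafana and the play errors on an unknown handler whenever no prometheus role shares the play; change it to `notify: Restart Grafana`. The same task writes `/etc/grafana/ca.crt` with no `owner`/`mode`, which is acceptable for a public CA cert but worth stating explicitly for consistency with the neighbouring template tasks. `Add Graphana Repo Key` fetches the repository signing key over HTTPS without pinning its fingerprint; passing the expected key id through `apt_key`'s `id:` parameter (or shipping the key in a dedicated keyring) makes a substituted key detectable rather than silently trusted. The task name also misspells the product (`Graphana`).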
|
23
roles/grafana/tasks/register-cert-to-monitoring.yml
Normal file
|
@ -0,0 +1,23 @@
|
|||
---
|
||||
- name: Get the list of targets of the server
|
||||
slurp:
|
||||
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
||||
register: server_tls_targets_file
|
||||
delegate_to: "{{ appointed_prometheus_server }}"
|
||||
|
||||
- name: Set target variable from file
|
||||
set_fact:
|
||||
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
|
||||
|
||||
- name: Register the endpoint to the prometheus server
|
||||
block:
|
||||
- name: Add the target
|
||||
set_fact:
|
||||
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
|
||||
|
||||
- name: Put the new target list
|
||||
copy:
|
||||
content: "{{ new_server_tls_targets | to_nice_json }}"
|
||||
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
||||
delegate_to: "{{ appointed_prometheus_server }}"
|
||||
when: target not in server_tls_targets.0.targets
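Review bot: The slurp → `set_fact` → `copy` sequence is a read-modify-write of one file on `appointed_prometheus_server`, and since every host in the play runs each task in parallel, two hosts registering at the same time can both read the old list and the later write drops the earlier host's target; `throttle: 1` on the `Register the endpoint to the prometheus server` block serialises it. `server_tls_targets[0]` also assumes the JSON file already holds at least one entry — an empty list raises an undefined-index error instead of creating the first entry. The final `copy` sets no `owner`/`group`/`mode`, so it rewrites the targets file with the connecting user's defaults, which may not match what the prometheus role established. This task file is duplicated verbatim in the prometheus-alert-manager role (the hunk following its tasks/main.yml), so the fix belongs in one shared task file rather than two copies.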
|
1008
roles/grafana/templates/grafana.ini
Normal file
File diff suppressed because it is too large
17
roles/grafana/templates/prometheus_datasource.yaml
Normal file
|
@ -0,0 +1,17 @@
|
|||
{{ ansible_managed | comment }}
|
||||
apiVersion: 1
|
||||
|
||||
datasources:
|
||||
- name: Prometheus
|
||||
type: prometheus
|
||||
# Access mode - proxy (server in the UI) or direct (browser in the UI).
|
||||
access: proxy
|
||||
url: https://{{ lan_address }}:9090
|
||||
jsonData:
|
||||
httpMethod: POST
|
||||
tlsAuth: true
|
||||
tlsAuthWithCACert: true
|
||||
secureJsonData:
|
||||
tlsCACert: $__file{/etc/grafana/ca.crt}
|
||||
tlsClientCert: $__file{/etc/grafana/grafana-{{ lan_address }}.crt}
|
||||
tlsClientKey: $__file{/etc/grafana/grafana-{{ lan_address }}.key}
|
10
roles/prometheus-alert-manager/handlers/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
- name: Restart Alertmanager
|
||||
systemd:
|
||||
name: prometheus-alertmanager.service
|
||||
state: restarted
|
||||
|
||||
- name: Restart kassandra
|
||||
systemd:
|
||||
name: kassandra.service
|
||||
state: restarted
|
2
roles/prometheus-alert-manager/meta/main.yml
Normal file
|
@ -0,0 +1,2 @@
|
|||
dependencies:
|
||||
- role: install_nginx
|
73
roles/prometheus-alert-manager/tasks/kassandra.yml
Normal file
|
@ -0,0 +1,73 @@
|
|||
---
|
||||
- name: Install dependencies
|
||||
apt:
|
||||
name:
|
||||
- python3.9
|
||||
- python3.9-venv
|
||||
state: latest
|
||||
update_cache: true
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Create the kassandra user
|
||||
user:
|
||||
name: kassandra
|
||||
home: /opt/kassandra
|
||||
password_lock: yes
|
||||
system: yes
|
||||
|
||||
- name: Install kassandra
|
||||
become: yes
|
||||
become_user: kassandra
|
||||
pip:
|
||||
name:
|
||||
- wheel
|
||||
- "kassandra @ git+https://gitea.auro.re/histausse/kassandra.git"
|
||||
virtualenv: /opt/kassandra
|
||||
virtualenv_command: "python3.9 -m venv"
|
||||
|
||||
- name: Configure kassandra
|
||||
template:
|
||||
src: kassandra-config.yaml
|
||||
dest: /opt/kassandra/config.yaml
|
||||
owner: kassandra
|
||||
group: nogroup
|
||||
mode: '0600'
|
||||
notify: Restart kassandra
|
||||
no_log: true
|
||||
|
||||
- name: Copy the CA cert
|
||||
copy:
|
||||
content: "{{ ca_cert }}"
|
||||
dest: /opt/kassandra/ca.crt
|
||||
notify: Restart kassandra
|
||||
|
||||
- name: Generate certificate
|
||||
include_role:
|
||||
name: generate-cert
|
||||
vars:
|
||||
directory: /opt/kassandra/
|
||||
cname: "kassandra-{{ lan_address }}"
|
||||
owner: kassandra
|
||||
group: nogroup
|
||||
key_mode: u=rw,g=,o=
|
||||
subject_alt_name: "IP:{{ lan_address }}"
|
||||
# Need an equivalent to notify here
|
||||
|
||||
- name: Ensured the certificate is monitored
|
||||
import_tasks: register-cert-to-monitoring.yml
|
||||
vars:
|
||||
target: "{{ lan_address }}:8000|kassandra-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
|
||||
|
||||
- name: Copy the daemon configuration
|
||||
template:
|
||||
src: kassandra.service
|
||||
dest: /etc/systemd/system/kassandra.service
|
||||
notify: Restart kassandra
|
||||
|
||||
- name: Enable the daemon
|
||||
systemd:
|
||||
name: kassandra
|
||||
state: started
|
||||
enabled: yes
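Review bot: `Install kassandra` pulls `kassandra @ git+https://gitea.auro.re/histausse/kassandra.git` with no tag or commit pinned, so each run installs whatever the default branch holds at that moment, and a force-pushed or compromised repository becomes code running with the Matrix password and a client certificate; pin it as `git+https://gitea.auro.re/histausse/kassandra.git@<TAG_OR_COMMIT>` (placeholder) and bump deliberately. `password_lock: yes`, `system: yes` and `enabled: yes` are YAML 1.1 truthy literals; write `true` as the other roles in this commit do. `Copy the CA cert` writes `/opt/kassandra/ca.crt` with default ownership, which works only because the default mode is world-readable; an explicit `owner: kassandra` with `mode: '0644'` would document that intent.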
|
75
roles/prometheus-alert-manager/tasks/main.yml
Normal file
|
@ -0,0 +1,75 @@
|
|||
---
|
||||
- name: Install Prometheus Alert Manager
|
||||
apt:
|
||||
name:
|
||||
- prometheus-alertmanager
|
||||
state: latest
|
||||
update_cache: true
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Setup the arguments for alertmanager
|
||||
template:
|
||||
src: prometheus-alertmanager
|
||||
dest: /etc/default/prometheus-alertmanager
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
notify: Restart Alertmanager
|
||||
vars:
|
||||
args:
|
||||
- name: web.listen-address
|
||||
value: "127.0.0.1:9093"
|
||||
|
||||
- name: Copy the CA cert
|
||||
copy:
|
||||
content: "{{ ca_cert }}"
|
||||
dest: /etc/prometheus/ca.crt
|
||||
notify:
|
||||
- Restart Alertmanager
|
||||
- Reload nginx
|
||||
|
||||
- name: Generate certificate
|
||||
include_role:
|
||||
name: generate-cert
|
||||
vars:
|
||||
directory: /etc/prometheus/
|
||||
cname: "alertmanager-{{ lan_address }}"
|
||||
owner: prometheus
|
||||
group: prometheus
|
||||
key_mode: u=rw,g=,o=
|
||||
subject_alt_name: "IP:{{ lan_address }}"
|
||||
# Need an equivalent to notify here
|
||||
|
||||
- name: Ensured the certificate is monitored
|
||||
import_tasks: register-cert-to-monitoring.yml
|
||||
vars:
|
||||
target: "{{ lan_address }}:9093|alertmanager-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
|
||||
|
||||
- name: Setup the alertmanager config
|
||||
template:
|
||||
src: alertmanager.yml
|
||||
dest: /etc/prometheus/alertmanager.yml
|
||||
owner: prometheus
|
||||
group: prometheus
|
||||
mode: '0640'
|
||||
notify: Restart Alertmanager
|
||||
|
||||
# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
|
||||
# Think prometheus, think!
|
||||
- name: Copy the nginx config
|
||||
template:
|
||||
src: atrocious_nginx_stub
|
||||
dest: "/etc/nginx/sites-available/internal-alertmanager"
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Activate the config
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/internal-alertmanager"
|
||||
dest: "/etc/nginx/sites-enabled/internal-alertmanager"
|
||||
state: link
|
||||
force: yes
|
||||
|
||||
- name: Setup the matrix bot
|
||||
import_tasks: kassandra.yml
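Review bot: Alertmanager itself still listens on `127.0.0.1:9093` with no authentication, so the nginx mTLS front on `{{ lan_address }}:9093` protects the LAN path only — any local process or user on the host can read and silence alerts over loopback, which the comment above `Copy the nginx config` should say explicitly. If the packaged alertmanager version supports `--web.config.file`, basic auth configured there would close the loopback gap as well; this cannot be confirmed from the visible lines. `force: yes` in `Activate the config` should be `force: true` to match the rest of the role.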
|
|
@ -0,0 +1,23 @@
|
|||
---
|
||||
- name: Get the list of targets of the server
|
||||
slurp:
|
||||
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
||||
register: server_tls_targets_file
|
||||
delegate_to: "{{ appointed_prometheus_server }}"
|
||||
|
||||
- name: Set target variable from file
|
||||
set_fact:
|
||||
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
|
||||
|
||||
- name: Register the endpoint to the prometheus server
|
||||
block:
|
||||
- name: Add the target
|
||||
set_fact:
|
||||
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
|
||||
|
||||
- name: Put the new target list
|
||||
copy:
|
||||
content: "{{ new_server_tls_targets | to_nice_json }}"
|
||||
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
||||
delegate_to: "{{ appointed_prometheus_server }}"
|
||||
when: target not in server_tls_targets.0.targets
|
32
roles/prometheus-alert-manager/templates/alertmanager.yml
Normal file
|
@ -0,0 +1,32 @@
|
|||
{{ ansible_managed | comment }}
|
||||
# See https://prometheus.io/docs/alerting/configuration/ for documentation.
|
||||
|
||||
global:
|
||||
# Config used by default by the receivers
|
||||
http_config:
|
||||
tls_config:
|
||||
ca_file: "/etc/prometheus/ca.crt"
|
||||
cert_file: "/etc/prometheus/alertmanager-{{ lan_address }}.crt"
|
||||
key_file: "/etc/prometheus/alertmanager-{{ lan_address }}.key"
|
||||
|
||||
# The directory from which notification templates are read.
|
||||
templates:
|
||||
- "/etc/prometheus/alertmanager_templates/*.tmpl"
|
||||
|
||||
# The root route on which each incoming alert enters.
|
||||
route:
|
||||
repeat_interval: 6h
|
||||
|
||||
# A default receiver
|
||||
receiver: kassandra
|
||||
|
||||
# Inhibition rules allow to mute a set of alerts given that another alert is
|
||||
# firing.
|
||||
# We use this to mute any warning-level notifications if the same alert is
|
||||
# already critical.
|
||||
inhibit_rules:
|
||||
|
||||
receivers:
|
||||
- name: kassandra
|
||||
webhook_configs:
|
||||
- url: "https://{{ lan_address }}:8000/webhook"
|
|
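Review bot: `inhibit_rules:` is left empty although the comment above it says warning-level alerts are muted when the same alert is already critical, and the rule files in this commit depend on exactly that: their 30-day and 10-day certificate-expiry rules both match once fewer than 10 days remain, so without the rule a warning and a critical notification both reach the kassandra receiver. Either drop the comment or add the rule it describes; `equal: ['instance']` rather than `alertname` is what makes the 10-day critical silence the 30-day warning for the same host. A bare `inhibit_rules:` also parses as null rather than an empty list, which Alertmanager tolerates but is better written `inhibit_rules: []` if no rule is wanted. `source_match`/`target_match` is the spelling accepted by both old and current releases; switch to `source_matchers` once the packaged version is known to be 0.22 or newer.
```yaml
inhibit_rules:
  - source_match:
      severity: 'critical'
    target_match:
      severity: 'warning'
    equal: ['instance']
```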
@ -0,0 +1,13 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
server {
|
||||
listen {{ lan_address }}:9093 ssl;
|
||||
ssl_certificate /etc/prometheus/alertmanager-{{ lan_address }}.crt;
|
||||
ssl_certificate_key /etc/prometheus/alertmanager-{{ lan_address }}.key;
|
||||
ssl_client_certificate /etc/prometheus/ca.crt;
|
||||
ssl_verify_client on;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:9093;
|
||||
}
|
||||
}
|
|
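Review bot: `ssl_verify_client on` with `ssl_client_certificate /etc/prometheus/ca.crt` accepts any certificate the one internal CA has issued, and in this commit that CA also signs every host's node-exporter, blackbox and alertmanager server certificates, so unless the generate-cert role restricts extended key usage a key stolen from any monitored node is enough to reach the Alertmanager API behind this proxy and, for example, create silences. Pin the peer identity in addition to the CA, e.g. `if ($ssl_client_s_dn !~ "^CN=<the Prometheus server's client certificate CN>") { return 403; }` in the `server` block, or issue the scraper's certificate with a clientAuth-only EKU and the node certificates with serverAuth only. Also add `ssl_protocols TLSv1.2 TLSv1.3;`, since nginx releases before 1.23.4 still enable TLS 1.0/1.1 by default. The proxy only covers port 9093; whether Alertmanager itself is bound to 127.0.0.1 is decided by the ARGS rendered from tasks/main.yml outside this hunk, so confirm it is not also listening on the LAN address.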
@ -0,0 +1,16 @@
|
|||
---
|
||||
{{ ansible_managed | comment }}
|
||||
username: {{ kassandra_username }}
|
||||
homeserver: https://{{ matrix_server_name}}
|
||||
password: {{ kassandra_password }}
|
||||
tls: yes
|
||||
tls_auth: yes
|
||||
host: {{ lan_address }}
|
||||
tls_crt: kassandra-{{ lan_address }}.crt
|
||||
tls_key: kassandra-{{ lan_address }}.key
|
||||
ca_crt: ca.crt
|
||||
alert_rooms:
|
||||
{% for room in alert_rooms %}
|
||||
- "{{ room }}"
|
||||
{% endfor %}
|
||||
...
|
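Review bot: `password: {{ kassandra_password }}` (and the `username`/`homeserver` lines) drop a vault value into the rendered YAML unquoted, so a password containing `#`, `: `, a leading `*`/`&`/`{` or a quote is silently truncated or makes the bot's config unparseable, and the failure only shows up as a Matrix login error. Render every templated scalar through `to_json`, which yields a correctly escaped double-quoted YAML string: `password: {{ kassandra_password | to_json }}`, likewise for `username` and `homeserver` (which is also missing the space before `}}`). `tls: yes` / `tls_auth: yes` should be `true` unless kassandra specifically expects the YAML 1.1 spelling. The owner and mode of the rendered file are set in kassandra.yml outside this hunk; it holds the Matrix password, so confirm there that it is not world-readable.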
12
roles/prometheus-alert-manager/templates/kassandra.service
Normal file
12
roles/prometheus-alert-manager/templates/kassandra.service
Normal file
|
@ -0,0 +1,12 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
[Unit]
|
||||
Description=Kassandra bot for alertmanager
|
||||
|
||||
[Service]
|
||||
WorkingDirectory=/opt/kassandra
|
||||
ExecStart=/opt/kassandra/bin/kassandra
|
||||
User=kassandra
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
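Review bot: The unit has no ordering or restart policy: without `After=network-online.target` the bot can start before the interface carrying `lan_address` is up, fail its first Matrix login or its listen on port 8000, and then stay dead because there is no `Restart=`, which takes the whole notification path down silently. The process runs as `kassandra` but with an unrestricted view of the host; since it holds the Matrix password and exposes a network listener, add the usual sandboxing, with a `ReadWritePaths=` entry if the bot writes state under /opt/kassandra.
```ini
[Unit]
Description=Kassandra bot for alertmanager
After=network-online.target
Wants=network-online.target

[Service]
# … unchanged: WorkingDirectory / ExecStart / User …
Restart=on-failure
RestartSec=10
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
```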
@ -0,0 +1,75 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
# Set the command-line arguments to pass to the server.
|
||||
{% if not args %}
|
||||
ARGS=""
|
||||
{% else %}
|
||||
ARGS="\
|
||||
{% for arg in args %}
|
||||
--{{ arg.name }}={{ arg.value }} \
|
||||
{% endfor %}
|
||||
"
|
||||
{% endif %}
|
||||
|
||||
# The alert manager supports the following options:
|
||||
|
||||
# --config.file="/etc/prometheus/alertmanager.yml"
|
||||
# Alertmanager configuration file name.
|
||||
# --storage.path="/var/lib/prometheus/alertmanager/"
|
||||
# Base path for data storage.
|
||||
# --data.retention=120h
|
||||
# How long to keep data for.
|
||||
# --alerts.gc-interval=30m
|
||||
# Interval between alert GC.
|
||||
# --log.level=info
|
||||
# Only log messages with the given severity or above.
|
||||
# --web.external-url=WEB.EXTERNAL-URL
|
||||
# The URL under which Alertmanager is externally reachable (for example,
|
||||
# if Alertmanager is served via a reverse proxy). Used for generating
|
||||
# relative and absolute links back to Alertmanager itself. If the URL has
|
||||
# a path portion, it will be used to prefix all HTTP endpoints served by
|
||||
# Alertmanager. If omitted, relevant URL components will be derived
|
||||
# automatically.
|
||||
# --web.route-prefix=WEB.ROUTE-PREFIX
|
||||
# Prefix for the internal routes of web endpoints. Defaults to path of
|
||||
# --web.external-url.
|
||||
# --web.listen-address=":9093"
|
||||
# Address to listen on for the web interface and API.
|
||||
# --web.ui-path="/usr/share/prometheus/alertmanager/ui/"
|
||||
# Path to static UI directory.
|
||||
# --template.default="/usr/share/prometheus/alertmanager/default.tmpl"
|
||||
# Path to default notification template.
|
||||
# --cluster.listen-address="0.0.0.0:9094"
|
||||
# Listen address for cluster.
|
||||
# --cluster.advertise-address=CLUSTER.ADVERTISE-ADDRESS
|
||||
# Explicit address to advertise in cluster.
|
||||
# --cluster.peer=CLUSTER.PEER ...
|
||||
# Initial peers (may be repeated).
|
||||
# --cluster.peer-timeout=15s
|
||||
# Time to wait between peers to send notifications.
|
||||
# --cluster.gossip-interval=200ms
|
||||
# Interval between sending gossip messages. By lowering this value (more
|
||||
# frequent) gossip messages are propagated across the cluster more
|
||||
# quickly at the expense of increased bandwidth.
|
||||
# --cluster.pushpull-interval=1m0s
|
||||
# Interval for gossip state syncs. Setting this interval lower (more
|
||||
# frequent) will increase convergence speeds across larger clusters at
|
||||
# the expense of increased bandwidth usage.
|
||||
# --cluster.tcp-timeout=10s Timeout for establishing a stream connection
|
||||
# with a remote node for a full state sync, and for stream read and write
|
||||
# operations.
|
||||
# --cluster.probe-timeout=500ms
|
||||
# Timeout to wait for an ack from a probed node before assuming it is
|
||||
# unhealthy. This should be set to 99-percentile of RTT (round-trip time)
|
||||
# on your network.
|
||||
# --cluster.probe-interval=1s
|
||||
# Interval between random node probes. Setting this lower (more frequent)
|
||||
# will cause the cluster to detect failed nodes more quickly at the
|
||||
# expense of increased bandwidth usage.
|
||||
# --cluster.settle-timeout=1m0s
|
||||
# Maximum time to wait for cluster connections to settle before
|
||||
# evaluating notifications.
|
||||
# --cluster.reconnect-interval=10s
|
||||
# Interval between attempting to reconnect to lost peers.
|
||||
# --cluster.reconnect-timeout=6h0m0s
|
||||
# Length of time to attempt to reconnect to a lost peer.
|
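Review bot: Nothing in the rendered ARGS (the `args` list comes from tasks/main.yml, outside this hunk) appears to override `--cluster.listen-address`, whose documented default in this very file is `0.0.0.0:9094`: that gossip port is unauthenticated, is not behind the nginx mTLS front that only wraps 9093, and has no business being open on a single-instance deployment. Pass `--cluster.listen-address=""` to disable clustering, or bind it to the LAN address and firewall it if peers are planned. Consider also `--web.external-url=https://{{ lan_address }}:9093/` so links in notifications point at the TLS endpoint rather than the loopback listener.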
47
roles/prometheus-blackbox-exporter/files/alerts-blackbox.yml
Normal file
47
roles/prometheus-blackbox-exporter/files/alerts-blackbox.yml
Normal file
|
@ -0,0 +1,47 @@
|
|||
---
|
||||
groups:
|
||||
- name: BlackBoxAllInstances
|
||||
rules:
|
||||
|
||||
- alert: SiteUp
|
||||
expr: probe_success{job="blackbox http-down"} == 1
|
||||
annotations:
|
||||
title: '{{ $labels.instance }} is UP!'
|
||||
description: '{{ $labels.instance }} is now up!'
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: 'critical'
|
||||
|
||||
- alert: SiteDown
|
||||
expr: probe_success{job="blackbox http-up"} == 0
|
||||
for: 5m
|
||||
annotations:
|
||||
title: '{{ $labels.instance }} is Down'
|
||||
description: >-
|
||||
{{ $labels.instance }} has been down for more than 5 minutes.
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: 'warning'
|
||||
|
||||
- alert: CertExpLess30daysProb
|
||||
expr: (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"}-time()) < 2592000
|
||||
annotations:
|
||||
title: '{{ $labels.cname }} will expire soon'
|
||||
description: >-
|
||||
The certificate {{ $labels.cname }} on {{ $labels.instance }} will expire in
|
||||
{{ $value | humanizeDuration }}, it's time to renew it.
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: 'warning'
|
||||
|
||||
- alert: CertExpLess10daysProb
|
||||
expr: (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"}-time()) < 864000
|
||||
annotations:
|
||||
title: '{{ $labels.cname }} expiracy is imminent!'
|
||||
description: >-
|
||||
The certificate {{ $labels.cname }} on {{ $labels.instance }} will expire in
|
||||
{{ $value | humanizeDuration }}!
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: 'critical'
|
||||
...
|
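Review bot: Both certificate rules key on `probe_ssl_earliest_cert_expiry`, which only exists while the `internal tls` probe succeeds; the moment a certificate actually expires (or the CA/cert pair is misconfigured) the handshake fails, the series disappears and the critical alert resolves itself instead of escalating. Add a rule on the probe result for that job so a failed mTLS probe is itself alerted, and bound the 30-day rule from below so it and the 10-day rule do not fire together for the same certificate (`expr: 864000 <= (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"} - time()) < 2592000`) unless inhibition is configured in Alertmanager. `SiteUp` on the `http-down` job is critical with no `for:`; if that job confirms decommissioned endpoints stay down, a short `for:` would avoid paging on a single transient probe.
```yaml
- alert: InternalTLSProbeFailed
  expr: probe_success{job="blackbox internal tls"} == 0
  for: 5m
  annotations:
    title: 'mTLS probe of {{ $labels.instance }} failed'
    description: >-
      The TLS probe of {{ $labels.cname }} on {{ $labels.instance }} has been
      failing for 5 minutes (expired or untrusted certificate, or endpoint down).
  labels:
    severity: 'critical'
```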
10
roles/prometheus-blackbox-exporter/handlers/main.yml
Normal file
10
roles/prometheus-blackbox-exporter/handlers/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
- name: Restart blackbox-exporter
|
||||
systemd:
|
||||
name: prometheus-blackbox-exporter.service
|
||||
state: restarted
|
||||
|
||||
- name: Restart prometheus
|
||||
systemd:
|
||||
name: prometheus
|
||||
state: restarted
|
2
roles/prometheus-blackbox-exporter/meta/main.yml
Normal file
2
roles/prometheus-blackbox-exporter/meta/main.yml
Normal file
|
@ -0,0 +1,2 @@
|
|||
dependencies:
|
||||
- role: install_nginx
|
96
roles/prometheus-blackbox-exporter/tasks/main.yml
Normal file
96
roles/prometheus-blackbox-exporter/tasks/main.yml
Normal file
|
@ -0,0 +1,96 @@
|
|||
---
|
||||
- name: Install Prometheus Components
|
||||
apt:
|
||||
name:
|
||||
- prometheus-blackbox-exporter
|
||||
state: latest
|
||||
update_cache: true
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Copy the CA cert
|
||||
copy:
|
||||
content: "{{ ca_cert }}"
|
||||
dest: /etc/prometheus/ca.crt
|
||||
notify:
|
||||
- Restart blackbox-exporter
|
||||
- Reload nginx
|
||||
|
||||
- name: Generate certificate
|
||||
include_role:
|
||||
name: generate-cert
|
||||
vars:
|
||||
directory: /etc/prometheus/
|
||||
cname: "blackbox-{{ lan_address }}"
|
||||
owner: prometheus
|
||||
group: prometheus
|
||||
key_mode: u=rw,g=,o=
|
||||
subject_alt_name: "IP:{{ lan_address }}"
|
||||
# Need an equivalent to notify here
|
||||
|
||||
- name: Ensured the certificate is monitored
|
||||
import_tasks: register-cert-to-monitoring.yml
|
||||
vars:
|
||||
target: "{{ lan_address }}:9115|blackbox-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
|
||||
|
||||
- name: Setup the blackbox config
|
||||
template:
|
||||
src: blackbox.yml
|
||||
dest: /etc/prometheus/blackbox.yml
|
||||
owner: prometheus
|
||||
group: prometheus
|
||||
mode: '0640'
|
||||
notify: Restart blackbox-exporter
|
||||
no_log: true
|
||||
|
||||
#- name: Copy the web-config folder
|
||||
# template:
|
||||
# src: web-config.yaml
|
||||
# dest: /etc/prometheus/web-config-blackbox.yaml
|
||||
# group: prometheus
|
||||
# owner: prometheus
|
||||
# mode: u=rw,g=r,o=r
|
||||
# notify: Restart blackbox-exporter
|
||||
|
||||
- name: Setup the arguments for prometheus
|
||||
template:
|
||||
src: prometheus-blackbox-exporter
|
||||
dest: /etc/default/prometheus-blackbox-exporter
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
notify: Restart blackbox-exporter
|
||||
vars:
|
||||
args:
|
||||
- name: web.listen-address
|
||||
value: "127.0.0.1:9115"
|
||||
# value: "{{ lan_address }}:9115"
|
||||
- name: config.file
|
||||
value: /etc/prometheus/blackbox.yml
|
||||
# - name: web.config.file
|
||||
# value: /etc/prometheus/web-config.yaml
|
||||
|
||||
## Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
|
||||
# Think prometheus, think!
|
||||
- name: Copy the nginx config
|
||||
template:
|
||||
src: atrocious_nginx_stub
|
||||
dest: "/etc/nginx/sites-available/internal-blackbox"
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Activate the config
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/internal-blackbox"
|
||||
dest: "/etc/nginx/sites-enabled/internal-blackbox"
|
||||
state: link
|
||||
force: yes
|
||||
|
||||
- name: Add alert rules for node on the prometheus server
|
||||
copy:
|
||||
src: alerts-blackbox.yml
|
||||
dest: /etc/prometheus/alertsblackbox.yml
|
||||
owner: prometheus
|
||||
group: prometheus
|
||||
mode: u=rw,g=r,o=r
|
||||
notify: Restart prometheus
|
|
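Review bot: The rule file is written to `/etc/prometheus/alertsblackbox.yml` on the local host (no `delegate_to`), while the node-exporter role in this same commit delegates its rules to `/etc/prometheus/alerts/node.yml` on `appointed_prometheus_server`; whether the `rule_files` glob in prometheus.yml picks up a file outside `alerts/` is not visible here, but the inconsistency makes it likely the blackbox rules are never loaded. Use `dest: /etc/prometheus/alerts/blackbox.yml` with the same `delegate_to` so both roles follow one convention. Separately, `Copy the CA cert` sets no `mode`/`owner` although nginx and the exporter both read the file, and `no_log: true` on the blackbox.yml template hides diff output for a file that currently contains no secret. The commented-out web-config tasks reference two different paths (`web-config-blackbox.yaml` vs `web-config.yaml`) and are best removed until the native TLS path is adopted.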
@ -0,0 +1,23 @@
|
|||
---
|
||||
- name: Get the list of targets of the server
|
||||
slurp:
|
||||
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
||||
register: server_tls_targets_file
|
||||
delegate_to: "{{ appointed_prometheus_server }}"
|
||||
|
||||
- name: Set target variable from file
|
||||
set_fact:
|
||||
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
|
||||
|
||||
- name: Register the endpoint to the prometheus server
|
||||
block:
|
||||
- name: Add the target
|
||||
set_fact:
|
||||
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
|
||||
|
||||
- name: Put the new target list
|
||||
copy:
|
||||
content: "{{ new_server_tls_targets | to_nice_json }}"
|
||||
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
||||
delegate_to: "{{ appointed_prometheus_server }}"
|
||||
when: target not in server_tls_targets.0.targets
|
|
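Review bot: This file is byte-identical to `register-cert-to-monitoring.yml` in the prometheus-alert-manager and prometheus-node-exporter roles; three copies of a read-modify-write against the Prometheus server's target list will drift the first time one of them is fixed. Move it to one shared tasks file (under the prometheus role, or a small role of its own) and `import_tasks`/`include_role` it from the three exporters, passing `target` as today. Within this copy, `copy` writes the merged list without `mode`, and `server_tls_targets.0.targets` assumes the seed `[{"targets": []}]` document is already present on the delegate — no task in this role's tasks/main.yml installs it, so the slurp will fail on a server where whatever installs it has not yet run (inferred; that task is outside this hunk).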
@ -0,0 +1,13 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
server {
|
||||
listen {{ lan_address }}:9115 ssl;
|
||||
ssl_certificate /etc/prometheus/blackbox-{{ lan_address }}.crt;
|
||||
ssl_certificate_key /etc/prometheus/blackbox-{{ lan_address }}.key;
|
||||
ssl_client_certificate /etc/prometheus/ca.crt;
|
||||
ssl_verify_client on;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:9115;
|
||||
}
|
||||
}
|
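Review bot: The mTLS check is the only thing standing between the network and blackbox's `/probe?target=…&module=…` endpoint, which will open TCP/ICMP/HTTP connections to whatever host the caller names, so this proxy is an SSRF primitive for every holder of a CA-issued certificate — and the same CA signs every monitored host's server certificate in this commit. Add `ssl_protocols TLSv1.2 TLSv1.3;` and a peer check on `$ssl_client_s_dn` (or a clientAuth-only EKU on the scraper's certificate) so that only the Prometheus server's certificate, not any node's, can drive probes. `proxy_pass` to 127.0.0.1:9115 matches the `web.listen-address` set in tasks/main.yml, so the exporter itself is not reachable around the proxy.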
23
roles/prometheus-blackbox-exporter/templates/blackbox.yml
Normal file
23
roles/prometheus-blackbox-exporter/templates/blackbox.yml
Normal file
|
@ -0,0 +1,23 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
modules:
|
||||
http_2xx:
|
||||
prober: http
|
||||
http:
|
||||
http_post_2xx:
|
||||
prober: http
|
||||
http:
|
||||
method: POST
|
||||
tcp_connect:
|
||||
prober: tcp
|
||||
icmp:
|
||||
prober: icmp
|
||||
internal_tls_connect:
|
||||
prober: tcp
|
||||
timeout: 10s
|
||||
tcp:
|
||||
tls: true
|
||||
tls_config:
|
||||
ca_file: '/etc/prometheus/ca.crt'
|
||||
cert_file: '/etc/prometheus/blackbox-{{ lan_address }}.crt'
|
||||
key_file: '/etc/prometheus/blackbox-{{ lan_address }}.key'
|
|
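Review bot: `http:` under `http_2xx` is a bare key, which parses as null rather than an empty mapping; blackbox tolerates it, but `http: {}` states the intent and keeps yamllint quiet. The `icmp` module needs CAP_NET_RAW (or root) at runtime and nothing in this role grants it, so confirm the package does before adding ICMP targets. `internal_tls_connect` verifies the server against `ca.crt` without `insecure_skip_verify`, which is correct here because the generated certificates carry an IP SAN matching the probed address.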
@ -0,0 +1,21 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
# Set the command-line arguments to pass to the server.
|
||||
{% if not args %}
|
||||
ARGS=""
|
||||
{% else %}
|
||||
ARGS="\
|
||||
{% for arg in args %}
|
||||
--{{ arg.name }}={{ arg.value }} \
|
||||
{% endfor %}
|
||||
"
|
||||
{% endif %}
|
||||
|
||||
# Usage of prometheus-blackbox-exporter:
|
||||
# --config.file="blackbox.yml"
|
||||
# Blackbox exporter configuration file.
|
||||
# --web.listen-address=":9115"
|
||||
# The address to listen on for HTTP requests.
|
||||
# --timeout-offset=0.5 Offset to subtract from timeout in seconds.
|
||||
# --log.level=info Only log messages with the given severity or above.
|
||||
# One of: [debug, info, warn, error]
|
|
@ -0,0 +1,6 @@
|
|||
[
|
||||
{
|
||||
"targets": [
|
||||
]
|
||||
}
|
||||
]
|
|
@ -0,0 +1,7 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
tls_server_config:
|
||||
cert_file: "/etc/prometheus/blackbox-{{ lan_address }}.crt"
|
||||
key_file: "/etc/prometheus/blackbox-{{ lan_address }}.key"
|
||||
client_auth_type: "RequireAndVerifyClientCert"
|
||||
client_ca_file: "/etc/prometheus/ca.crt"
|
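Review bot: This web-config is dead: the task that would install it and the `--web.config.file` argument are both commented out in tasks/main.yml, and the two commented paths do not even agree (`/etc/prometheus/web-config-blackbox.yaml` vs `/etc/prometheus/web-config.yaml`), so the file documents a configuration that does not exist. Either delete it or finish the switch, which would let the exporter terminate mTLS itself and remove nginx from the path; if kept, add `min_version: TLS12` under `tls_server_config`.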
181
roles/prometheus-node-exporter/files/alerts-node.yml
Normal file
181
roles/prometheus-node-exporter/files/alerts-node.yml
Normal file
|
@ -0,0 +1,181 @@
|
|||
---
|
||||
groups:
|
||||
- name: NodeAllInstances
|
||||
rules:
|
||||
|
||||
- alert: InstanceDown
|
||||
expr: up{job='node'} == 0
|
||||
for: 5m
|
||||
annotations:
|
||||
title: 'Instance {{ $labels.instance }} down'
|
||||
description: >-
|
||||
{{ $labels.instance }} has been down for more than 5 minutes.
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: critical
|
||||
|
||||
- alert: OutOfDiskSpace
|
||||
expr: (100 - node_filesystem_avail_bytes{} *100 / node_filesystem_size_bytes{}) > 80
|
||||
for: 1m
|
||||
annotations:
|
||||
title: '`{{ $labels.instance }}:{{ $labels.mountpoint }}` is out of space'
|
||||
description: >-
|
||||
Partition `{{ $labels.mountpoint }}` (`{{ $labels.device }}`) of {{ $labels.instance }}
|
||||
uses {{ $value | printf "%.1f" }}% of its capacity.
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: warning
|
||||
|
||||
- alert: OutOfMemory
|
||||
expr: >-
|
||||
(
|
||||
node_memory_MemTotal_bytes
|
||||
- node_memory_MemFree_bytes
|
||||
- node_memory_Cached_bytes
|
||||
- node_memory_Buffers_bytes
|
||||
) / node_memory_MemTotal_bytes * 100 > 80
|
||||
for: 1m
|
||||
annotations:
|
||||
title: '{{ $labels.instance }} is out of memory'
|
||||
description: >-
|
||||
{{ $labels.instance }} uses {{ $value | printf "%.1f" }}% of its memory capacity.
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: warning
|
||||
|
||||
- alert: OutOfInode
|
||||
expr: >-
|
||||
(
|
||||
node_filesystem_files
|
||||
- node_filesystem_files_free
|
||||
) / node_filesystem_files * 100 >= 90
|
||||
for: 5m
|
||||
annotations:
|
||||
title: '`{{ $labels.instance }}:{{ $labels.mountpoint }}` is out of Inodes'
|
||||
description: >-
|
||||
Partition {{ $labels.mountpoint }} ({{ $labels.device }}) of {{ $labels.instance }}
|
||||
uses {{ $value | printf "%.1f" }}% of its Inodes.
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: warning
|
||||
|
||||
- alert: Swapping
|
||||
expr: >-
|
||||
(
|
||||
node_memory_SwapTotal_bytes
|
||||
- node_memory_SwapFree_bytes
|
||||
) / node_memory_SwapTotal_bytes * 100 >= 50
|
||||
for: 5m
|
||||
annotations:
|
||||
title: '{{ $labels.instance }} is using a lot of swap'
|
||||
description: >-
|
||||
{{ $labels.instance }} uses {{ $value | printf "%.1f" }}% of its memory capacity.
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: warning
|
||||
|
||||
- alert: PhysicalComponentTooHot
|
||||
expr: node_hwmon_temp_celsius > 79
|
||||
for: 5m
|
||||
annotations:
|
||||
title: '{{ $labels.instance }} is heating up'
|
||||
description: >-
|
||||
The internal temperature of {{ $labels.instance }} is {{ $value }}°C!
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: critical
|
||||
|
||||
- alert: PhysicalComponentHeatAlarm
|
||||
expr: node_hwmon_temp_crit_alarm_celsius == 1
|
||||
for: 0m
|
||||
annotations:
|
||||
title: 'The temperature alarm of {{ $labels.instance }} is up'
|
||||
description: >-
|
||||
Do something!
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: critical
|
||||
|
||||
- alert: OOMKill
|
||||
expr: increase(node_vmstat_oom_kill[1m]) > 0
|
||||
for: 0m
|
||||
annotations:
|
||||
title: 'The kernel is killing processes'
|
||||
description: >-
|
||||
The kernel killed {{ $value }} proccesses (OOM killer)
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: warning
|
||||
|
||||
- alert: CorrectableErrorDetected
|
||||
expr: increase(node_edac_correctable_errors_total[1m]) > 0
|
||||
for: 0m
|
||||
annotations:
|
||||
title: 'Memory errors have been corrected'
|
||||
description: >-
|
||||
{{ $value | printf "%.1f" }} error(s) have been corrected (EDAC)
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: warning
|
||||
|
||||
- alert: UncorrectableErrorDetected
|
||||
expr: increase(node_edac_uncorrectable_errors_total[1m]) > 0
|
||||
for: 0m
|
||||
annotations:
|
||||
title: 'Memory errors could not be corrected'
|
||||
description: >-
|
||||
{{ $value | printf "%.1f" }} error(s) could not be corrected (EDAC)
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: warning
|
||||
|
||||
- alert: UnhealthyDisk
|
||||
expr: >-
|
||||
(
|
||||
smartmon_device_smart_healthy
|
||||
and on (instance, disk)
|
||||
smartmon_device_info{product!="QEMU HARDDISK"}
|
||||
) < 1
|
||||
for: 10m
|
||||
annotations:
|
||||
title: '`{{ $labels.instance }}:{{ $labels.disk }}` is unhealthy'
|
||||
description: >-
|
||||
Smartools detected that `{{ $labels.disk }}` on {{ $labels.instance }} is unhealthy
|
||||
and will probably need to be changed.
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: critical
|
||||
|
||||
- alert: ServiceFailed
|
||||
expr: node_systemd_unit_state{state="failed"}==1
|
||||
for: 10m
|
||||
annotations:
|
||||
title: '{{ $labels.name }} failed'
|
||||
description: >-
|
||||
The systemd service {{ $labels.name }} failed on {{ $labels.instance }}
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: warning
|
||||
|
||||
- alert: CertExpLess30days
|
||||
expr: (local_x509_expiry_date{job="blackbox internal tls"}-time()) < 2592000
|
||||
annotations:
|
||||
title: '{{ $labels.cname }} will expire soon'
|
||||
description: >-
|
||||
The certificate {{ $labels.cname }} on {{ $labels.instance }} at {{ $labels.file }}
|
||||
will expire in {{ $value | humanizeDuration }}, it's time to renew it.
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: 'warning'
|
||||
|
||||
- alert: CertExpLess10days
|
||||
expr: (local_x509_expiry_date{job="blackbox internal tls"}-time()) < 864000
|
||||
annotations:
|
||||
title: '{{ $labels.cname }} expiracy is imminent!'
|
||||
description: >-
|
||||
The certificate {{ $labels.cname }} on {{ $labels.instance }} at {{ $labels.file }}
|
||||
will expire in {{ $value | humanizeDuration }}, RENEW IT!!!
|
||||
labels:
|
||||
value: "{{ $value }}"
|
||||
severity: 'critical'
|
||||
...
|
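Review bot: `CertExpLess30days` and `CertExpLess10days` select `local_x509_expiry_date{job="blackbox internal tls"}`, but that metric is produced by local_x509.sh through the node-exporter textfile collector, so it carries the job label of the node scrape (`job="node"`, the label `InstanceDown` uses), not the blackbox job; as written the two rules never match and local certificate expiry is not alerted at all. Change the selector to `local_x509_expiry_date{job="node"}` (or drop the job matcher) and, as with the blackbox rules, bound the 30-day rule from below so both do not fire together. `OutOfDiskSpace` has no `fstype` filter, so read-only squashfs and tmpfs mounts that are always "full" will page — `node_filesystem_avail_bytes{fstype!~"tmpfs|squashfs|overlay"}` is the usual fix. `UnhealthyDisk` depends on smartmon metrics while the role explicitly avoids installing smartmontools, so it is inert on most hosts (inferred).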
25
roles/prometheus-node-exporter/files/local_x509.sh
Executable file
25
roles/prometheus-node-exporter/files/local_x509.sh
Executable file
|
@ -0,0 +1,25 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
sanitize() {
|
||||
while read -r data; do
|
||||
set -- $data
|
||||
printf %q "$1" | sed -e 's/\\ / /g'
|
||||
done
|
||||
}
|
||||
|
||||
print_metric() {
|
||||
while read -r data; do
|
||||
set -- $data
|
||||
if [ -f "$1" ]; then
|
||||
exp_date=`openssl x509 -enddate --noout -in "$1" | sed -e 's/notAfter=//g'`
|
||||
exp_date_unixtime=`date -d "$exp_date" -u +%s`
|
||||
cname=`openssl x509 -subject --noout -in "$1" | sed -e 's/^.*CN = //' | sed -e 's/,.*$//' | sanitize`
|
||||
filename=`realpath "$1" | sanitize`
|
||||
echo "local_x509_expiry_date{cname=\"$cname\",file=\"$filename\"} $exp_date_unixtime"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
echo '# HELP local_x509_expiry_date The cert expiry date in unixtime'
|
||||
echo '# TYPE local_x509_expiry_date gauge'
|
||||
printf '%s\n' "$@" | print_metric
|
|
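Review bot: If `openssl x509` fails (a glob matching a key or a bundle it cannot parse, or an unreadable file), `exp_date` is empty and `date -d "" -u +%s` still succeeds, printing today's midnight as the expiry, so the node pages with a bogus "expires in 0s" instead of reporting the broken input. Make the pipeline fail closed: `exp_date=$(openssl x509 -enddate -noout -in "$1" 2>/dev/null) || continue` and `exp_date_unixtime=$(date -d "${exp_date#notAfter=}" -u +%s) || continue`, with `set -o pipefail` at the top. `sanitize` uses `printf %q`, which is shell quoting rather than the exposition format's escaping of `\`, `"` and newlines; a CN or path containing those characters yields an unparsable line and node_exporter then rejects the whole `.prom` file — escape those three explicitly (e.g. `sed 's/\\/\\\\/g; s/"/\\"/g'`). `$(...)` is also preferable to backticks throughout.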
@ -0,0 +1,5 @@
|
|||
# The list of certs to monitor
|
||||
ARGS="
|
||||
/etc/letsencrypt/live/**/cert.pem
|
||||
/etc/hackypky/crts/*.crt
|
||||
"
|
|
@ -0,0 +1,8 @@
|
|||
[Unit]
|
||||
Description=Collect local x509 certificate metrics for prometheus-node-exporter
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
EnvironmentFile=/etc/default/prometheus-node-exporter-local_x509
|
||||
Environment=TMPDIR=/var/lib/prometheus/node-exporter
|
||||
ExecStart=/bin/bash -c "/usr/share/prometheus-node-exporter-collectors/local_x509.sh $ARGS | sponge /var/lib/prometheus/node-exporter/local_x509.prom"
|
|
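Review bot: The collector runs as root (no `User=`) every 15 minutes, executes a shell pipeline over operator-supplied globs and writes into a directory owned by the prometheus user, with none of systemd's sandboxing; root is needed to read /etc/letsencrypt/live, but nothing here needs the network or write access outside the textfile directory. `**` in the ARGS globs is only recursive with `globstar`, which `bash -c` does not enable by default — for `live/<name>/cert.pem` it happens to work as `*`, so either spell it `*` or pass `-O globstar`. `$ARGS` is expanded by systemd before bash sees the command line, so confirm the multi-line quoted value in `/etc/default/prometheus-node-exporter-local_x509` round-trips as intended.
```ini
[Service]
Type=oneshot
# … unchanged: EnvironmentFile / Environment=TMPDIR …
ExecStart=/bin/bash -O globstar -c "/usr/share/prometheus-node-exporter-collectors/local_x509.sh $ARGS | sponge /var/lib/prometheus/node-exporter/local_x509.prom"
NoNewPrivileges=true
PrivateNetwork=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/prometheus/node-exporter
```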
@ -0,0 +1,9 @@
|
|||
[Unit]
|
||||
Description=Run local x509 metrics collection every 15 minutes
|
||||
|
||||
[Timer]
|
||||
OnBootSec=0
|
||||
OnUnitActiveSec=15min
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
10
roles/prometheus-node-exporter/handlers/main.yml
Normal file
10
roles/prometheus-node-exporter/handlers/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
- name: Restart prometheus-node-exporter
|
||||
systemd:
|
||||
name: prometheus-node-exporter
|
||||
state: restarted
|
||||
- name: Restart appointed_prometheus_server
|
||||
systemd:
|
||||
name: prometheus
|
||||
state: restarted
|
||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
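Review bot: `Restart appointed_prometheus_server` is delegated but not `run_once`, so a handler notified by every node-exporter host in the play restarts the Prometheus server once per host — with `hosts: all` that is one restart per fleet member, each dropping in-flight scrapes and pending alert state. Add `run_once: true` to the handler, and prefer `state: reloaded` (a rule-file change only needs a config reload, and the Debian unit has an `ExecReload`) over a full restart.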
@ -0,0 +1,69 @@
|
|||
---
|
||||
- name: Install moreutils # we need the sponge command
|
||||
apt:
|
||||
name:
|
||||
- moreutils
|
||||
state: latest
|
||||
update_cache: true
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Ensure /usr/share/prometheus-node-exporter exist
|
||||
file:
|
||||
path: /usr/share/prometheus-node-exporter/
|
||||
state: directory
|
||||
group: root
|
||||
owner: root
|
||||
mode: u=rwx,g=rx,o=rx
|
||||
|
||||
# Optionnal, but used with the hacky_pki role
|
||||
- name: Ensure /etc/hackypky/crts/ exist
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
group: root
|
||||
owner: root
|
||||
mode: u=rwx,g=rx,o=rx
|
||||
loop:
|
||||
- /etc/hackypky
|
||||
- /etc/hackypky/crts
|
||||
|
||||
- name: Add the script
|
||||
copy:
|
||||
src: local_x509.sh
|
||||
dest: /usr/share/prometheus-node-exporter-collectors/local_x509.sh
|
||||
group: root
|
||||
owner: root
|
||||
mode: u=rwx,g=,o=
|
||||
|
||||
- name: Add the env file
|
||||
copy:
|
||||
src: prometheus-node-exporter-local_x509
|
||||
dest: /etc/default/prometheus-node-exporter-local_x509
|
||||
group: root
|
||||
owner: root
|
||||
force: no
|
||||
mode: u=rwx,g=r,o=r
|
||||
|
||||
- name: Add the timer
|
||||
copy:
|
||||
src: prometheus-node-exporter-local_x509.timer
|
||||
dest: /lib/systemd/system/prometheus-node-exporter-local_x509.timer
|
||||
group: root
|
||||
owner: root
|
||||
mode: u=rw,g=r,o=r
|
||||
|
||||
- name: Add the service
|
||||
copy:
|
||||
src: prometheus-node-exporter-local_x509.service
|
||||
dest: /lib/systemd/system/prometheus-node-exporter-local_x509.service
|
||||
group: root
|
||||
owner: root
|
||||
mode: u=rw,g=r,o=r
|
||||
|
||||
- name: Enable the timer
|
||||
systemd:
|
||||
name: prometheus-node-exporter-local_x509.timer
|
||||
enabled: true
|
||||
state: started
|
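Review bot: `Enable the timer` starts a unit whose file was just copied into place without `daemon_reload: true`, so on a fresh host systemd does not know the timer yet and the task fails (or, if an older unit is already loaded, runs the stale definition); add `daemon_reload: true` to that task. The units also go into `/lib/systemd/system`, the package-owned tree, rather than `/etc/systemd/system` where local units belong. `/usr/share/prometheus-node-exporter/` is created but nothing in this file uses it (the script is installed under `prometheus-node-exporter-collectors`), and the env file gets `u=rwx,…` — an executable bit on a sourced config file, which should be `u=rw,g=r,o=r`.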
130
roles/prometheus-node-exporter/tasks/main.yml
Normal file
130
roles/prometheus-node-exporter/tasks/main.yml
Normal file
|
@ -0,0 +1,130 @@
|
|||
---
|
||||
- name: Use a newer version of Node exporter for ubuntu 20.04
|
||||
block:
|
||||
- name: Set the default release
|
||||
lineinfile:
|
||||
path: /etc/apt/apt.conf.d/01-vendor-ubuntu
|
||||
regexp: '^APT::Default-Release '
|
||||
line: "APT::Default-Release \"{{ ansible_facts['lsb']['codename'] }}\";"
|
||||
- name: Pin node exporter
|
||||
copy:
|
||||
dest: /etc/apt/preferences.d/pin-prometheus-node-exporter
|
||||
content: |
|
||||
Package: prometheus-node-exporter
|
||||
Pin: release n={{ ansible_facts['lsb']['codename'] }}
|
||||
Pin-Priority: -10
|
||||
|
||||
Package: prometheus-node-exporter
|
||||
Pin: release n=groovy
|
||||
Pin-Priority: 900
|
||||
- name: Add the repo from groovy
|
||||
apt_repository:
|
||||
repo: deb http://fr.archive.ubuntu.com/ubuntu groovy universe
|
||||
state: present
|
||||
when: ansible_facts['lsb']['id'] == 'Ubuntu' and ansible_facts['lsb']['codename'] == 'focal'
|
||||
|
||||
- name: Install Prometheus Node exporter
|
||||
apt:
|
||||
name:
|
||||
- prometheus-node-exporter
|
||||
- prometheus-node-exporter-collectors
|
||||
state: latest
|
||||
update_cache: true
|
||||
install_recommends: false # Do not install smartmontools
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
|
||||
- name: Install the local_x509 exporter
|
||||
import_tasks: local_x509_collector.yml
|
||||
|
||||
- name: Ensure /etc/node_exporter exist
|
||||
file:
|
||||
path: /etc/node_exporter
|
||||
state: directory
|
||||
group: prometheus
|
||||
owner: prometheus
|
||||
mode: u=rwx,g=rx,o=rx
|
||||
|
||||
- name: Copy the config folder
|
||||
template:
|
||||
src: config.yaml
|
||||
dest: /etc/node_exporter/config.yaml
|
||||
group: prometheus
|
||||
owner: prometheus
|
||||
mode: u=rw,g=r,o=r
|
||||
notify: Restart prometheus-node-exporter
|
||||
|
||||
- name: Copy the CA cert
|
||||
copy:
|
||||
content: "{{ ca_cert }}"
|
||||
dest: /etc/node_exporter/ca.crt
|
||||
notify: Restart prometheus-node-exporter
|
||||
|
||||
- name: Generate certificate
|
||||
include_role:
|
||||
name: generate-cert
|
||||
vars:
|
||||
directory: /etc/node_exporter/
|
||||
cname: "node-exp-{{ lan_address }}"
|
||||
owner: prometheus
|
||||
group: prometheus
|
||||
key_mode: u=rw,g=,o=
|
||||
subject_alt_name: "IP:{{ lan_address }}"
|
||||
# Need an equivalent to notify here
|
||||
|
||||
- name: Ensured the certificate is monitored
|
||||
import_tasks: register-cert-to-monitoring.yml
|
||||
vars:
|
||||
target: "{{ lan_address }}:9100|node-exp-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
|
||||
|
||||
- name: Setup the arguments for node-exporter
|
||||
template:
|
||||
src: prometheus-node-exporter
|
||||
dest: /etc/default/prometheus-node-exporter
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=r,o=r
|
||||
notify: Restart prometheus-node-exporter
|
||||
vars:
|
||||
args:
|
||||
- name: web.listen-address
|
||||
value: "{{ lan_address }}:9100"
|
||||
- name: web.config
|
||||
value: /etc/node_exporter/config.yaml
|
||||
|
||||
- name: Add the node to the server targets
|
||||
block:
|
||||
- name: Get the list of targets of the server
|
||||
slurp:
|
||||
src: /etc/prometheus/targets/node-targets.json
|
||||
register: server_node_target_file
|
||||
delegate_to: "{{ appointed_prometheus_server }}"
|
||||
|
||||
- name: Set target variable
|
||||
set_fact:
|
||||
server_node_target: "{{ server_node_target_file['content'] | b64decode | from_json }}"
|
||||
|
||||
- name: Register the node to the prometheus server
|
||||
block:
|
||||
- name: Add the node to the targets
|
||||
set_fact:
|
||||
new_server_node_target: "[{{ server_node_target[0] | combine({'targets': [lan_address + '|' + ansible_facts['nodename']]}, list_merge='append_rp') }}]"
|
||||
|
||||
- name: Put the new target list
|
||||
copy:
|
||||
content: "{{ new_server_node_target | to_nice_json }}"
|
||||
dest: /etc/prometheus/node-targets.json
|
||||
delegate_to: "{{ appointed_prometheus_server }}"
|
||||
when: (lan_address + '|' + ansible_facts['nodename']) not in server_node_target.0.targets
|
||||
|
||||
- name: Add alert rules for node on the prometheus server
|
||||
copy:
|
||||
src: alerts-node.yml
|
||||
dest: /etc/prometheus/alerts/node.yml
|
||||
owner: prometheus
|
||||
group: prometheus
|
||||
mode: u=rw,g=r,o=r
|
||||
delegate_to: "{{ appointed_prometheus_server }}"
|
||||
notify: Restart appointed_prometheus_server
|
|
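Review bot: `Add the node to the server targets` reads `/etc/prometheus/targets/node-targets.json` but writes the merged list to `/etc/prometheus/node-targets.json` (no `targets/`), so the new node is never added to the file Prometheus watches, the `when:` guard sees it missing on every run, and the task keeps reporting changed; fix the `copy` to `dest: /etc/prometheus/targets/node-targets.json`. The block also has the same lost-update shape as register-cert-to-monitoring.yml: every host slurps before any host writes, so with several hosts in the play only the last writer's node survives. Separately, the focal branch pins `prometheus-node-exporter` to the `groovy` archive over plain HTTP: Ubuntu 20.10 is end-of-life, so that repository receives no security updates and will vanish from the mirror — build or vendor a supported node_exporter instead of mixing releases.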
@ -0,0 +1,23 @@
|
|||
---
|
||||
- name: Get the list of targets of the server
|
||||
slurp:
|
||||
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
||||
register: server_tls_targets_file
|
||||
delegate_to: "{{ appointed_prometheus_server }}"
|
||||
|
||||
- name: Set target variable from file
|
||||
set_fact:
|
||||
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
|
||||
|
||||
- name: Register the endpoint to the prometheus server
|
||||
block:
|
||||
- name: Add the target
|
||||
set_fact:
|
||||
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
|
||||
|
||||
- name: Put the new target list
|
||||
copy:
|
||||
content: "{{ new_server_tls_targets | to_nice_json }}"
|
||||
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
||||
delegate_to: "{{ appointed_prometheus_server }}"
|
||||
when: target not in server_tls_targets.0.targets
|
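Review bot: This role runs on `all` hosts (books/monitoring.yml), so the slurp-then-copy here is where the shared target list is most likely to lose entries: with the linear strategy every host slurps the same version of blackbox-tls-internal-targets.json before any host copies its version back, and only the last writer's target survives unless the play runs with `serial: 1`. Collect each host's `target` into a fact and write the merged list from one `run_once` task delegated to the Prometheus server, and give the `copy` an explicit `mode: '0644'`. The file is also identical to the copies in the alert-manager and blackbox roles — one shared tasks file would keep the three in step.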
7
roles/prometheus-node-exporter/templates/config.yaml
Normal file
7
roles/prometheus-node-exporter/templates/config.yaml
Normal file
|
@ -0,0 +1,7 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
tls_server_config:
|
||||
cert_file: "/etc/node_exporter/node-exp-{{ lan_address }}.crt"
|
||||
key_file: "/etc/node_exporter/node-exp-{{ lan_address }}.key"
|
||||
client_auth_type: "RequireAndVerifyClientCert"
|
||||
client_ca_file: "/etc/node_exporter/ca.crt"
|
|
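Review bot: `client_auth_type: RequireAndVerifyClientCert` against `/etc/node_exporter/ca.crt` accepts any certificate the internal CA has issued, and in this commit that CA also signs every host's own node-exporter, blackbox and alertmanager server certificates, so unless generate-cert restricts extended key usage any compromised node can scrape every other node's metrics. Pin the scraper's identity as well — recent exporter-toolkit releases accept `client_allowed_sans:` under `tls_server_config` (check the version the package ships; the `--web.config` vs `--web.config.file` flag name in tasks/main.yml depends on it too) — or issue the node certificates with serverAuth only. Add `min_version: TLS12` while here.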
@ -0,0 +1,138 @@
{{ ansible_managed | comment }}
# Set the command-line arguments to pass to the server.
# Due to shell scaping, to pass backslashes for regexes, you need to double
# them (\\d for \d). If running under systemd, you need to double them again
# (\\\\d to mean \d), and escape newlines too.
{% if not args %}
ARGS=""
{% else %}
ARGS="\
{% for arg in args %}
--{{ arg.name }}={{ arg.value }} \
{% endfor %}
"
{% endif %}
# Prometheus-node-exporter supports the following options:
#
# --collector.diskstats.ignored-devices="^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"
# Regexp of devices to ignore for diskstats.
# --collector.filesystem.ignored-mount-points="^/(dev|proc|run|sys|mnt|media|var/lib/docker)($|/)"
# Regexp of mount points to ignore for filesystem
# collector.
# --collector.filesystem.ignored-fs-types="^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"
# Regexp of filesystem types to ignore for
# filesystem collector.
# --collector.netdev.ignored-devices="^lo$"
# Regexp of net devices to ignore for netdev
# collector.
# --collector.netstat.fields="^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*)|Tcp_(ActiveOpens|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$"
# Regexp of fields to return for netstat
# collector.
# --collector.ntp.server="127.0.0.1"
# NTP server to use for ntp collector
# --collector.ntp.protocol-version=4
# NTP protocol version
# --collector.ntp.server-is-local
# Certify that collector.ntp.server address is the
# same local host as this collector.
# --collector.ntp.ip-ttl=1 IP TTL to use while sending NTP query
# --collector.ntp.max-distance=3.46608s
# Max accumulated distance to the root
# --collector.ntp.local-offset-tolerance=1ms
# Offset between local clock and local ntpd time
# to tolerate
# --path.procfs="/proc" procfs mountpoint.
# --path.sysfs="/sys" sysfs mountpoint.
# --collector.qdisc.fixtures=""
# test fixtures to use for qdisc collector
# end-to-end testing
# --collector.runit.servicedir="/etc/service"
# Path to runit service directory.
# --collector.supervisord.url="http://localhost:9001/RPC2"
# XML RPC endpoint.
# --collector.systemd.unit-whitelist=".+"
# Regexp of systemd units to whitelist. Units must
# both match whitelist and not match blacklist to
# be included.
# --collector.systemd.unit-blacklist=".+(\\.device|\\.scope|\\.slice|\\.target)"
# Regexp of systemd units to blacklist. Units must
# both match whitelist and not match blacklist to
# be included.
# --collector.systemd.private
# Establish a private, direct connection to
# systemd without dbus.
# --collector.textfile.directory="/var/lib/prometheus/node-exporter"
# Directory to read text files with metrics from.
# --collector.vmstat.fields="^(oom_kill|pgpg|pswp|pg.*fault).*"
# Regexp of fields to return for vmstat collector.
# --collector.wifi.fixtures=""
# test fixtures to use for wifi collector metrics
# --collector.arp Enable the arp collector (default: enabled).
# --collector.bcache Enable the bcache collector (default: enabled).
# --collector.bonding Enable the bonding collector (default: enabled).
# --collector.buddyinfo Enable the buddyinfo collector (default:
# disabled).
# --collector.conntrack Enable the conntrack collector (default:
# enabled).
# --collector.cpu Enable the cpu collector (default: enabled).
# --collector.diskstats Enable the diskstats collector (default:
# enabled).
# --collector.drbd Enable the drbd collector (default: disabled).
# --collector.edac Enable the edac collector (default: enabled).
# --collector.entropy Enable the entropy collector (default: enabled).
# --collector.filefd Enable the filefd collector (default: enabled).
# --collector.filesystem Enable the filesystem collector (default:
# enabled).
# --collector.hwmon Enable the hwmon collector (default: enabled).
# --collector.infiniband Enable the infiniband collector (default:
# enabled).
# --collector.interrupts Enable the interrupts collector (default:
# disabled).
# --collector.ipvs Enable the ipvs collector (default: enabled).
# --collector.ksmd Enable the ksmd collector (default: disabled).
# --collector.loadavg Enable the loadavg collector (default: enabled).
# --collector.logind Enable the logind collector (default: disabled).
# --collector.mdadm Enable the mdadm collector (default: enabled).
# --collector.meminfo Enable the meminfo collector (default: enabled).
# --collector.meminfo_numa Enable the meminfo_numa collector (default:
# disabled).
# --collector.mountstats Enable the mountstats collector (default:
# disabled).
# --collector.netdev Enable the netdev collector (default: enabled).
# --collector.netstat Enable the netstat collector (default: enabled).
# --collector.nfs Enable the nfs collector (default: enabled).
# --collector.nfsd Enable the nfsd collector (default: enabled).
# --collector.ntp Enable the ntp collector (default: disabled).
# --collector.qdisc Enable the qdisc collector (default: disabled).
# --collector.runit Enable the runit collector (default: disabled).
# --collector.sockstat Enable the sockstat collector (default:
# enabled).
# --collector.stat Enable the stat collector (default: enabled).
# --collector.supervisord Enable the supervisord collector (default:
# disabled).
# --collector.systemd Enable the systemd collector (default: enabled).
# --collector.tcpstat Enable the tcpstat collector (default:
# disabled).
# --collector.textfile Enable the textfile collector (default:
# enabled).
# --collector.time Enable the time collector (default: enabled).
# --collector.uname Enable the uname collector (default: enabled).
# --collector.vmstat Enable the vmstat collector (default: enabled).
# --collector.wifi Enable the wifi collector (default: enabled).
# --collector.xfs Enable the xfs collector (default: enabled).
# --collector.zfs Enable the zfs collector (default: enabled).
# --collector.timex Enable the timex collector (default: enabled).
# --web.listen-address=":9100"
# Address on which to expose metrics and web
# interface.
# --web.telemetry-path="/metrics"
# Path under which to expose metrics.
# --log.level="info" Only log messages with the given severity or
# above. Valid levels: [debug, info, warn, error,
# fatal]
# --log.format="logger:stderr"
# Set the log target and format. Example:
# "logger:syslog?appname=bob&local=7" or
# "logger:stdout?json=true"
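Review bot: `--{{ arg.name }}={{ arg.value }} \` pastes each value raw inside the double-quoted `ARGS="…"` string, so a value containing a double quote, a backslash or whitespace (the flags documented below all take quoted regexes) terminates or splits the string instead of reaching the exporter, and the escaping rules the header comment describes are never applied to it. At minimum the constraint belongs next to the loop, e.g. `# arg.value is inserted verbatim inside a double-quoted string: no ", \ or whitespace`, otherwise escape the value before interpolating it. The same loop is in roles/prometheus/templates/prometheus further down the page. This hunk carries no file header on the page, so the template's path cannot be confirmed here.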
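--- a/roles/prometheus/handlers/main.yml
+++ b/roles/prometheus/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart prometheus
+systemd:
+name: prometheus
+state: restarted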
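--- a/roles/prometheus/meta/main.yml
+++ b/roles/prometheus/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- role: install_nginx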
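--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@@ -0,0 +1,117 @@
+---
+- name: Install Prometheus Components
+apt:
+name:
+- prometheus
+- prometheus-pushgateway
+state: latest
+update_cache: true
+register: apt_result
+retries: 3
+until: apt_result is succeeded
+
+- name: Ensure the alert folder exist
+file:
+path: /etc/prometheus/alerts
+state: directory
+group: prometheus
+owner: prometheus
+mode: u=rwx,g=rx,o=rx
+
+- name: Ensure the target folder exist
+file:
+path: /etc/prometheus/targets
+state: directory
+group: prometheus
+owner: prometheus
+mode: u=rwx,g=rx,o=rx
+
+- name: Copy the CA cert
+copy:
+content: "{{ ca_cert }}"
+dest: /etc/prometheus/ca.crt
+notify:
+- Restart prometheus
+- Reload nginx
+
+- name: Generate certificate
+include_role:
+name: generate-cert
+vars:
+directory: /etc/prometheus/
+cname: "prometheus-{{ lan_address }}"
+owner: prometheus
+group: prometheus
+key_mode: u=rw,g=,o=
+subject_alt_name: "IP:{{ lan_address }}"
+# Need an equivalent to notify here
+
+- name: Ensured the certificate is monitored
+import_tasks: register-cert-to-monitoring.yml
+vars:
+target: "{{ lan_address }}:9090|prometheus-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
+
+- name: Setup the prometheus config
+template:
+src: prometheus.yml
+dest: /etc/prometheus/prometheus.yml
+owner: prometheus
+group: prometheus
+mode: '0640'
+notify: Restart prometheus
+no_log: true
+
+- name: Add node targets file
+template:
+src: node-targets.json
+dest: "/etc/prometheus/targets/{{ item }}-targets.json"
+owner: prometheus
+group: prometheus
+mode: '0640'
+force: no
+notify: Restart prometheus
+loop:
+- blackbox-http-down
+- blackbox-http-up
+- blackbox-tls-internal
+- node
+
+- name: Copy the web-config folder
+template:
+src: web-config.yaml
+dest: /etc/prometheus/web-config.yaml
+group: prometheus
+owner: prometheus
+mode: u=rw,g=r,o=r
+notify: Restart prometheus
+
+- name: Setup the arguments for prometheus
+template:
+src: prometheus
+dest: /etc/default/prometheus
+owner: root
+group: root
+mode: '0644'
+notify: Restart prometheus
+vars:
+args:
+- name: web.listen-address
+value: "127.0.0.1:9090"
+# value: "{{ lan_address }}:9090"
+# - name: web.config.file # Not available before 2.24, and it sucks
+# value: /etc/prometheus/web-config.yaml
+
+# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
+# Think prometheus, think!
+- name: Copy the nginx config
+template:
+src: atrocious_nginx_stub
+dest: "/etc/nginx/sites-available/internal-prometheus"
+notify: Reload nginx
+
+- name: Activate the config
+file:
+src: "/etc/nginx/sites-available/internal-prometheus"
+dest: "/etc/nginx/sites-enabled/internal-prometheus"
+state: link
+force: yes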
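Review bot: `state: latest` together with `update_cache: true` in the `Install Prometheus Components` task upgrades prometheus to whatever the mirror currently carries on every run, so the deployed version is unpinned even though the role makes version-dependent choices elsewhere (the `web.config.file` argument is left commented out because it "is not available before 2.24"). `state: present` keeps the task idempotent and turns upgrades into a deliberate, reviewable change. The `Copy the CA cert` task is the only file-writing task here that sets no `owner`/`group`/`mode`, so the resulting permissions depend on the remote umask; `owner: prometheus`, `group: prometheus`, `mode: u=rw,g=r,o=r` would match its siblings. `force: no` on the node-targets task and `force: yes` on the nginx symlink are YAML 1.1 truthy spellings; `false`/`true` is what the rest of the file uses. `no_log: true` on the prometheus.yml template task also hides the error output when the template fails, and the template on this page contains paths only, so it is worth confirming that the secrecy is still needed.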
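--- a/roles/prometheus/tasks/register-cert-to-monitoring.yml
+++ b/roles/prometheus/tasks/register-cert-to-monitoring.yml
@@ -0,0 +1,23 @@
+---
+- name: Get the list of targets of the server
+slurp:
+src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+register: server_tls_targets_file
+delegate_to: "{{ appointed_prometheus_server }}"
+
+- name: Set target variable from file
+set_fact:
+server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
+
+- name: Register the endpoint to the prometheus server
+block:
+- name: Add the target
+set_fact:
+new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
+
+- name: Put the new target list
+copy:
+content: "{{ new_server_tls_targets | to_nice_json }}"
+dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+delegate_to: "{{ appointed_prometheus_server }}"
+when: target not in server_tls_targets.0.targets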
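Review bot: The slurp → set_fact → copy sequence is an unsynchronised read-modify-write of `/etc/prometheus/targets/blackbox-tls-internal-targets.json` on the delegate host; when this task file runs for several hosts in parallel, two of them can read the same old list and the second `copy` overwrites the first host's registration, silently leaving that certificate unmonitored. `throttle: 1` on the `Register the endpoint to the prometheus server` block (and ideally on the slurp, or moving the slurp into the block) serialises the window; a comment such as `# read-modify-write on the shared targets file: must not run concurrently across hosts` would explain why. The same pattern is in the `@@ -0,0 +1,23 @@` hunk earlier on the page (whose file header is missing) and in the partial task file at the top of the page, which writes `/etc/prometheus/node-targets.json`.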
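--- a/roles/prometheus/templates/atrocious_nginx_stub
+++ b/roles/prometheus/templates/atrocious_nginx_stub
@@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+server {
+listen {{ lan_address }}:9090 ssl;
+ssl_certificate /etc/prometheus/prometheus-{{ lan_address }}.crt;
+ssl_certificate_key /etc/prometheus/prometheus-{{ lan_address }}.key;
+ssl_client_certificate /etc/prometheus/ca.crt;
+ssl_verify_client on;
+
+location / {
+proxy_pass http://127.0.0.1:9090;
+}
+}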
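Review bot: The server block sets no `ssl_protocols`/`ssl_ciphers`, so which TLS versions this mTLS endpoint offers is inherited from nginx.conf and the distro default rather than decided by this role; `ssl_protocols TLSv1.2 TLSv1.3;` next to `ssl_verify_client on;` pins it. `listen {{ lan_address }}:9090 ssl;` and `proxy_pass http://127.0.0.1:9090;` share a port number and only coexist because tasks/main.yml binds Prometheus to `127.0.0.1:9090`; if the commented-out `value: "{{ lan_address }}:9090"` there is ever restored, nginx and Prometheus contend for the same socket. That coupling deserves a comment here, e.g. `# 9090 on the LAN address is nginx; Prometheus itself must stay on 127.0.0.1:9090 (see tasks/main.yml)`.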
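--- a/roles/prometheus/templates/node-targets.json
+++ b/roles/prometheus/templates/node-targets.json
@@ -0,0 +1,6 @@
+[
+{
+"targets": [
+]
+}
+]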
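--- a/roles/prometheus/templates/prometheus
+++ b/roles/prometheus/templates/prometheus
@@ -0,0 +1,67 @@
+{{ ansible_managed | comment }}
+
+# Set the command-line arguments to pass to the server.
+{% if not args %}
+ARGS=""
+{% else %}
+ARGS="\
+{% for arg in args %}
+--{{ arg.name }}={{ arg.value }} \
+{% endfor %}
+"
+{% endif %}
+
+# Prometheus supports the following options:
+# --config.file="/etc/prometheus/prometheus.yml"
+# Prometheus configuration file path.
+# --web.listen-address="0.0.0.0:9090"
+# Address to listen on for UI, API, and telemetry.
+# --web.read-timeout=5m Maximum duration before timing out read of the
+# request, and closing idle connections.
+# --web.max-connections=512 Maximum number of simultaneous connections.
+# --web.external-url=<URL> The URL under which Prometheus is externally
+# reachable (for example, if Prometheus is served
+# via a reverse proxy). Used for generating
+# relative and absolute links back to Prometheus
+# itself. If the URL has a path portion, it will
+# be used to prefix all HTTP endpoints served by
+# Prometheus. If omitted, relevant URL components
+# will be derived automatically.
+# --web.route-prefix=<path> Prefix for the internal routes of web endpoints.
+# Defaults to path of --web.external-url.
+# --web.local-assets="/usr/share/prometheus/web/"
+# Path to static asset/templates directory.
+# --web.user-assets=<path> Path to static asset directory, available at
+# /user.
+# --web.enable-lifecycle Enable shutdown and reload via HTTP request.
+# --web.enable-admin-api Enables API endpoints for admin control actions.
+# --web.console.templates="/etc/prometheus/consoles"
+# Path to the console template directory,
+# available at /consoles.
+# --web.console.libraries="/etc/prometheus/console_libraries"
+# Path to the console library directory.
+# --storage.tsdb.path="/var/lib/prometheus/metrics2/"
+# Base path for metrics storage.
+# --storage.tsdb.min-block-duration=2h
+# Minimum duration of a data block before being
+# persisted.
+# --storage.tsdb.max-block-duration=<duration>
+# Maximum duration compacted blocks may span.
+# (Defaults to 10% of the retention period)
+# --storage.tsdb.retention=15d
+# How long to retain samples in the storage.
+# --storage.tsdb.use-lockfile
+# Create a lockfile in data directory.
+# --alertmanager.notification-queue-capacity=10000
+# The capacity of the queue for pending alert
+# manager notifications.
+# --alertmanager.timeout=10s
+# Timeout for sending alerts to Alertmanager.
+# --query.lookback-delta=5m The delta difference allowed for retrieving
+# metrics during expression evaluations.
+# --query.timeout=2m Maximum time a query may take before being
+# aborted.
+# --query.max-concurrency=20
+# Maximum number of queries executed concurrently.
+# --log.level=info Only log messages with the given severity or
+# above. One of: [debug, info, warn, error]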
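--- a/roles/prometheus/templates/prometheus.yml
+++ b/roles/prometheus/templates/prometheus.yml
@@ -0,0 +1,117 @@
+{{ ansible_managed | comment }}
+
+global:
+# scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
+# evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+# scrape_timeout is set to the global default (10s).
+
+# Attach these labels to any time series or alerts when communicating with
+# external systems (federation, remote storage, Alertmanager).
+external_labels:
+# monitor: 'example'
+
+# Alertmanager configuration
+alerting:
+alertmanagers:
+- static_configs:
+- targets: ['{{ lan_address }}:9093']
+scheme: https
+tls_config:
+ca_file: '/etc/prometheus/ca.crt'
+cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
+key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
+
+# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
+rule_files:
+- "alerts/*.yml"
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
+- job_name: 'prometheus'
+
+# metrics_path defaults to '/metrics'
+# scheme defaults to 'http'.
+
+static_configs:
+- targets: ['{{ lan_address }}:9090']
+scheme: https
+tls_config:
+ca_file: '/etc/prometheus/ca.crt'
+cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
+key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
+
+- job_name: node
+file_sd_configs:
+- files:
+- '/etc/prometheus/targets/node-targets.json'
+relabel_configs:
+# Use hostnames instead of ip for the instance label
+- source_labels: [__address__]
+target_label: __param_target
+- source_labels: [__param_target]
+target_label: instance
+regex: '.*\|(.*)'
+replacement: '$1'
+- source_labels: [__param_target]
+target_label: __address__
+regex: '(.*)\|.*'
+replacement: '$1:9100'
+scheme: https
+tls_config:
+ca_file: '/etc/prometheus/ca.crt'
+cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
+key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
+
+{% for target_type in ('http-up', 'http-down') %}
+- job_name: blackbox {{ target_type }}
+metrics_path: /probe
+params:
+module: [http_2xx]
+file_sd_configs:
+- files:
+- '/etc/prometheus/targets/blackbox-{{ target_type }}-targets.json'
+relabel_configs:
+- source_labels: [__address__]
+target_label: __param_target
+- source_labels: [__param_target]
+target_label: instance
+- target_label: __address__
+replacement: {{ lan_address }}:9115
+scheme: https
+tls_config:
+ca_file: '/etc/prometheus/ca.crt'
+cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
+key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
+
+{% endfor %}
+- job_name: blackbox internal tls
+metrics_path: /probe
+params:
+module: [internal_tls_connect]
+file_sd_configs:
+- files:
+- '/etc/prometheus/targets/blackbox-tls-internal-targets.json'
+relabel_configs:
+- source_labels: [__address__]
+target_label: __tmp_address
+- source_labels: [__tmp_address]
+target_label: __param_target
+regex: '(.*)\|.*\|.*'
+replacement: '$1'
+- source_labels: [__tmp_address]
+target_label: cname
+regex: '.*\|(.*)\|.*'
+replacement: '$1'
+- source_labels: [__tmp_address]
+target_label: instance
+regex: '.*\|.*\|(.*)'
+replacement: '$1'
+- target_label: __address__
+replacement: 172.20.1.1:9115
+scheme: https
+tls_config:
+ca_file: '/etc/prometheus/ca.crt'
+cert_file: '/etc/prometheus/prometheus-172.20.1.1.crt'
+key_file: '/etc/prometheus/prometheus-172.20.1.1.key'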
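Review bot: The `blackbox internal tls` job hard-codes `172.20.1.1` in `replacement: 172.20.1.1:9115`, `cert_file` and `key_file`, while every other job in the file derives the same three values from `{{ lan_address }}`; on any server where `lan_address` differs, the cert/key paths do not exist and Prometheus refuses to load the whole config, and the internal-TLS probes go to another host's blackbox exporter. Replacing the three literals with `{{ lan_address }}` makes the job consistent with its siblings. Separately, the `node` job reads `'/etc/prometheus/targets/node-targets.json'`, which is also where tasks/main.yml seeds the file, but the node registration task at the top of the page writes its updated list to `dest: /etc/prometheus/node-targets.json`; as far as this page shows, node registrations therefore land in a file this job never reads (that task file is cut off above the page, so its slurp path cannot be checked).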
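--- a/roles/prometheus/templates/web-config.yaml
+++ b/roles/prometheus/templates/web-config.yaml
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+tls_server_config:
+cert_file: "/etc/prometheus/prometheus-{{ lan_address }}.crt"
+key_file: "/etc/prometheus/prometheus-{{ lan_address }}.key"
+client_auth_type: "RequireAndVerifyClientCert"
+client_ca_file: "/etc/prometheus/ca.crt"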
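Review bot: As far as this page shows, this file is deployed by the `Copy the web-config folder` task but never handed to Prometheus, because the `web.config.file` argument in tasks/main.yml is commented out (`# - name: web.config.file # Not available before 2.24, and it sucks`); the `RequireAndVerifyClientCert` setting here is therefore inert and the client-certificate check that actually runs is the one in the nginx stub. A header comment stating that, e.g. `# Not yet in use: needs --web.config.file (Prometheus >= 2.24); client certs are currently enforced by nginx`, would stop a reader from assuming Prometheus itself verifies client certificates. The task name `Copy the web-config folder` is also misleading, since it templates this single file.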