Merge branch 'monitoring'

This commit is contained in:
histausse 2022-03-05 00:48:08 +01:00
commit 48ef4bd112
Signed by: histausse
GPG key ID: 67486F107F62E9E9
76 changed files with 3400 additions and 238 deletions


@ -9,6 +9,7 @@
roles: roles:
- networking - networking
- base_config - base_config
- prometheus-node-exporter
- hosts: all, !tests, !no_user, - hosts: all, !tests, !no_user,
roles: roles:

12
books/monitoring.yml Normal file

@ -0,0 +1,12 @@
#!/usr/bin/env ansible-playbook
---
- hosts: prometheus_servers
roles:
- prometheus
- prometheus-alert-manager
- grafana
- prometheus-blackbox-exporter
- hosts: all, !tests,
roles:
- prometheus-node-exporter
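Review bot: The last play applies `prometheus-node-exporter` to `all, !tests`, while the first hunk of this same commit adds the role to the base play that already covers those hosts, so every non-test host gets the exporter from two playbooks; keeping it only here, next to the rest of the monitoring stack, avoids the two copies drifting apart. The exporter's listen address is decided inside the role, which is not in this diff — the `lan_address` values added to the host_vars suggest it is meant to bind to the WireGuard address rather than the exporter's usual `0.0.0.0:9100`, and that is worth confirming since these hosts also have non-VPN interfaces (`eth0`/`enp2s0`). A short header comment such as `# Monitoring stack on prometheus_servers; node exporter on every non-test host` would help readers of the books directory.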

57
group_vars/all/ca.yml Normal file

@ -0,0 +1,57 @@
---
ca_passphrase: "{{ vault_ca_passphrase }}"
ca_key: "{{ vault_ca_key }}"
ca_cert: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
crl_distribution_points:
- full_name: "URI:https://ca.deso-palaiseau.fr/revocations.crl"
reasons:
- key_compromise
- ca_compromise
- affiliation_changed
- superseded
- cessation_of_operation
- certificate_hold
- privilege_withdrawn
- aa_compromise
- full_name: "URI:https://ca-pains-perdus.intra/revocations.crl"
reasons:
- key_compromise
- ca_compromise
- affiliation_changed
- superseded
- cessation_of_operation
- certificate_hold
- privilege_withdrawn
- aa_compromise
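Review bot: Both CRL distribution points carry an explicit `reasons` list, which per RFC 5280 §4.2.1.13 scopes each point to those reason codes only; a CA that publishes one full CRL should omit the field, because an absent `reasons` means the CRL covers every reason, and the ReasonFlags set has no bit for "unspecified", so an exhaustive list is still narrower than no list. Unless per-reason CRLs are really issued, drop the two `reasons:` blocks and keep just `- full_name: "URI:..."`. Both URIs are `https://`; if those servers present certificates issued by this same CA, a relying party has to fetch the CRL over a TLS session it cannot yet validate — CRLs are signed, so plain `http://` is the conventional scheme for a distribution point. Separately, declaring `ca_key` in `group_vars/all` puts the vault-decrypted CA private key into the variable namespace of every host in every play; scoping it to the group or host that actually signs certificates limits what a stray `debug`/fact dump or a mis-templated role can expose.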


@ -0,0 +1,9 @@
---
reverse_proxy_sites:
- {from: wiki.pains-perdus.fr, to: "https://azerty.fil.sand.auro.re:2443"}
- {from: hindley.pains-perdus.fr, to: "http://127.0.0.1:5000"}
- {from: "{{ grafana_domain_name }}", to: "http://127.0.0.1:3000"}
sharing_sites:
- {from: share.deso-palaiseau.fr, folder: "/home/histausse/www", user: histausse, group: histausse}
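Review bot: The `wiki.pains-perdus.fr` entry forwards to an HTTPS upstream on another host (`https://azerty.fil.sand.auro.re:2443`) and nothing in the entry says whether that upstream's certificate is verified; if the role's template disables verification or relies on a permissive default, wiki traffic is protected only as far as the network path to that host. A per-site key such as `verify_upstream: true` (or the CA file to pin) would make the intent explicit and let the template fail closed. The `sharing_sites` entry exposes `/home/histausse/www` under `share.deso-palaiseau.fr` with a `user`/`group` pair, but it is not visible here whether the serving process runs as that account or the role only adjusts ownership; a one-line comment stating which is meant, and whether directory listing is expected, would save the next reader a trip into the role.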


@ -2,3 +2,14 @@
# Use python 3 # Use python 3
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: /usr/bin/python3
dns_resolve_server: 1.1.1.1 dns_resolve_server: 1.1.1.1
# Default prometheus serveur, to overide in host_vars or something
appointed_prometheus_server: hindley
grafana_admin_password: "{{ vault_grafana_admin_password }}"
grafana_domain_name: monitoring.deso-palaiseau.fr
kassandra_username: cassandre
kassandra_password: "{{ vault_kassandra_password }}"
alert_rooms:
- "#monitoring:pains-perdus.fr"


@ -1,81 +1,272 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
38386365383032383336346430353334613639636464383235646565306161323463363466383934 66653939356531646231633866643664343439626466393835366664643239356166353639656466
3636386138346634386634373266643937356339373734370a366435343137643330393939353664 3731653736323063643664616534393834666637623438610a653265313233663738326166366234
39386432396430306339326435323862373135323263663139373032646136333064373365313161 64393862363239636533343139663166643331363133343230633032656633663033313032353630
6130343436313762620a633064326538393135626536343062383862366536646239656133366133 3666666439346332350a323239376135383262376661366632363963303433666362316535323664
38616531393837313365643734303062353030333763303132646231376363386239336631643231 31336635356137646565396131396461653630363362356638346266316231383036323632653366
38303230643135653238333132633739363333656534643765623836333936363062613132316339 33323430663863346664653562326330376639623131323936386639303065313738356665613535
31646365623030343433623264633665353432623839393638643039653561623361366630393631 64633663393963666363336265383661366264643931313939666561646134303130353034376530
38333636316432323165316261323337306238633237653733376539323136663231376462623035 63383064373633326263383332303632316135353862333365326439636131366165663636626337
30336463353738373061346431333435626362383134306661343562633437656462333430653663 63383566653331346536626138653733613666356162336163643566623737653337396436313134
30396231336336353535373337343434366536333865623065653238333637383332613338613361 36343535363331366463306335386465643464336339663933323733396437663332303231363237
61653566303962626534636530313238363662316163336532353738313962623835343032643930 39313663656136336466393737323965336430306437336530306361343631396132653230353137
37333864366539363131333538643963353531663132353964306263316437323866666664633435 64316538373532333332643638613736393661336565346364313961613736383063316433623634
39636663383831393534623639343839343931363834383839363837623636643838623536396563 62373137326336663236323463313462313739666162386333653235373763356335393039356638
35396663326661386532303238353461636435366564366534393162663834363539363335393336 64646131313930313438613264303535633137663662613163653165393835303032366462326564
62636465666665643165653130326437393162616433386637613430623466666364333334663132 33386134636231353762363563313137626134393563383838313834396235346364303731653136
35356364646263653131363863303532633562306661636530313766636262386361623630326633 34363964386165323561633138306137613632616437643632656334653138373330346434386262
62653866383864366666663963643138363264363965346538306135386633626439313961623735 65383662366135613939393266633062663665303935663634313735663361333862356565393265
62363864373266333038333430613535633636343631316439353837376331666336326432663135 33373036623232663830623962363139626436616339393863326130333163353038373530643566
33356630353862386166306536643538643163346532663439303764396565323661373136366133 33393733623635333931363932376663613364393832646231616133366264646230633033643062
32373765376331323431386464396137666431613365363866323438663062386365326131616264 37336335383732613837303035376563653638306437393336383565623264316166653437386432
39616632613565323238323133343061303433653539653833653264383165333364323239643466 61336433316531346636356262313534653037336139633839613163356365643466636662616462
32613731393065323066396563363530393264323930653839396438356164356333333137656236 35323135636337353930636463613437326538303736643262663262633330396663303064313933
31346133343336666337633637613064666533613631313335616637653735363462663864636330 32346437643938303265353363353735373862383761326333306138386266363566386336366436
63646163383337323933323664303961346461613065356332383531333336326632316634656231 32386436323564323964346332313363373534626162613033363564646264376662323366353939
64346565363636363066646533303238633465653830613264663963326630366564336330343236 64303663383031613634333333353563333761363134393637633031306561373339663031366466
32623438306238396166666539363539646137643363666332366563663231326632363230666465 63396634396535366461396262663739383861656461383435323936636166623862663130356630
36656662313335656462386463366432656230616232663637303235646664343066363563666261 33646365343564633662663438613338356131383638363930626338393739326336396361356232
32393536666265663038353439623536633363386335326138383565643337353031356432396339 34366363646432316431656439656136633838663066626436383238323165393836386636373039
31323464353338326237646263366262346265643363343761313436396332646237346339346333 64653930666334326237363261666364663531623535373265623638396334636439346465313238
66323636336537303839653962306531643762366230303963636535633537613062366236613131 64356335313731353939313364363534393762616634326262653366303234633338626661663165
39376162363134376135656463626366343537626438656362343838323435316266656637636161 36346430326431656639346161363861396438626661663930396334646339663333366535303438
38623134386532383862303234666338306234646538623464613362623331396339613931653262 65346136396334376530366438613737386535353431396531316265393036623430383735623237
62633364363230353666343562343661316431333664646161616632643736646664396532303633 64663634666564656633643462653962386332623539623933653966323066376536386463336361
62336233316435626230386565383264313062646637313234626135626566343932343563653130 32353732663366643438343862613863373564383638336332353039643833653563396136626131
38313137306331636436633536396539373032393135393336303731633030393139616136366536 63306635386163313131623738363533313131613537363735333337323334353462383039336433
31633936613663303837306632643730613062663262616239343263636463386230313336363237 66636137356462383538303336363439313938666165366434333030396561613833613539383737
31626531303639666464376335366135623063343266663265393635316338306633363561376234 33613332633763343865363034653730336364653461666331353837653637663139306366313663
63653039313532376230626533353136666262663761376432633763636131653162386131366366 61633133633563353132643066366633626435303363616661353138343363363139386232386464
36396534303230353133306331626539623832323462393237633233393865363864656531646632 33636432306366313234373861633762646661333836386462383761643865383231656664646265
36613137366262393163386465656233373365636437616133393862663632636131393563613763 38653266613365366435643934623139336666343265363632386166336433626634656238366663
62376133356430303838386634363963653865336138303831636164626538633066316637643732 32663664336162386336326566396336653831373364383033643331623834643838336635656438
30363561393862623037616232653135663765336134383037346439373335393466646530616166 64393936366238616666333565353530643563656338323763336436636461353963343130666634
33646462313463346535346236363830643130313632366162633866373362653162623035306366 65386430313463623539616537333134323134373836663036663830353435393365653136363566
39623734306636356135393965646534313961306632623531303830343564393361343464653961 66356431663466666562653338623839363438396530653031373538663039353638623838633831
31623562396435616466653232623163393161336434623631313233353736303834333935626138 64636534343263356166373561373864643736653530323530323833356539316232363564616135
35613764633564313961316236623265353037636635656331363937356363323630646537393335 32643138313537356565306433326137623535373963353361393439383030646262393538626636
36396632383865336639393033653738323739396236383535333332396361306131303864616130 37373336313132396465343561363635643633363638356365363935653931316263323261356531
33613762643438393261353335383565316231623963386536653334666634623136343833613137 36636239323362663935356464663737386462306162373336333264333963653537353563383361
37396261623035353038636337323536346334613837343935386132656338633335643265616138 34663030386331643361353033613564363236303364646430313866323836383238366535376230
36663937376231333233646466633162346630653532336536373262313337373261656130643632 38616165626535343939323162303735656630666262336536626334313834333730626433643835
66613534363130313230323665613163356366386664653436363132356664306231356135383266 39353963323364386430366339393162303031643865333839326533333961393036636365353637
66376336323062323863616434323465356439343434646531373365313039303639343735323836 31353863633065306230353665623335353331366333323039646435613537336436373962626137
35613234343563356162326466366638343439333464656434643332663432393730643130623032 39393461373938613432303565323763653130313334313637306534666235643337383333333837
65663237333338323939616565333738306634383038643630376164306530623733623933333064 39353834373666646561626535386239303030633062633565356332653664343337636263363631
62623131323736643832616334383338383634393664653338663436626434306631643966613031 32636264353165343637633436373564313065643236396631366334633365386234636261383066
33616362313039666130613538306561343135626235343765396335396339373630373135313832 35373433353539626661336430663037303839353134613230633363373664363962316630386265
38383062366262663832343563613334623336343639316435386664353636643162636634653535 35663535353466613265616637646130316531643461393965643232366432313561303238393432
39623039643336393733626634363466353437353533373764313565653766663630386234626661 32353266336533633064363039343431333331646132363833303433363632613632646461666366
61393161383565386131636563323038373236663861363339333361646464613836623139366435 31613764313237636236303432613864336532323537333062363066633463393666366331653936
35363463623431343634653565363066623464653961313661343963363464386361306137393763 31653133313862356632383066353361636334303138666361333939646536333137343734343731
64616135633935393566356561363038613134363964356136643734366232366166643564653264 31636130623666386236393462646236393933383235313036383932336665616430333330316634
36613066366266646434323862643735643333613163666334363337643263626639623433663733 62623631373631383434333363376331643664336536636430393962626165646662636637313633
39383562363531656433633033313961303837643765626530383665316433353634396463333662 37316166343834373865353730343733613736643038366233623661636237633136356338356564
38353936633034636461303863356564653939393239316538663838643336346331363230616630 31363139666630656530616334386362393638343331396436633862393031343331613438373236
62353237353733326132646138373737306135653634383032363433663063613430373935653131 66336338623264306237333334623063626431326366643835373832383165663864613530386639
38646664393133363365303130623532373438313831643230396431363333386463643031653262 37303064643034376135303066396164623237623239663962636563353130626332316333396331
64396261303235326530636565353764316236643466623666623165383536333565633064333262 36646238386634623761643135353132326438303566316232653630353332363262643964666561
37316237643863626561613036303061346265613730626137316136623338626564666464333862 32363534653261396136643765613237633761353337376338666238663039656666386137633538
35393831656533616365316334633538626166616263306636313231313234306532636633646665 39373662336231613364393238663566303662643333633532613866643036356163313033313933
33336138333632396530333363613866376535316430656134613339626262666133666264376439 62346532393032323432316361633162373664393363306239366433333766396438633730353533
64303964633165333161613663343438393539643839366331303563613436613730383837356165 39306338303238356638336636306565366339336630643934323665363261303930313435633735
32363231653233346438313262393462313135636566343063626436326166373866356434656561 65363732623666306631613465633034393536326237346639356566643736303937333239626531
65386562666331316232336463373336623733393161666430616165306238616531306266626363 62313061383266316361326339623436373262633238366234353461306432396133383330616432
66636234333231666637616163353361306331393562393938353733303139393930633965373638 30666235646238663631326636396364313565393966373533323464356337326138363233346430
36336266343231366662643134613662643037373638316362653030383866373636386339346466 61393438383737393839653039633762613137353932323730613537653939613861346636653738
64396639353266316264653264343036616634343964646237363036313937323833633863316231 39336331333237613838656531363766343235383938353165653662653439643861323436393833
35363964393863346132373830383032646536356261616265353439316637396563336536373363 65303565356330633764663633613231336166323134653937636133343031343938366639656161
37313936393662353665653134613535393865333362636262656439326331336366303139653034 38666136633564646131333038326237393861326564623338333438313063303661303132323938
35626566333965616162663465613335316462326130396330383236396133383039636335343565 37303162316236666162396363626133306365666533306639383139336330616130313635353034
65386630653033376163 65623934323930383763383466323338373561643538343564303331653961653230643863323937
35306636376530356631303362396439643963363937633266313935343262396565383163353630
32396132316239366231303532306436623330643732393737343636646234656662646366376265
36343034396562633634633663623133396636643634663932393739306435653034333164656336
62373633333938356261663261356161663937366239356464383335613431396339333761323062
32616333656533653939336338393431366439346433396232373934353235653730616230633762
35656533326163316132373038306239663966366465393231646331646333383932336461306438
65636434333433366637663139656630363464663564303166393931363032323633336661326164
36633132363161616466333134343730636166653962623632366535663366653139343230363363
66373432343961393437663466363063333561353637316438653961383966623134336537376130
61353031386435336236346564643064613433666137633437376362626661653733343734346438
35646332643462643631323835376231656464626536393562616466636363386339336564613539
33316637313862356131633636626238633961363065323964353634633462663132653864373365
61306163396532656636346532326131633134346139323566326361323664376633636339643539
64323939336264346638653365663162356365653536333738383064326463313662356266373239
39613439313866333735366639306166336261643938313133633633303432396662373862653736
62313438633063343938313965616337363961303730386432333862383265653061333832306565
66373663643435613639623735373066616236353739333538616535616435643964653936356431
30363364323434376365393639643731663866396163636665626537343433663863363130303866
38356565613334613931343431663862346263643330646263613166636561303038376238656430
66316330326662616634396561366563316632663166383564343935633532633034333138653665
37613964616162373262383338613434663166613862653963636135616265613634323438613463
61393730396164643730393636646630386561303534363731623433363631666561313065373163
63663164383335613565666262383162363732616534363637323566353064343162383231303064
35373765376533383339353339636432633562333730386463633534353639656634636438303163
36653061303036653535643933663131616166666631393836383531643165363265626562623533
65363739663461356565313136663763333630643035383132323335333931333661376166326531
34316166623630386365386632373433383735313563643463333662366335616237303633653763
39633465353166313930353731376639336634633463346334643330646430313039613461333766
65633965613962376637353131373966383034333536616361326364633532353138326535663866
31336664333936393834346138653531313862323938373736383162386633383061373561306338
39626634653338356330373338376332623638336537373932653539353734636336616232306132
33323338653265666262383039393935616366623661653530623662373637356339653565323962
63626461396264356564363238663331653662613337343236333763363461623865636564373037
62376633616131313439343866336363653135363035386534386665323433653366653630646138
30666330363835303664336162343432653235386631616433613262646336626331336532393438
63313737353531316261353437663163383964663561313235393338306362376137383330656162
32373363643466336231633136323264383934666634363933393137323032366564313137356262
62333533363638616639633863663931376364373061323732343934643337383239303631626537
37393032656231303366396233396162626236663230383966306361633233633430623135376132
66393765363931386662326236393865353161633036666465653236393366363534343764316565
66646166656437373231623133303662393461323830363261373566646163626334306265356436
64353930303966303364396166663535336265383536373139396137396130333138393561616632
36393732326136396534366630353731653331636333663965323433643931653033383039363638
66373161326430363831343238656632626564306338636361363530663463363232373139366537
37393162666464353662383564383665343334363463626231316535353738373333313738316138
66383537663363633161346630323330653933356565616639353536386136666265383432646233
65303163393635616539323762633962633165323661663561313061616239373834633937623064
37373864303336323437303563656163303137656230336562336431623665323731326565626238
64656232663363663065636239313030656132396333623332333637303537653534356662353838
34303364636537623735656537613735393334616661373532363935363534356466663134613138
38373437646135356165333336636639313134636136313637333364396335636335313361353265
32396236643133396663383165653131316339616330373034393331373831626339313466363132
34386266363637363562663764393133653732623039663034393539363061633237363737613336
61323538633263666431346532346564353235643037383535373366613831373066636138626366
36356563663339646534353962376436613566666165346135333264373334626530616332333961
34386536666338306632306362343435346666303737613238373863366331646438386538373861
63626361623932326334626630663336323439643666623332613262346535663462643834353231
38303766366461323532356139306264326264343536386535303331376262376431666538626464
61666235643939643334646463623337316565346263613862616263333335613736303366613430
38303461366438363534633036373264303633613964363561346336653136353132666663376363
38633235316666356464636538636337323432643037613762303735333836643861363464366337
33366138396262623530663138353963306164306163303663623438353130646566656332373938
61336337316334303135646461373463643365623235343834636164396366636639633933366561
31386533336261326439386661326462353831393733643065316266376230383839333733396233
63393935306331376336393937616336326263643631353764386164363639626334663032613133
33633436376534373138316466353838663835336634306538313334643036333537653864323162
39663565376331346532656130306632393638663139626334323261643733376636623961323533
32653066326235346130333732396231346136336134383863383864613830313031646664386234
30656333303234663630633237633161393966623562633964393161336335616362323535656136
38666162306162366461303663346562306638353334383630306231346234396566343162323135
35376136346138626130323765626464613537623530616235353537373932626535316566363332
38336533333162643666376232646330613166633535383961666264373530313563386535353434
38333062376634323933336239656138393961633863633537396364333039333262616166613832
30373632333062663730343731663162376238313930376631643163353063663838326434633435
65323465343839616166386435636233306136306563666535633164633430386332323266323038
63653061396662336362646331353062326261376161363662346639373965356266333239613137
35393665636238663262646130356664343033633363303536663538306139336139383864636236
38313834393733316636313862383930343839653662623335393637396363333434646262383465
38313231353862373935316236383135396639643761623035313834353730396330613237316465
66646131326462383662303563646366333630343934376339323936363966393939623031343833
63366333623332623666643932343739363735326361636536656164303365363163633934633730
31306264656535396665386133353366653064363036656135663135373931636566646638356662
39393433363633613437346637383837663864643734643332393833363830616536623933623239
35366530636235643333336261633661636330633535393030313134633834633261363635376234
63643139306632613330346264656434326238383061633837653064663334323762613636353339
38363861356131376230613032353738356134316261613030353932303635383564333664386338
63363033613232386431633531356532653035343466616664626363643734306233393566356663
31643039336332636461366266343865383666356166333566386531626134373038663362306533
34306534623166393561633266333366653261653365326337613436633137373234366234326564
30316231636339366434396131623064353961336666626563613234303034376537646130323637
33386532393339646437366337626463393066653831646337346463356437386333656464393233
64333036663330373662646534653239303831323536346138393939383861303331336630353738
33383838663939393038386438636135396361316438363234313864343731616363336533393738
65343166343335623665653936396362363861636231643432313962333034383337656634666633
61333161643464323562343539633130373065666363393337636664376662313834656232616164
37613062346439326665633236323661646331336333313034306133353732336163656339373335
65303662633039316439343363306637303530323235663261386162363930623233616639333264
62303965636463303166323461376531393031343464663562353537613034613033346336393638
63373165663931346566626437393166626539393866646535393330323335333737353633633764
36643132336430303264633032316634663531666165613037313264303962663337653233346561
63646162343930356464623431333031613464323333323162323265633637313538363963633338
64393566643131666333333263626435613465303862663166303034313430616165656666646432
63363634366434666461613337353765663466396330613230663737613030323531663432363465
61623661666664366664303434373362303431623234393862633639336332316333303664323937
31653462326432633966353138626333306136623735633932323666656632383034633662333635
36303437343361343437643963663536646636626232633063636332353037396264366361336631
39353638643930326166393666663262336232663661383862363731393733336665326637653434
38343362386430363666666239623333623339623862613630663762353835303837663061303432
39366138383263653338393131393532663965666164353963373461373263616565373166303530
64306333343764363264363934393739316133313536353065326632316365396132326235626232
37353562363139386633656437623165623530636138313139643764613230633133386666366437
62333634356362343633643235643537383837343731303036396566396238623939643466373630
64633161636638393732656534346139343230313132613737313565393665613265353562313037
62313362363362623934663564626265363463396366336633313839643134653962656332653639
36353238353264326139386438363438363066396537633963343839616462373838393232333932
63353566663363373636336665393763323237383337343137623063653265393264396361383166
34666332616164633639626537393234316530626461653161393036386161396666386538316366
39393762626663373430646666653233376134343838313034313136303837333233353761353530
31623364333033643035363735396562623965636437613661663736376665393037363966633430
31376334333139613466613238303938663337313239643066353532383132336539353861396538
33333664393764666635326461383737653661643731323935353531653735613263383435366533
61333436386335383634376366666233633833643738646436373664306338643366643035613138
66643661336633666333366438303136316332616638336261353162383266623933316631396232
35306437643133346538323364616638636464613536323334646637333061343332376433346634
31356333633832636437316466343034633266613263336132383336326532363137303861656138
35356635343232313631613638366164303164623530663862653138633065306163343132626430
31633739653666646564323365663961396562333336366130636530393463383461623934343164
36316264363065343563636331373635343638373864646465306566646234643732306530353636
38316437393264643533623338656663343633646265613531623933666432663334646136356265
32326530343938653761333734323563643532363330326531313335323764653239626137613164
61306437663537303561393039623330626530393363653165366236343737653137616539646332
32656363383631393438336434323032343632393736376132656439663962323232336630623466
64373939323832373934373531363838333565396236383661633134303338373030313436303130
37663438336262346164633632653739613766343938303138653330656431396336376461633339
66396565646661346461643035646432643432343435333861366531316265306530653034386265
39303239366633613431333863663034633864373439646236633434333738383662643063373835
31626134323462353965653131656336316265376364636533333631373966306631613566663133
30616162636138303139306436653834366233616631303037393538633735323133346562383736
66306265346266393566613137326132366132366463353330306539653732393963366165353139
66643663643339666137343930633637396263346264643561383162666461346431346532353733
38303863303537646130363066303439623664316666373039613639653133666635356165303831
66653238643265386161393062393763383263656161666162633833336166333538386566323732
63303962313365363939323630386532373938313630633532613331306164356338633137346262
37376665373131316338383265363335646463663534623334303839383965376362643061376133
36323830323938636636356561616238636134616263323633626662396239373531646363336566
65383938656530396361663631613532316262396562323034663763653230646336633263336538
34333866306564313562303930616330653638313031656138343565653161323931356561633264
33313066643461343636623235376636646537663263313234356133376532663439386364326264
30356238613761363638376431623431366131373230373239643066343035356462326533613533
64623438363138636435333963376366656232313435373131313235636265323062333562323436
66313532616131623836373134363033646238313861616334313033326330616631633439613332
32393134643464363337653138336332353531316261316562393532346365666261346534653037
33363363393563636638343265393135663838393263623364366561623934316439306663396665
34323838366463653032303337323434643461323732623464373564613365663037383834353266
66376537623464653433393638623337353233363932656637363661323862663930633931626138
32613436303533353261666131636231353835666138663235386430323161623565333934383364
65393730636438306132663464313331663966346330346437383231646439366631323865376530
37343534616239373739353930313331303537303131653433393338396136313161306432303937
31333535623562656662613762626365306632626461333835346431343766393135653536356536
34653137303162656164373738373264613536663831363662373964306231343239656533353832
32643232333339316539323132663239613731393939316466653464373835303632313436323163
61383338333739363730633162373530626563393938323131323538326430323431623931393030
63353264626465323061663531656131633834353233643962666333383530376233636166636666
30393534613466623031346236643333316336333633646630643164653834353536333461353537
62613038323730363638616437393536636333323237626633343165386230393064666638396332
62653736353238653235356462656266616635613861623762336139656139363966386237393538
62616661613537633232636134373763376465386361313266663133643364356231636232386261
38653935663231323833626635663730623438306134636363633062373738396334393435373632
39343862646464633934643735363332353064396464663761393836353137313536383930653765
64643766616139306335313965376434643637613836373663663131663065663961376661363239
39373563313737396131323465333462346138316131303663336638303838346565633136343964
63633161326361303232613163316434343565623863363662623765376365663337653239376263
61336566336239643033666566316232623966643662386233396438343366303838363661653364
64323065396531363363393433316538386366623839626639373266393432313730646261333830
38383964633036333139383131326361353461346337353436333730656161326361306330373636
31303438356633363332633839616237383334396137623263363030373361623032663363656330
31653464353737336333356635326366316533663839366636393263343963356530663135366435
66656365396565306635656663666434646632353035653138616161383434316232386333623162
30363964666239373361656437363263646239366362316331313234623562363434613137326536
30356436356436333263656338303566356133383034353161383663356236353361623539653466
63663033393733366630356432613238633936306537333136366430303033336532306239336133
35343432633663396165663466626263316434646265363363316436636433656165333839356433
33313838313833333565653233623732316161316566343135323065313166376466613264616163
61383062346235643033363866643838626537363534383162353435343835643563316535663533
33623630383835353339656430633135393364346432663662663934393534366534326137666236
62356136346333653538626433333139353566313831643063626165343437333265633537313261
39613933653362353731353261373230313432303536316664636663396238643665633937623837
38373761663538653232646365333331396565343831343534383230323032373166663033333837
36353163353732313735663065663531646366326332663831623039366566386237333134616638
32323639326431303335396265333539643935613062326438343834376365313565666262623465
363230303264613965363966303463356363
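Review bot: The removed test hosts vm1 and vm2 referenced `vpn_vault_vm1_key` and `vpn_vault_vm2_key` for their WireGuard private keys, and the encrypted vault cannot be inspected here to tell whether those entries were pruned while the CA, Grafana and Kassandra secrets were added; a vault that keeps keys for hosts no longer in inventory is easy to forget when rotating. If they are still present, remove them (and the corresponding peer entries on hindley, if any) so the vault holds only what the current inventory uses. The vault header has no vault-id label (`$ANSIBLE_VAULT;1.1;AES256`), which is fine for a single shared password but means every play that decrypts anything decrypts the CA key too.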


@ -12,3 +12,5 @@ interfaces:
ipv4_forwarding: false ipv4_forwarding: false
ipv6_forwarding: false ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.azerty.ipv4 }}"


@ -22,3 +22,5 @@ interfaces:
ipv4_forwarding: true ipv4_forwarding: true
ipv6_forwarding: false ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.hellman.ipv4 }}"


@ -10,3 +10,5 @@ interfaces:
ipv4_forwarding: true ipv4_forwarding: true
ipv6_forwarding: false ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.hindley.ipv4 }}"


@ -9,3 +9,5 @@ interfaces:
ipv4_forwarding: false ipv4_forwarding: false
ipv6_forwarding: false ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.matrix.ipv4 }}"


@ -1,10 +1,7 @@
--- ---
interfaces: interfaces:
eth0: eth0:
ipv4: 192.168.0.50 type: dhcp
netmaskv4: 24
type: static
gateway: 192.168.0.1
wg0: wg0:
ipv4: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}" ipv4: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}" netmaskv4: "{{ intranet.netmaskv4 }}"
@ -12,3 +9,5 @@ interfaces:
ipv4_forwarding: false ipv4_forwarding: false
ipv6_forwarding: false ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}"


@ -1,2 +0,0 @@
---
ansible_host: "vm1"


@ -1,24 +0,0 @@
---
interfaces:
enp0s3:
type: void
br0:
ipv4: 10.0.2.5
netmaskv4: 24
type: static
bridge: true
gateway: 10.0.2.1
interfaces:
- enp0s3
br1:
type: manual
bridge: true
interfaces:
- enp0s3.42
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm1.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false


@ -1,13 +0,0 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm1_key }}"
public_key: "uccS/p19vinH/S2GpVarDTYah4oRiSIABue8uEqKzRs="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"


@ -1,2 +0,0 @@
---
ansible_host: "vm2"


@ -1,11 +0,0 @@
---
interfaces:
enp0s3:
type: dhcp
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm2.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false


@ -1,13 +0,0 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm2_key }}"
public_key: "pxsYnL8N3VVVLlkXA8NOkqWsrSMrgdL1vj/VnZfKdRo="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"


@ -1,2 +0,0 @@
---
ansible_host: "vm3"


@ -1,14 +0,0 @@
---
interfaces:
enp0s3:
ipv4: 10.0.2.7
netmaskv4: 24
type: static
gateway: 10.0.2.1
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm3.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false


@ -1,13 +0,0 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm3_key }}"
public_key: "Cj3HAjXXr9DcmJoOkQkHvLWujZm8h6tBt2d54g0pqEg="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"


@ -1,2 +0,0 @@
---
ansible_host: "vm4"


@ -1,14 +0,0 @@
---
interfaces:
enp0s3:
ipv4: 10.0.2.8
netmaskv4: 24
type: static
gateway: 10.0.2.1
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm4.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false


@ -1,13 +0,0 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm4_key }}"
public_key: "5M84IO6uobYkMPupCI9h9y3iJXVIXAyDY8wkrMPcaRw="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"


@ -1,2 +0,0 @@
---
ansible_host: "vm5"


@ -1,15 +0,0 @@
---
interfaces:
enp0s3:
type: void
br0:
ipv4: 10.0.2.9
netmaskv4: 24
type: static
bridge: true
gateway: 10.0.2.1
interfaces:
- enp0s3
ipv4_forwarding: false
ipv6_forwarding: false

19
hosts

@ -4,17 +4,12 @@ all:
ubuntu: ubuntu:
hosts: hosts:
hindley: hindley:
vm5:
debian_buster: debian_buster:
hosts: hosts:
azerty: azerty:
vm1:
vm2:
vm3:
debian_bullseye: debian_bullseye:
hosts: hosts:
matrix_server: matrix_server:
vm4:
proxmox_buster: proxmox_buster:
hosts: hosts:
hellman: hellman:
@ -34,26 +29,22 @@ all:
server_hostname: azerty.fil.sand.auro.re server_hostname: azerty.fil.sand.auro.re
tests: tests:
hosts: hosts:
vm1:
vm2:
vm3:
vm4:
vm5:
rossum: rossum:
azerty:
hellman:
vpn: vpn:
hosts: hosts:
azerty: azerty:
hindley: hindley:
hellman: hellman:
rossum: rossum:
vm1:
vm2:
vm3:
vm4:
matrix_server: matrix_server:
apt_proxies: apt_proxies:
hosts: hosts:
hindley: hindley:
prometheus_servers:
hosts:
hindley:
matrix: matrix:
hosts: hosts:
matrix_server: matrix_server:
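Review bot: The line counts of the second hunk (26 old lines to 22 new, with 14 lines printed once) imply that `azerty:` and `hellman:` are added to the `tests` group rather than removed; if so they now match `!tests` and drop out of the `all, !tests` plays, including the node-exporter play in books/monitoring.yml. If the intent was only to remove the vm hosts, those two lines should go. Either way a comment on the group stating what membership means, e.g. `# tests: hosts excluded from the production plays (all, !tests)`, would make the consequence visible to the next editor.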


@ -16,6 +16,7 @@
- unzip - unzip
- tcpdump - tcpdump
- net-tools - net-tools
- acl
state: latest state: latest
update_cache: true update_cache: true
register: apt_result register: apt_result
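Review bot: The new `acl` entry has no rationale; since this commit also installs kassandra with `become_user: kassandra`, the package is presumably there so Ansible can use setfacl to hand its temporary module files to an unprivileged become user. A comment next to it, `- acl  # needed by Ansible to become an unprivileged user (setfacl on temp files)`, would stop a later cleanup from removing it and breaking that role.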

167
roles/generate-cert/LICENSE Normal file

@ -0,0 +1,167 @@
GNU LESSER GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
This version of the GNU Lesser General Public License incorporates
the terms and conditions of version 3 of the GNU General Public
License, supplemented by the additional permissions listed below.
0. Additional Definitions.
As used herein, "this License" refers to version 3 of the GNU Lesser
General Public License, and the "GNU GPL" refers to version 3 of the GNU
General Public License.
"The Library" refers to a covered work governed by this License,
other than an Application or a Combined Work as defined below.
An "Application" is any work that makes use of an interface provided
by the Library, but which is not otherwise based on the Library.
Defining a subclass of a class defined by the Library is deemed a mode
of using an interface provided by the Library.
A "Combined Work" is a work produced by combining or linking an
Application with the Library. The particular version of the Library
with which the Combined Work was made is also called the "Linked
Version".
The "Minimal Corresponding Source" for a Combined Work means the
Corresponding Source for the Combined Work, excluding any source code
for portions of the Combined Work that, considered in isolation, are
based on the Application, and not on the Linked Version.
The "Corresponding Application Code" for a Combined Work means the
object code and/or source code for the Application, including any data
and utility programs needed for reproducing the Combined Work from the
Application, but excluding the System Libraries of the Combined Work.
1. Exception to Section 3 of the GNU GPL.
You may convey a covered work under sections 3 and 4 of this License
without being bound by section 3 of the GNU GPL.
2. Conveying Modified Versions.
If you modify a copy of the Library, and, in your modifications, a
facility refers to a function or data to be supplied by an Application
that uses the facility (other than as an argument passed when the
facility is invoked), then you may convey a copy of the modified
version:
a) under this License, provided that you make a good faith effort to
ensure that, in the event an Application does not supply the
function or data, the facility still operates, and performs
whatever part of its purpose remains meaningful, or
b) under the GNU GPL, with none of the additional permissions of
this License applicable to that copy.
3. Object Code Incorporating Material from Library Header Files.
The object code form of an Application may incorporate material from
a header file that is part of the Library. You may convey such object
code under terms of your choice, provided that, if the incorporated
material is not limited to numerical parameters, data structure
layouts and accessors, or small macros, inline functions and templates
(ten or fewer lines in length), you do both of the following:
a) Give prominent notice with each copy of the object code that the
Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the object code with a copy of the GNU GPL and this license
document.
4. Combined Works.
You may convey a Combined Work under terms of your choice that,
taken together, effectively do not restrict modification of the
portions of the Library contained in the Combined Work and reverse
engineering for debugging such modifications, if you also do each of
the following:
a) Give prominent notice with each copy of the Combined Work that
the Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the Combined Work with a copy of the GNU GPL and this license
document.
c) For a Combined Work that displays copyright notices during
execution, include the copyright notice for the Library among
these notices, as well as a reference directing the user to the
copies of the GNU GPL and this license document.
d) Do one of the following:
0) Convey the Minimal Corresponding Source under the terms of this
License, and the Corresponding Application Code in a form
suitable for, and under terms that permit, the user to
recombine or relink the Application with a modified version of
the Linked Version to produce a modified Combined Work, in the
manner specified by section 6 of the GNU GPL for conveying
Corresponding Source.
1) Use a suitable shared library mechanism for linking with the
Library. A suitable mechanism is one that (a) uses at run time
a copy of the Library already present on the user's computer
system, and (b) will operate properly with a modified version
of the Library that is interface-compatible with the Linked
Version.
e) Provide Installation Information, but only if you would otherwise
be required to provide such information under section 6 of the
GNU GPL, and only to the extent that such information is
necessary to install and execute a modified version of the
Combined Work produced by recombining or relinking the
Application with a modified version of the Linked Version. (If
you use option 4d0, the Installation Information must accompany
the Minimal Corresponding Source and Corresponding Application
Code. If you use option 4d1, you must provide the Installation
Information in the manner specified by section 6 of the GNU GPL
for conveying Corresponding Source.)
5. Combined Libraries.
You may place library facilities that are a work based on the
Library side by side in a single library together with other library
facilities that are not Applications and are not covered by this
License, and convey such a combined library under terms of your
choice, if you do both of the following:
a) Accompany the combined library with a copy of the same work based
on the Library, uncombined with any other library facilities,
conveyed under the terms of this License.
b) Give prominent notice with the combined library that part of it
is a work based on the Library, and explaining where to find the
accompanying uncombined form of the same work.
6. Revised Versions of the GNU Lesser General Public License.
The Free Software Foundation may publish revised and/or new versions
of the GNU Lesser General Public License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the
Library as you received it specifies that a certain numbered version
of the GNU Lesser General Public License "or any later version"
applies to it, you have the option of following the terms and
conditions either of that published version or of any later version
published by the Free Software Foundation. If the Library as you
received it does not specify a version number of the GNU Lesser
General Public License, you may choose any version of the GNU Lesser
General Public License ever published by the Free Software Foundation.
If the Library as you received it specifies that a proxy can decide
whether future versions of the GNU Lesser General Public License shall
apply, that proxy's public statement of acceptance of any version is
permanent authorization for you to choose that version for the
Library.


@ -0,0 +1,9 @@
# generate-cert
This role is part of the project [Ansible Hacky PKI](https://gitea.auro.re/histausse/ansible_hacky_pki) licenced under the LGPL 3.
You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed **WITHOUT ANY WARRANTY**.
In particular, the **security** of the pki generated and the process of generated the pki **is not guaranteed**. If you find any vulnerability,
please contact me to see if we can find a patch.
Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>


@ -0,0 +1,8 @@
---
key_usage:
- digitalSignature
- keyEncipherment
validity_duration: "+365d"
time_before_expiration_for_renewal: "+30d" # need a better name
force_renewal: no
store_directory: /etc/hackypky
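Review bot: `force_renewal: no` is a YAML 1.1 boolean; write `force_renewal: false` so the value is a boolean under every parser and yamllint's truthy rule. The `# need a better name` note on `time_before_expiration_for_renewal` could be resolved by documenting the semantics instead, e.g. `# offset passed to openssl_certificate_info valid_at: renew when the cert is no longer valid at now + this offset`. `store_directory: /etc/hackypky` looks like a typo for "hackypki", but changing it would move every existing key and cert, so it is a path to keep or migrate deliberately rather than fix in passing.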


@ -0,0 +1,165 @@
---
- name: Ensure the directories used to store certs exist
file:
path: "{{ item }}"
state: directory
group: root
owner: root
mode: u=rwx,g=rx,o=rx
loop:
- "{{ store_directory }}"
- "{{ store_directory }}/crts"
- "{{ store_directory }}/keys"
- name: Ensure the directory containing the cert exist
file:
path: "{{ directory }}"
state: directory
- name: Test if the key already exist
stat:
path: "{{ store_directory}}/keys/{{ cname }}.key"
register: key_file
- name: Test if the cert already exist
stat:
path: "{{ store_directory}}/crts/{{ cname }}.crt"
register: cert_file
- name: Test if we need to renew the certificate
openssl_certificate_info:
path: "{{ store_directory }}/crts/{{ cname }}.crt"
valid_at:
renewal: "{{ time_before_expiration_for_renewal }}"
register: validity
when: cert_file.stat.exists
- name: Generate the certificate
block:
- name: Generate private key
become: false
openssl_privatekey:
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
mode: u=rw,g=,o=
size: "{{ key_size | default(omit) }}"
delegate_to: localhost
- name: Generate a Certificate Signing Request
become: false
openssl_csr:
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
common_name: "{{ cname }}"
country_name: "{{ country_name | default(omit) }}"
locality_name: "{{ locality_name | default(omit) }}"
state_or_province_name: "{{ state_or_province_name | default(omit) }}"
organization_name: "{{ organization_name | default(omit) }}"
organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
email_address: "{{ email_address | default(omit) }}"
basic_constraints:
- CA:FALSE # syntax?
basic_constraints_critical: yes
key_usage: "{{ key_usage }}"
key_usage_critical: yes
subject_alt_name: "{{ subject_alt_name | default(omit) }}"
crl_distribution_points: "{{ crl_distribution_points | default(omit) }}"
delegate_to: localhost
- name: Put the CA in a file
become: false
copy:
content: "{{ ca_cert }}"
dest: "/tmp/ansible_hacky_pki_ca.crt"
delegate_to: localhost
- name: Put the CA key in a file
become: false
copy:
content: "{{ ca_key }}"
dest: "/tmp/ansible_hacky_pki_ca.key"
mode: u=rw,g=,o=
delegate_to: localhost
no_log: yes
- name: Sign the certificate
become: false
openssl_certificate:
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
ownca_not_after: "{{ validity_duration }}"
ownca_path: /tmp/ansible_hacky_pki_ca.crt
ownca_privatekey_passphrase: "{{ ca_passphrase }}"
ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
provider: ownca
delegate_to: localhost
- name: Send private key to the server
copy:
src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
dest: "{{ store_directory }}/keys/{{ cname }}.key"
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
mode: "{{ key_mode | default('u=rw,g=,o=') }}"
no_log: yes
- name: Send certificate to the server
copy:
src: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
dest: "{{ store_directory }}/crts/{{ cname }}.crt"
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
# Clean up
- name: Remove the local cert key
become: false
file:
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
state: absent
delegate_to: localhost
- name: Remove the CSR
become: false
file:
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
state: absent
delegate_to: localhost
- name: Remove the local certificate
become: false
file:
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
state: absent
delegate_to: localhost
- name: Remove the CA certificate
become: false
file:
path: /tmp/ansible_hacky_pki_ca.crt
state: absent
delegate_to: localhost
- name: Remove the CA key
become: false
file:
path: /tmp/ansible_hacky_pki_ca.key
state: absent
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Create the link to cert
file:
src: "{{ store_directory }}/crts/{{ cname }}.crt"
dest: "{{ directory }}/{{ cname }}.crt"
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
state: link
- name: Create the link to key
file:
src: "{{ store_directory }}/keys/{{ cname }}.key"
dest: "{{ directory }}/{{ cname }}.key"
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
state: link
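Review bot: The five `Remove …` cleanup tasks at the end of the block only run when every previous task succeeds, so a failure in `Sign the certificate` or in the copy to the target leaves the CA private key (and the freshly generated key) in the controller's `/tmp` under a predictable name. Move them under an `always:` key of the same block (insert `always:` after the `Send certificate to the server` task and indent the five removal tasks beneath it); with `state: absent` they are safe to run even when the earlier tasks were skipped. The file names are also fixed, so a private working directory created with the `tempfile` module would be safer than `/tmp/ansible_hacky_pki_*`. Separately, the certificate copy uses `key_mode` for its mode, so every caller that passes `key_mode: u=rw,g=,o=` also makes the public certificate 0600; a dedicated `mode: "{{ cert_mode | default('u=rw,g=r,o=r') }}"` is what the default suggests was intended. The `# syntax?` on `CA:FALSE` can be dropped: that is the form openssl_csr expects for basic_constraints.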


@ -0,0 +1,5 @@
---
- name: Restart Grafana
systemd:
name: grafana-server
state: restarted


@ -0,0 +1,79 @@
---
- name: Install apt transport https
apt:
name:
- apt-transport-https
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Add Graphana Repo Key
apt_key:
url: https://packages.grafana.com/gpg.key
state: present
- name: Add Grafana Repository
apt_repository:
repo: deb https://packages.grafana.com/oss/deb stable main
state: present
- name: Install Grafana
apt:
name:
- grafana
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure Grafana
template:
src: grafana.ini
dest: /etc/grafana/grafana.ini
owner: grafana
group: grafana
mode: u=rw,g=r,o=
no_log: true
notify: Restart Grafana
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /etc/grafana/ca.crt
notify: Restart prometheus
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /etc/grafana/
cname: "grafana-{{ lan_address }}"
owner: grafana
group: grafana
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
## THIS CERT CANNOT BE MONITORED BECAUSE IT IS A CLIENT CERT :'(
#- name: Ensured the certificate is monitored
# import_tasks: register-cert-to-monitoring.yml
# vars:
# target: "{{ lan_address }}:<PORT>|grafana-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
- name: Add Prometheus data source
template:
src: prometheus_datasource.yaml
dest: /etc/grafana/provisioning/datasources/prometheus_datasource.yaml
owner: grafana
group: grafana
mode: u=rw,g=r,o=
notify: Restart Grafana
- name: Enable Grafana
systemd:
name: grafana-server
enabled: true
state: started
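Review bot: `Copy the CA cert` notifies `Restart prometheus`, but the file is the CA Grafana reads for its datasource (`/etc/grafana/ca.crt`) and this role's handlers only define `Restart Grafana`; it should be `notify: Restart Grafana`, otherwise a rotated CA is not picked up until something else restarts Grafana. The `Add Graphana Repo Key` task trusts whatever key the URL serves; pinning it with `id: <EXPECTED-KEY-FINGERPRINT>` (placeholder) makes a swapped key fail the run instead of becoming trusted for every apt source on the host. The task name also misspells Grafana.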


@ -0,0 +1,23 @@
---
- name: Get the list of targets of the server
slurp:
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
register: server_tls_targets_file
delegate_to: "{{ appointed_prometheus_server }}"
- name: Set target variable from file
set_fact:
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
- name: Register the endpoint to the prometheus server
block:
- name: Add the target
set_fact:
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
- name: Put the new target list
copy:
content: "{{ new_server_tls_targets | to_nice_json }}"
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
delegate_to: "{{ appointed_prometheus_server }}"
when: target not in server_tls_targets.0.targets
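Review bot: The slurp/set_fact/copy sequence is a read-modify-write of one file on `appointed_prometheus_server` executed from every host in the play, and Ansible runs a task on several hosts in parallel, so two hosts registering at the same time can each read the old list and the second write silently drops the first host's target. Add `throttle: 1` to the three tasks (or wrap the whole file in a `block` with `throttle: 1`) so the registrations are serialized. `new_server_tls_targets` is also built as a string `"[{{ … }}]"` that relies on Ansible re-parsing the rendered dict; `"{{ [server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp')] }}"` produces the list directly. The same file is duplicated in the prometheus-alert-manager and prometheus-blackbox-exporter roles below; a shared role or an `include_tasks` with a common path would keep the three copies from drifting.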



@ -0,0 +1,17 @@
{{ ansible_managed | comment }}
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
# Access mode - proxy (server in the UI) or direct (browser in the UI).
access: proxy
url: https://{{ lan_address }}:9090
jsonData:
httpMethod: POST
tlsAuth: true
tlsAuthWithCACert: true
secureJsonData:
tlsCACert: $__file{/etc/grafana/ca.crt}
tlsClientCert: $__file{/etc/grafana/grafana-{{ lan_address }}.crt}
tlsClientKey: $__file{/etc/grafana/grafana-{{ lan_address }}.key}


@ -0,0 +1,10 @@
---
- name: Restart Alertmanager
systemd:
name: prometheus-alertmanager.service
state: restarted
- name: Restart kassandra
systemd:
name: kassandra.service
state: restarted


@ -0,0 +1,2 @@
dependencies:
- role: install_nginx


@ -0,0 +1,73 @@
---
- name: Install dependencies
apt:
name:
- python3.9
- python3.9-venv
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Create the kassandra user
user:
name: kassandra
home: /opt/kassandra
password_lock: yes
system: yes
- name: Install kassandra
become: yes
become_user: kassandra
pip:
name:
- wheel
- "kassandra @ git+https://gitea.auro.re/histausse/kassandra.git"
virtualenv: /opt/kassandra
virtualenv_command: "python3.9 -m venv"
- name: Configure kassandra
template:
src: kassandra-config.yaml
dest: /opt/kassandra/config.yaml
owner: kassandra
group: nogroup
mode: '0600'
notify: Restart kassandra
no_log: true
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /opt/kassandra/ca.crt
notify: Restart kassandra
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /opt/kassandra/
cname: "kassandra-{{ lan_address }}"
owner: kassandra
group: nogroup
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
- name: Ensured the certificate is monitored
import_tasks: register-cert-to-monitoring.yml
vars:
target: "{{ lan_address }}:8000|kassandra-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
- name: Copy the daemon configuration
template:
src: kassandra.service
dest: /etc/systemd/system/kassandra.service
notify: Restart kassandra
- name: Enable the daemon
systemd:
name: kassandra
state: started
enabled: yes
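Review bot: `kassandra @ git+https://gitea.auro.re/histausse/kassandra.git` installs whatever the default branch points to at run time, so the alert bot's code is not reproducible and a pushed commit changes production without a review here; pin a tag or commit, `git+https://gitea.auro.re/histausse/kassandra.git@<tag-or-commit>` (placeholder). `Enable the daemon` starts a unit that `Copy the daemon configuration` has just written to /etc/systemd/system, but nothing reloads systemd, so on a fresh host the unit can be unknown to it; add `daemon_reload: true` to that systemd task (and to the `Restart kassandra` handler). `password_lock: yes`, `system: yes` and `become: yes` read better as `true`.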


@ -0,0 +1,75 @@
---
- name: Install Prometheus Alert Manager
apt:
name:
- prometheus-alertmanager
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Setup the arguments for alertmanager
template:
src: prometheus-alertmanager
dest: /etc/default/prometheus-alertmanager
owner: root
group: root
mode: '0644'
notify: Restart Alertmanager
vars:
args:
- name: web.listen-address
value: "127.0.0.1:9093"
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /etc/prometheus/ca.crt
notify:
- Restart Alertmanager
- Reload nginx
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /etc/prometheus/
cname: "alertmanager-{{ lan_address }}"
owner: prometheus
group: prometheus
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
- name: Ensured the certificate is monitored
import_tasks: register-cert-to-monitoring.yml
vars:
target: "{{ lan_address }}:9093|alertmanager-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
- name: Setup the alertmanager config
template:
src: alertmanager.yml
dest: /etc/prometheus/alertmanager.yml
owner: prometheus
group: prometheus
mode: '0640'
notify: Restart Alertmanager
# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
# Think prometheus, think!
- name: Copy the nginx config
template:
src: atrocious_nginx_stub
dest: "/etc/nginx/sites-available/internal-alertmanager"
notify: Reload nginx
- name: Activate the config
file:
src: "/etc/nginx/sites-available/internal-alertmanager"
dest: "/etc/nginx/sites-enabled/internal-alertmanager"
state: link
force: yes
- name: Setup the matrix bot
import_tasks: kassandra.yml


@ -0,0 +1,23 @@
---
- name: Get the list of targets of the server
slurp:
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
register: server_tls_targets_file
delegate_to: "{{ appointed_prometheus_server }}"
- name: Set target variable from file
set_fact:
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
- name: Register the endpoint to the prometheus server
block:
- name: Add the target
set_fact:
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
- name: Put the new target list
copy:
content: "{{ new_server_tls_targets | to_nice_json }}"
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
delegate_to: "{{ appointed_prometheus_server }}"
when: target not in server_tls_targets.0.targets


@ -0,0 +1,32 @@
{{ ansible_managed | comment }}
# See https://prometheus.io/docs/alerting/configuration/ for documentation.
global:
# Config used by default by the receivers
http_config:
tls_config:
ca_file: "/etc/prometheus/ca.crt"
cert_file: "/etc/prometheus/alertmanager-{{ lan_address }}.crt"
key_file: "/etc/prometheus/alertmanager-{{ lan_address }}.key"
# The directory from which notification templates are read.
templates:
- "/etc/prometheus/alertmanager_templates/*.tmpl"
# The root route on which each incoming alert enters.
route:
repeat_interval: 6h
# A default receiver
receiver: kassandra
# Inhibition rules allow to mute a set of alerts given that another alert is
# firing.
# We use this to mute any warning-level notifications if the same alert is
# already critical.
inhibit_rules:
receivers:
- name: kassandra
webhook_configs:
- url: "https://{{ lan_address }}:8000/webhook"
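Review bot: The comment above `inhibit_rules:` says warning-level notifications are muted when the same alert is already critical, but the key is left empty (a bare `inhibit_rules:` parses as null), so nothing is inhibited and the cert-expiry warning from alerts-blackbox.yml keeps firing next to its critical counterpart. Either write `inhibit_rules: []` and drop the comment, or add the rule the comment describes; since the two expiry alerts have different names, the match has to be on `cname`/`instance` rather than `alertname`.
```yaml
inhibit_rules:
  - source_match:
      severity: 'critical'
    target_match:
      severity: 'warning'
    equal: ['cname', 'instance']
```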


@ -0,0 +1,13 @@
{{ ansible_managed | comment }}
server {
listen {{ lan_address }}:9093 ssl;
ssl_certificate /etc/prometheus/alertmanager-{{ lan_address }}.crt;
ssl_certificate_key /etc/prometheus/alertmanager-{{ lan_address }}.key;
ssl_client_certificate /etc/prometheus/ca.crt;
ssl_verify_client on;
location / {
proxy_pass http://127.0.0.1:9093;
}
}
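Review bot: `ssl_verify_client on` with only `ssl_client_certificate` accepts every certificate issued by the shared CA, so any host that received a node-exporter, blackbox or grafana client cert from generate-cert can reach the Alertmanager API (which can create silences); restricting the subject inside the `location`, e.g. `if ($ssl_client_s_dn !~ "CN=<allowed-client-cn>") { return 403; }` (placeholder CN) or a `map` on `$ssl_client_s_dn`, keeps the mTLS frontend to the intended clients. The stub also proxies without `proxy_set_header X-Forwarded-For $remote_addr;`, so upstream logs show only 127.0.0.1. The same stub is templated for blackbox in the blackbox-exporter role and has the same gap.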


@ -0,0 +1,16 @@
---
{{ ansible_managed | comment }}
username: {{ kassandra_username }}
homeserver: https://{{ matrix_server_name}}
password: {{ kassandra_password }}
tls: yes
tls_auth: yes
host: {{ lan_address }}
tls_crt: kassandra-{{ lan_address }}.crt
tls_key: kassandra-{{ lan_address }}.key
ca_crt: ca.crt
alert_rooms:
{% for room in alert_rooms %}
- "{{ room }}"
{% endfor %}
...
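Review bot: `username`, `password` and `homeserver` are templated as plain scalars, so a value containing `: `, ` #`, a leading special character, or one that looks like a number or boolean is either mangled or a parse error, and the failure only shows up when the bot reads its config. Render them as JSON strings, which YAML accepts and which escapes everything: `username: {{ kassandra_username | to_json }}`, `password: {{ kassandra_password | to_json }}`, `homeserver: {{ ('https://' ~ matrix_server_name) | to_json }}`. `tls: yes` and `tls_auth: yes` should be `true`, and `{{ matrix_server_name}}` is missing the space before its closing braces.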


@ -0,0 +1,12 @@
{{ ansible_managed | comment }}
[Unit]
Description=Kassandra bot for alertmanager
[Service]
WorkingDirectory=/opt/kassandra
ExecStart=/opt/kassandra/bin/kassandra
User=kassandra
[Install]
WantedBy=multi-user.target
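Review bot: The unit has no `Restart=` and no ordering, so a crash of the bot stays down until someone notices and the service may start before the network is up; add `Restart=on-failure` under `[Service]` and `After=network-online.target` under `[Unit]`. Since the process already runs as its own user and lives in `/opt/kassandra`, the usual sandboxing directives (`NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=strict` with `ReadWritePaths=/opt/kassandra` if it writes there) are cheap to add.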


@ -0,0 +1,75 @@
{{ ansible_managed | comment }}
# Set the command-line arguments to pass to the server.
{% if not args %}
ARGS=""
{% else %}
ARGS="\
{% for arg in args %}
--{{ arg.name }}={{ arg.value }} \
{% endfor %}
"
{% endif %}
# The alert manager supports the following options:
# --config.file="/etc/prometheus/alertmanager.yml"
# Alertmanager configuration file name.
# --storage.path="/var/lib/prometheus/alertmanager/"
# Base path for data storage.
# --data.retention=120h
# How long to keep data for.
# --alerts.gc-interval=30m
# Interval between alert GC.
# --log.level=info
# Only log messages with the given severity or above.
# --web.external-url=WEB.EXTERNAL-URL
# The URL under which Alertmanager is externally reachable (for example,
# if Alertmanager is served via a reverse proxy). Used for generating
# relative and absolute links back to Alertmanager itself. If the URL has
# a path portion, it will be used to prefix all HTTP endpoints served by
# Alertmanager. If omitted, relevant URL components will be derived
# automatically.
# --web.route-prefix=WEB.ROUTE-PREFIX
# Prefix for the internal routes of web endpoints. Defaults to path of
# --web.external-url.
# --web.listen-address=":9093"
# Address to listen on for the web interface and API.
# --web.ui-path="/usr/share/prometheus/alertmanager/ui/"
# Path to static UI directory.
# --template.default="/usr/share/prometheus/alertmanager/default.tmpl"
# Path to default notification template.
# --cluster.listen-address="0.0.0.0:9094"
# Listen address for cluster.
# --cluster.advertise-address=CLUSTER.ADVERTISE-ADDRESS
# Explicit address to advertise in cluster.
# --cluster.peer=CLUSTER.PEER ...
# Initial peers (may be repeated).
# --cluster.peer-timeout=15s
# Time to wait between peers to send notifications.
# --cluster.gossip-interval=200ms
# Interval between sending gossip messages. By lowering this value (more
# frequent) gossip messages are propagated across the cluster more
# quickly at the expense of increased bandwidth.
# --cluster.pushpull-interval=1m0s
# Interval for gossip state syncs. Setting this interval lower (more
# frequent) will increase convergence speeds across larger clusters at
# the expense of increased bandwidth usage.
# --cluster.tcp-timeout=10s Timeout for establishing a stream connection
# with a remote node for a full state sync, and for stream read and write
# operations.
# --cluster.probe-timeout=500ms
# Timeout to wait for an ack from a probed node before assuming it is
# unhealthy. This should be set to 99-percentile of RTT (round-trip time)
# on your network.
# --cluster.probe-interval=1s
# Interval between random node probes. Setting this lower (more frequent)
# will cause the cluster to detect failed nodes more quickly at the
# expense of increased bandwidth usage.
# --cluster.settle-timeout=1m0s
# Maximum time to wait for cluster connections to settle before
# evaluating notifications.
# --cluster.reconnect-interval=10s
# Interval between attempting to reconnect to lost peers.
# --cluster.reconnect-timeout=6h0m0s
# Length of time to attempt to reconnect to a lost peer.


@ -0,0 +1,47 @@
---
groups:
- name: BlackBoxAllInstances
rules:
- alert: SiteUp
expr: probe_success{job="blackbox http-down"} == 1
annotations:
title: '{{ $labels.instance }} is UP!'
description: '{{ $labels.instance }} is now up!'
labels:
value: "{{ $value }}"
severity: 'critical'
- alert: SiteDown
expr: probe_success{job="blackbox http-up"} == 0
for: 5m
annotations:
title: '{{ $labels.instance }} is Down'
description: >-
{{ $labels.instance }} has been down for more than 5 minutes.
labels:
value: "{{ $value }}"
severity: 'warning'
- alert: CertExpLess30daysProb
expr: (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"}-time()) < 2592000
annotations:
title: '{{ $labels.cname }} will expire soon'
description: >-
The certificate {{ $labels.cname }} on {{ $labels.instance }} will expire in
{{ $value | humanizeDuration }}, it's time to renew it.
labels:
value: "{{ $value }}"
severity: 'warning'
- alert: CertExpLess10daysProb
expr: (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"}-time()) < 864000
annotations:
title: '{{ $labels.cname }} expiracy is imminent!'
description: >-
The certificate {{ $labels.cname }} on {{ $labels.instance }} will expire in
{{ $value | humanizeDuration }}!
labels:
value: "{{ $value }}"
severity: 'critical'
...
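Review bot: `CertExpLess30daysProb` has no lower bound, so once a certificate is inside 10 days both it and `CertExpLess10daysProb` fire, and the Alertmanager config in this commit has no inhibition rule to hide the warning; bound the warning to its window, `expr: (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"}-time()) < 2592000 and (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"}-time()) >= 864000`, or add the inhibition. Spelling the thresholds as `30 * 24 * 3600` and `10 * 24 * 3600` documents them better than 2592000/864000. `expiracy` in the critical title should be `expiry`.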


@ -0,0 +1,10 @@
---
- name: Restart blackbox-exporter
systemd:
name: prometheus-blackbox-exporter.service
state: restarted
- name: Restart prometheus
systemd:
name: prometheus
state: restarted


@ -0,0 +1,2 @@
dependencies:
- role: install_nginx


@ -0,0 +1,96 @@
---
- name: Install Prometheus Components
apt:
name:
- prometheus-blackbox-exporter
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /etc/prometheus/ca.crt
notify:
- Restart blackbox-exporter
- Reload nginx
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /etc/prometheus/
cname: "blackbox-{{ lan_address }}"
owner: prometheus
group: prometheus
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
- name: Ensured the certificate is monitored
import_tasks: register-cert-to-monitoring.yml
vars:
target: "{{ lan_address }}:9115|blackbox-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
- name: Setup the blackbox config
template:
src: blackbox.yml
dest: /etc/prometheus/blackbox.yml
owner: prometheus
group: prometheus
mode: '0640'
notify: Restart blackbox-exporter
no_log: true
#- name: Copy the web-config folder
# template:
# src: web-config.yaml
# dest: /etc/prometheus/web-config-blackbox.yaml
# group: prometheus
# owner: prometheus
# mode: u=rw,g=r,o=r
# notify: Restart blackbox-exporter
- name: Setup the arguments for prometheus
template:
src: prometheus-blackbox-exporter
dest: /etc/default/prometheus-blackbox-exporter
owner: root
group: root
mode: '0644'
notify: Restart blackbox-exporter
vars:
args:
- name: web.listen-address
value: "127.0.0.1:9115"
# value: "{{ lan_address }}:9115"
- name: config.file
value: /etc/prometheus/blackbox.yml
# - name: web.config.file
# value: /etc/prometheus/web-config.yaml
## Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
# Think prometheus, think!
- name: Copy the nginx config
template:
src: atrocious_nginx_stub
dest: "/etc/nginx/sites-available/internal-blackbox"
notify: Reload nginx
- name: Activate the config
file:
src: "/etc/nginx/sites-available/internal-blackbox"
dest: "/etc/nginx/sites-enabled/internal-blackbox"
state: link
force: yes
- name: Add alert rules for node on the prometheus server
copy:
src: alerts-blackbox.yml
dest: /etc/prometheus/alertsblackbox.yml
owner: prometheus
group: prometheus
mode: u=rw,g=r,o=r
notify: Restart prometheus
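Review bot: The alert rules copied by the last task land in `/etc/prometheus/alertsblackbox.yml`, which is outside the `alerts/` directory that the prometheus role's `rule_files: - "alerts/*.yml"` glob loads, so the blackbox probe alerts (including the two certificate-expiry rules) would never be evaluated. The task also lacks the `delegate_to: "{{ appointed_prometheus_server }}"` that the equivalent node-exporter task uses, and its name still says "for node"; `dest: /etc/prometheus/alerts/blackbox.yml` plus the delegation would make it consistent with the other role. The `Copy the CA cert` task sets no `owner`/`group`/`mode`; the CA certificate is public, but an explicit `mode: '0644'` avoids depending on the controller's umask and matches the rest of this file.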


@ -0,0 +1,23 @@
---
- name: Get the list of targets of the server
slurp:
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
register: server_tls_targets_file
delegate_to: "{{ appointed_prometheus_server }}"
- name: Set target variable from file
set_fact:
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
- name: Register the endpoint to the prometheus server
block:
- name: Add the target
set_fact:
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
- name: Put the new target list
copy:
content: "{{ new_server_tls_targets | to_nice_json }}"
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
delegate_to: "{{ appointed_prometheus_server }}"
when: target not in server_tls_targets.0.targets
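Review bot: The read-modify-write of `/etc/prometheus/targets/blackbox-tls-internal-targets.json` is delegated to one host by every play host at the same time, so with Ansible's default forks two hosts can slurp the same version of the file and the later `copy` silently drops the other host's target (lost update). Adding `throttle: 1` to the block, or running these tasks under `serial: 1`, serialises the update; a `run_once` loop over `ansible_play_hosts` executed on the server would avoid the race altogether. Since `file_sd_configs` picks up changes to the file on its own, the absence of a Prometheus restart here is correct and could be stated in a comment so nobody adds one.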


@ -0,0 +1,13 @@
{{ ansible_managed | comment }}
server {
listen {{ lan_address }}:9115 ssl;
ssl_certificate /etc/prometheus/blackbox-{{ lan_address }}.crt;
ssl_certificate_key /etc/prometheus/blackbox-{{ lan_address }}.key;
ssl_client_certificate /etc/prometheus/ca.crt;
ssl_verify_client on;
location / {
proxy_pass http://127.0.0.1:9115;
}
}
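Review bot: `ssl_verify_client on` only checks that the client certificate chains to `ca.crt`; nothing consults a revocation list, so a client certificate revoked by the internal CA keeps full access to `/probe` until it expires. If the CA's CRL is distributed to the host, `ssl_crl /etc/prometheus/ca.crl;` closes that gap, and pinning `ssl_protocols TLSv1.2 TLSv1.3;` is preferable to inheriting the distribution's nginx default. Keep in mind that `/probe` with a caller-chosen `module` and `target` lets any authenticated client use this host as a port scanner against the LAN, so the set of CA-issued client certificates is effectively the access-control list for that capability.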


@ -0,0 +1,23 @@
{{ ansible_managed | comment }}
modules:
http_2xx:
prober: http
http:
http_post_2xx:
prober: http
http:
method: POST
tcp_connect:
prober: tcp
icmp:
prober: icmp
internal_tls_connect:
prober: tcp
timeout: 10s
tcp:
tls: true
tls_config:
ca_file: '/etc/prometheus/ca.crt'
cert_file: '/etc/prometheus/blackbox-{{ lan_address }}.crt'
key_file: '/etc/prometheus/blackbox-{{ lan_address }}.key'


@ -0,0 +1,21 @@
{{ ansible_managed | comment }}
# Set the command-line arguments to pass to the server.
{% if not args %}
ARGS=""
{% else %}
ARGS="\
{% for arg in args %}
--{{ arg.name }}={{ arg.value }} \
{% endfor %}
"
{% endif %}
# Usage of prometheus-blackbox-exporter:
# --config.file="blackbox.yml"
# Blackbox exporter configuration file.
# --web.listen-address=":9115"
# The address to listen on for HTTP requests.
# --timeout-offset=0.5 Offset to subtract from timeout in seconds.
# --log.level=info Only log messages with the given severity or above.
# One of: [debug, info, warn, error]


@ -0,0 +1,6 @@
[
{
"targets": [
]
}
]


@ -0,0 +1,7 @@
{{ ansible_managed | comment }}
tls_server_config:
cert_file: "/etc/prometheus/blackbox-{{ lan_address }}.crt"
key_file: "/etc/prometheus/blackbox-{{ lan_address }}.key"
client_auth_type: "RequireAndVerifyClientCert"
client_ca_file: "/etc/prometheus/ca.crt"
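Review bot: This `web-config.yaml` template is not deployed by anything in the blackbox role as committed — the `Copy the web-config folder` task and the `web.config.file` argument are both commented out — so it is dead configuration that a reader may take for the active mTLS setup, which is actually the nginx stub. Either drop the template or give it a header such as `# NOT IN USE: TLS is terminated by the nginx stub; re-enable with --web.config.file once the packaged exporter supports it`, so the two mechanisms are not confused.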


@ -0,0 +1,181 @@
---
groups:
- name: NodeAllInstances
rules:
- alert: InstanceDown
expr: up{job='node'} == 0
for: 5m
annotations:
title: 'Instance {{ $labels.instance }} down'
description: >-
{{ $labels.instance }} has been down for more than 5 minutes.
labels:
value: "{{ $value }}"
severity: critical
- alert: OutOfDiskSpace
expr: (100 - node_filesystem_avail_bytes{} *100 / node_filesystem_size_bytes{}) > 80
for: 1m
annotations:
title: '`{{ $labels.instance }}:{{ $labels.mountpoint }}` is out of space'
description: >-
Partition `{{ $labels.mountpoint }}` (`{{ $labels.device }}`) of {{ $labels.instance }}
uses {{ $value | printf "%.1f" }}% of its capacity.
labels:
value: "{{ $value }}"
severity: warning
- alert: OutOfMemory
expr: >-
(
node_memory_MemTotal_bytes
- node_memory_MemFree_bytes
- node_memory_Cached_bytes
- node_memory_Buffers_bytes
) / node_memory_MemTotal_bytes * 100 > 80
for: 1m
annotations:
title: '{{ $labels.instance }} is out of memory'
description: >-
{{ $labels.instance }} uses {{ $value | printf "%.1f" }}% of its memory capacity.
labels:
value: "{{ $value }}"
severity: warning
- alert: OutOfInode
expr: >-
(
node_filesystem_files
- node_filesystem_files_free
) / node_filesystem_files * 100 >= 90
for: 5m
annotations:
title: '`{{ $labels.instance }}:{{ $labels.mountpoint }}` is out of Inodes'
description: >-
Partition {{ $labels.mountpoint }} ({{ $labels.device }}) of {{ $labels.instance }}
uses {{ $value | printf "%.1f" }}% of its Inodes.
labels:
value: "{{ $value }}"
severity: warning
- alert: Swapping
expr: >-
(
node_memory_SwapTotal_bytes
- node_memory_SwapFree_bytes
) / node_memory_SwapTotal_bytes * 100 >= 50
for: 5m
annotations:
title: '{{ $labels.instance }} is using a lot of swap'
description: >-
{{ $labels.instance }} uses {{ $value | printf "%.1f" }}% of its memory capacity.
labels:
value: "{{ $value }}"
severity: warning
- alert: PhysicalComponentTooHot
expr: node_hwmon_temp_celsius > 79
for: 5m
annotations:
title: '{{ $labels.instance }} is heating up'
description: >-
The internal temperature of {{ $labels.instance }} is {{ $value }}°C!
labels:
value: "{{ $value }}"
severity: critical
- alert: PhysicalComponentHeatAlarm
expr: node_hwmon_temp_crit_alarm_celsius == 1
for: 0m
annotations:
title: 'The temperature alarm of {{ $labels.instance }} is up'
description: >-
Do something!
labels:
value: "{{ $value }}"
severity: critical
- alert: OOMKill
expr: increase(node_vmstat_oom_kill[1m]) > 0
for: 0m
annotations:
title: 'The kernel is killing processes'
description: >-
The kernel killed {{ $value }} proccesses (OOM killer)
labels:
value: "{{ $value }}"
severity: warning
- alert: CorrectableErrorDetected
expr: increase(node_edac_correctable_errors_total[1m]) > 0
for: 0m
annotations:
title: 'Memory errors have been corrected'
description: >-
{{ $value | printf "%.1f" }} error(s) have been corrected (EDAC)
labels:
value: "{{ $value }}"
severity: warning
- alert: UncorrectableErrorDetected
expr: increase(node_edac_uncorrectable_errors_total[1m]) > 0
for: 0m
annotations:
title: 'Memory errors could not be corrected'
description: >-
{{ $value | printf "%.1f" }} error(s) could not be corrected (EDAC)
labels:
value: "{{ $value }}"
severity: warning
- alert: UnhealthyDisk
expr: >-
(
smartmon_device_smart_healthy
and on (instance, disk)
smartmon_device_info{product!="QEMU HARDDISK"}
) < 1
for: 10m
annotations:
title: '`{{ $labels.instance }}:{{ $labels.disk }}` is unhealthy'
description: >-
Smartools detected that `{{ $labels.disk }}` on {{ $labels.instance }} is unhealthy
and will probably need to be changed.
labels:
value: "{{ $value }}"
severity: critical
- alert: ServiceFailed
expr: node_systemd_unit_state{state="failed"}==1
for: 10m
annotations:
title: '{{ $labels.name }} failed'
description: >-
The systemd service {{ $labels.name }} failed on {{ $labels.instance }}
labels:
value: "{{ $value }}"
severity: warning
- alert: CertExpLess30days
expr: (local_x509_expiry_date{job="blackbox internal tls"}-time()) < 2592000
annotations:
title: '{{ $labels.cname }} will expire soon'
description: >-
The certificate {{ $labels.cname }} on {{ $labels.instance }} at {{ $labels.file }}
will expire in {{ $value | humanizeDuration }}, it's time to renew it.
labels:
value: "{{ $value }}"
severity: 'warning'
- alert: CertExpLess10days
expr: (local_x509_expiry_date{job="blackbox internal tls"}-time()) < 864000
annotations:
title: '{{ $labels.cname }} expiracy is imminent!'
description: >-
The certificate {{ $labels.cname }} on {{ $labels.instance }} at {{ $labels.file }}
will expire in {{ $value | humanizeDuration }}, RENEW IT!!!
labels:
value: "{{ $value }}"
severity: 'critical'
...
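Review bot: The two `CertExpLess*` rules select `local_x509_expiry_date{job="blackbox internal tls"}`, but that metric comes from the node exporter's textfile collector and therefore carries `job="node"`, so the selector matches nothing and local certificate expiry never alerts; `local_x509_expiry_date{job="node"}` (or no job matcher at all) is what is intended. The `increase(...[1m])` expressions in `OOMKill` and the two EDAC rules are fragile as well: with the default 1m scrape interval (the prometheus.yml template leaves `scrape_interval` commented out) a 1m range often holds a single sample and `increase()` returns nothing, so a `[5m]` range is the safer choice. Finally, the `Swapping` description says "% of its memory capacity" where "% of its swap capacity" is meant.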


@ -0,0 +1,25 @@
#!/usr/bin/env bash
sanitize() {
while read -r data; do
set -- $data
printf %q "$1" | sed -e 's/\\ / /g'
done
}
print_metric() {
while read -r data; do
set -- $data
if [ -f "$1" ]; then
exp_date=`openssl x509 -enddate --noout -in "$1" | sed -e 's/notAfter=//g'`
exp_date_unixtime=`date -d "$exp_date" -u +%s`
cname=`openssl x509 -subject --noout -in "$1" | sed -e 's/^.*CN = //' | sed -e 's/,.*$//' | sanitize`
filename=`realpath "$1" | sanitize`
echo "local_x509_expiry_date{cname=\"$cname\",file=\"$filename\"} $exp_date_unixtime"
fi
done
}
echo '# HELP local_x509_expiry_date The cert expiry date in unixtime'
echo '# TYPE local_x509_expiry_date gauge'
printf '%s\n' "$@" | print_metric
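Review bot: Neither `openssl` call is checked for failure, so an unreadable or malformed certificate yields an empty `exp_date`, `date -d ""` silently resolves to the current time, and the exporter reports that the certificate expires right now (a false critical) instead of skipping the file. Guarding the first call, e.g. `exp_date=$(openssl x509 -enddate -noout -in "$1" 2>/dev/null) || continue`, together with `set -o pipefail` at the top of the script, keeps the metric honest. The `set -- $data` word splitting also silently drops any path containing whitespace (only `$1` is used), and the `CN = ` pattern assumes the OpenSSL 1.1+ subject format; both deserve a comment if they are accepted constraints.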


@ -0,0 +1,5 @@
# The list of certs to monitor
ARGS="
/etc/letsencrypt/live/**/cert.pem
/etc/hackypky/crts/*.crt
"
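Review bot: The `**` in `/etc/letsencrypt/live/**/cert.pem` is expanded by the collector's `bash -c` with `globstar` off, where `**` is simply `*`, so it matches one directory level rather than recursing. That happens to fit Let's Encrypt's `live/<name>/cert.pem` layout, but the intent should be stated so nobody relies on recursion, e.g. `# patterns are expanded by bash without globstar: ** behaves like *`.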


@ -0,0 +1,8 @@
[Unit]
Description=Collect local x509 certificate metrics for prometheus-node-exporter
[Service]
Type=oneshot
EnvironmentFile=/etc/default/prometheus-node-exporter-local_x509
Environment=TMPDIR=/var/lib/prometheus/node-exporter
ExecStart=/bin/bash -c "/usr/share/prometheus-node-exporter-collectors/local_x509.sh $ARGS | sponge /var/lib/prometheus/node-exporter/local_x509.prom"
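Review bot: The unit runs as root with no sandboxing although it only needs to read the listed certificate files and write one file under `/var/lib/prometheus/node-exporter`; root is presumably required for `/etc/letsencrypt/live`, but the blast radius of the shell pipeline can still be reduced with systemd hardening. The globs from `$ARGS` are expanded by the inner bash, so `ProtectSystem=strict` with an explicit `ReadWritePaths=` does not interfere with them; `PrivateNetwork=` is safe because nothing here talks to the network. Something along these lines, to be verified against the host's systemd version:
```ini
[Service]
Type=oneshot
EnvironmentFile=/etc/default/prometheus-node-exporter-local_x509
Environment=TMPDIR=/var/lib/prometheus/node-exporter
# Least privilege: read-only view of the filesystem, writes only to the textfile dir
ProtectSystem=strict
ReadWritePaths=/var/lib/prometheus/node-exporter
ProtectHome=true
PrivateDevices=true
PrivateNetwork=true
NoNewPrivileges=true
# … unchanged: ExecStart line …
```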


@ -0,0 +1,9 @@
[Unit]
Description=Run local x509 metrics collection every 15 minutes
[Timer]
OnBootSec=0
OnUnitActiveSec=15min
[Install]
WantedBy=timers.target


@ -0,0 +1,10 @@
---
- name: Restart prometheus-node-exporter
systemd:
name: prometheus-node-exporter
state: restarted
- name: Restart appointed_prometheus_server
systemd:
name: prometheus
state: restarted
delegate_to: "{{ appointed_prometheus_server }}"


@ -0,0 +1,69 @@
---
- name: Install moreutils # we need the sponge command
apt:
name:
- moreutils
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Ensure /usr/share/prometheus-node-exporter exist
file:
path: /usr/share/prometheus-node-exporter/
state: directory
group: root
owner: root
mode: u=rwx,g=rx,o=rx
# Optionnal, but used with the hacky_pki role
- name: Ensure /etc/hackypky/crts/ exist
file:
path: "{{ item }}"
state: directory
group: root
owner: root
mode: u=rwx,g=rx,o=rx
loop:
- /etc/hackypky
- /etc/hackypky/crts
- name: Add the script
copy:
src: local_x509.sh
dest: /usr/share/prometheus-node-exporter-collectors/local_x509.sh
group: root
owner: root
mode: u=rwx,g=,o=
- name: Add the env file
copy:
src: prometheus-node-exporter-local_x509
dest: /etc/default/prometheus-node-exporter-local_x509
group: root
owner: root
force: no
mode: u=rwx,g=r,o=r
- name: Add the timer
copy:
src: prometheus-node-exporter-local_x509.timer
dest: /lib/systemd/system/prometheus-node-exporter-local_x509.timer
group: root
owner: root
mode: u=rw,g=r,o=r
- name: Add the service
copy:
src: prometheus-node-exporter-local_x509.service
dest: /lib/systemd/system/prometheus-node-exporter-local_x509.service
group: root
owner: root
mode: u=rw,g=r,o=r
- name: Enable the timer
systemd:
name: prometheus-node-exporter-local_x509.timer
enabled: true
state: started
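Review bot: Unit files are dropped into `/lib/systemd/system` but nothing triggers a daemon reload, so an edited `.service` or `.timer` keeps running with the previously loaded definition; add `daemon_reload: true` to the `Enable the timer` task (or a handler notified by the two copy tasks). Two smaller inconsistencies: `Add the env file` gives a plain environment file `u=rwx,g=r,o=r`, where the execute bit is unnecessary and `u=rw,g=r,o=r` matches the unit files, and the directory created by `Ensure /usr/share/prometheus-node-exporter exist` is never used since the script is installed under `/usr/share/prometheus-node-exporter-collectors/`. `force: no` on the env file looks intentional (local edits to the certificate list survive reruns) and deserves a comment saying so.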


@ -0,0 +1,130 @@
---
- name: Use a newer version of Node exporter for ubuntu 20.04
block:
- name: Set the default release
lineinfile:
path: /etc/apt/apt.conf.d/01-vendor-ubuntu
regexp: '^APT::Default-Release '
line: "APT::Default-Release \"{{ ansible_facts['lsb']['codename'] }}\";"
- name: Pin node exporter
copy:
dest: /etc/apt/preferences.d/pin-prometheus-node-exporter
content: |
Package: prometheus-node-exporter
Pin: release n={{ ansible_facts['lsb']['codename'] }}
Pin-Priority: -10
Package: prometheus-node-exporter
Pin: release n=groovy
Pin-Priority: 900
- name: Add the repo from groovy
apt_repository:
repo: deb http://fr.archive.ubuntu.com/ubuntu groovy universe
state: present
when: ansible_facts['lsb']['id'] == 'Ubuntu' and ansible_facts['lsb']['codename'] == 'focal'
- name: Install Prometheus Node exporter
apt:
name:
- prometheus-node-exporter
- prometheus-node-exporter-collectors
state: latest
update_cache: true
install_recommends: false # Do not install smartmontools
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Install the local_x509 exporter
import_tasks: local_x509_collector.yml
- name: Ensure /etc/node_exporter exist
file:
path: /etc/node_exporter
state: directory
group: prometheus
owner: prometheus
mode: u=rwx,g=rx,o=rx
- name: Copy the config folder
template:
src: config.yaml
dest: /etc/node_exporter/config.yaml
group: prometheus
owner: prometheus
mode: u=rw,g=r,o=r
notify: Restart prometheus-node-exporter
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /etc/node_exporter/ca.crt
notify: Restart prometheus-node-exporter
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /etc/node_exporter/
cname: "node-exp-{{ lan_address }}"
owner: prometheus
group: prometheus
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
- name: Ensured the certificate is monitored
import_tasks: register-cert-to-monitoring.yml
vars:
target: "{{ lan_address }}:9100|node-exp-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
- name: Setup the arguments for node-exporter
template:
src: prometheus-node-exporter
dest: /etc/default/prometheus-node-exporter
owner: root
group: root
mode: u=rw,g=r,o=r
notify: Restart prometheus-node-exporter
vars:
args:
- name: web.listen-address
value: "{{ lan_address }}:9100"
- name: web.config
value: /etc/node_exporter/config.yaml
- name: Add the node to the server targets
block:
- name: Get the list of targets of the server
slurp:
src: /etc/prometheus/targets/node-targets.json
register: server_node_target_file
delegate_to: "{{ appointed_prometheus_server }}"
- name: Set target variable
set_fact:
server_node_target: "{{ server_node_target_file['content'] | b64decode | from_json }}"
- name: Register the node to the prometheus server
block:
- name: Add the node to the targets
set_fact:
new_server_node_target: "[{{ server_node_target[0] | combine({'targets': [lan_address + '|' + ansible_facts['nodename']]}, list_merge='append_rp') }}]"
- name: Put the new target list
copy:
content: "{{ new_server_node_target | to_nice_json }}"
dest: /etc/prometheus/node-targets.json
delegate_to: "{{ appointed_prometheus_server }}"
when: (lan_address + '|' + ansible_facts['nodename']) not in server_node_target.0.targets
- name: Add alert rules for node on the prometheus server
copy:
src: alerts-node.yml
dest: /etc/prometheus/alerts/node.yml
owner: prometheus
group: prometheus
mode: u=rw,g=r,o=r
delegate_to: "{{ appointed_prometheus_server }}"
notify: Restart appointed_prometheus_server
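Review bot: The node-registration block reads `/etc/prometheus/targets/node-targets.json` but writes the merged list to `/etc/prometheus/node-targets.json`, a different path, so the `file_sd_configs` entry watching `targets/node-targets.json` never sees new nodes and the `when` guard re-triggers on every run; the `dest:` of `Put the new target list` should be `/etc/prometheus/targets/node-targets.json`. Separately, the focal workaround adds the `groovy` universe pocket over plain `http://` and pins one package to it; Ubuntu 20.10 reached end of life in July 2021, so that node exporter receives no further security fixes and the pocket is liable to vanish from the mirror — a backport or an upstream release pinned by checksum would be more durable. The read-modify-write against the delegated host has the same concurrent-host lost-update exposure as `register-cert-to-monitoring.yml` unless it is throttled.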


@ -0,0 +1,23 @@
---
- name: Get the list of targets of the server
slurp:
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
register: server_tls_targets_file
delegate_to: "{{ appointed_prometheus_server }}"
- name: Set target variable from file
set_fact:
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
- name: Register the endpoint to the prometheus server
block:
- name: Add the target
set_fact:
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
- name: Put the new target list
copy:
content: "{{ new_server_tls_targets | to_nice_json }}"
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
delegate_to: "{{ appointed_prometheus_server }}"
when: target not in server_tls_targets.0.targets
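Review bot: This file is a byte-for-byte copy of the same task file in the blackbox-exporter and prometheus roles, so any fix (for example serialising the concurrent-host update of the shared targets file) will have to be applied three times. Moving it to a single shared role or `tasks/` include parameterised by `target` removes the drift risk. The `server_tls_targets[0]` index also assumes the JSON document is a non-empty list; a one-line `assert: that: server_tls_targets | length > 0` would give a readable failure instead of an undefined-variable error if the file is ever truncated.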


@ -0,0 +1,7 @@
{{ ansible_managed | comment }}
tls_server_config:
cert_file: "/etc/node_exporter/node-exp-{{ lan_address }}.crt"
key_file: "/etc/node_exporter/node-exp-{{ lan_address }}.key"
client_auth_type: "RequireAndVerifyClientCert"
client_ca_file: "/etc/node_exporter/ca.crt"


@ -0,0 +1,138 @@
{{ ansible_managed | comment }}
# Set the command-line arguments to pass to the server.
# Due to shell scaping, to pass backslashes for regexes, you need to double
# them (\\d for \d). If running under systemd, you need to double them again
# (\\\\d to mean \d), and escape newlines too.
{% if not args %}
ARGS=""
{% else %}
ARGS="\
{% for arg in args %}
--{{ arg.name }}={{ arg.value }} \
{% endfor %}
"
{% endif %}
# Prometheus-node-exporter supports the following options:
#
# --collector.diskstats.ignored-devices="^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"
# Regexp of devices to ignore for diskstats.
# --collector.filesystem.ignored-mount-points="^/(dev|proc|run|sys|mnt|media|var/lib/docker)($|/)"
# Regexp of mount points to ignore for filesystem
# collector.
# --collector.filesystem.ignored-fs-types="^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"
# Regexp of filesystem types to ignore for
# filesystem collector.
# --collector.netdev.ignored-devices="^lo$"
# Regexp of net devices to ignore for netdev
# collector.
# --collector.netstat.fields="^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*)|Tcp_(ActiveOpens|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$"
# Regexp of fields to return for netstat
# collector.
# --collector.ntp.server="127.0.0.1"
# NTP server to use for ntp collector
# --collector.ntp.protocol-version=4
# NTP protocol version
# --collector.ntp.server-is-local
# Certify that collector.ntp.server address is the
# same local host as this collector.
# --collector.ntp.ip-ttl=1 IP TTL to use while sending NTP query
# --collector.ntp.max-distance=3.46608s
# Max accumulated distance to the root
# --collector.ntp.local-offset-tolerance=1ms
# Offset between local clock and local ntpd time
# to tolerate
# --path.procfs="/proc" procfs mountpoint.
# --path.sysfs="/sys" sysfs mountpoint.
# --collector.qdisc.fixtures=""
# test fixtures to use for qdisc collector
# end-to-end testing
# --collector.runit.servicedir="/etc/service"
# Path to runit service directory.
# --collector.supervisord.url="http://localhost:9001/RPC2"
# XML RPC endpoint.
# --collector.systemd.unit-whitelist=".+"
# Regexp of systemd units to whitelist. Units must
# both match whitelist and not match blacklist to
# be included.
# --collector.systemd.unit-blacklist=".+(\\.device|\\.scope|\\.slice|\\.target)"
# Regexp of systemd units to blacklist. Units must
# both match whitelist and not match blacklist to
# be included.
# --collector.systemd.private
# Establish a private, direct connection to
# systemd without dbus.
# --collector.textfile.directory="/var/lib/prometheus/node-exporter"
# Directory to read text files with metrics from.
# --collector.vmstat.fields="^(oom_kill|pgpg|pswp|pg.*fault).*"
# Regexp of fields to return for vmstat collector.
# --collector.wifi.fixtures=""
# test fixtures to use for wifi collector metrics
# --collector.arp Enable the arp collector (default: enabled).
# --collector.bcache Enable the bcache collector (default: enabled).
# --collector.bonding Enable the bonding collector (default: enabled).
# --collector.buddyinfo Enable the buddyinfo collector (default:
# disabled).
# --collector.conntrack Enable the conntrack collector (default:
# enabled).
# --collector.cpu Enable the cpu collector (default: enabled).
# --collector.diskstats Enable the diskstats collector (default:
# enabled).
# --collector.drbd Enable the drbd collector (default: disabled).
# --collector.edac Enable the edac collector (default: enabled).
# --collector.entropy Enable the entropy collector (default: enabled).
# --collector.filefd Enable the filefd collector (default: enabled).
# --collector.filesystem Enable the filesystem collector (default:
# enabled).
# --collector.hwmon Enable the hwmon collector (default: enabled).
# --collector.infiniband Enable the infiniband collector (default:
# enabled).
# --collector.interrupts Enable the interrupts collector (default:
# disabled).
# --collector.ipvs Enable the ipvs collector (default: enabled).
# --collector.ksmd Enable the ksmd collector (default: disabled).
# --collector.loadavg Enable the loadavg collector (default: enabled).
# --collector.logind Enable the logind collector (default: disabled).
# --collector.mdadm Enable the mdadm collector (default: enabled).
# --collector.meminfo Enable the meminfo collector (default: enabled).
# --collector.meminfo_numa Enable the meminfo_numa collector (default:
# disabled).
# --collector.mountstats Enable the mountstats collector (default:
# disabled).
# --collector.netdev Enable the netdev collector (default: enabled).
# --collector.netstat Enable the netstat collector (default: enabled).
# --collector.nfs Enable the nfs collector (default: enabled).
# --collector.nfsd Enable the nfsd collector (default: enabled).
# --collector.ntp Enable the ntp collector (default: disabled).
# --collector.qdisc Enable the qdisc collector (default: disabled).
# --collector.runit Enable the runit collector (default: disabled).
# --collector.sockstat Enable the sockstat collector (default:
# enabled).
# --collector.stat Enable the stat collector (default: enabled).
# --collector.supervisord Enable the supervisord collector (default:
# disabled).
# --collector.systemd Enable the systemd collector (default: enabled).
# --collector.tcpstat Enable the tcpstat collector (default:
# disabled).
# --collector.textfile Enable the textfile collector (default:
# enabled).
# --collector.time Enable the time collector (default: enabled).
# --collector.uname Enable the uname collector (default: enabled).
# --collector.vmstat Enable the vmstat collector (default: enabled).
# --collector.wifi Enable the wifi collector (default: enabled).
# --collector.xfs Enable the xfs collector (default: enabled).
# --collector.zfs Enable the zfs collector (default: enabled).
# --collector.timex Enable the timex collector (default: enabled).
# --web.listen-address=":9100"
# Address on which to expose metrics and web
# interface.
# --web.telemetry-path="/metrics"
# Path under which to expose metrics.
# --log.level="info" Only log messages with the given severity or
# above. Valid levels: [debug, info, warn, error,
# fatal]
# --log.format="logger:stderr"
# Set the log target and format. Example:
# "logger:syslog?appname=bob&local=7" or
# "logger:stdout?json=true"


@ -0,0 +1,5 @@
---
- name: Restart prometheus
systemd:
name: prometheus
state: restarted


@ -0,0 +1,2 @@
dependencies:
- role: install_nginx


@ -0,0 +1,117 @@
---
- name: Install Prometheus Components
apt:
name:
- prometheus
- prometheus-pushgateway
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Ensure the alert folder exist
file:
path: /etc/prometheus/alerts
state: directory
group: prometheus
owner: prometheus
mode: u=rwx,g=rx,o=rx
- name: Ensure the target folder exist
file:
path: /etc/prometheus/targets
state: directory
group: prometheus
owner: prometheus
mode: u=rwx,g=rx,o=rx
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /etc/prometheus/ca.crt
notify:
- Restart prometheus
- Reload nginx
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /etc/prometheus/
cname: "prometheus-{{ lan_address }}"
owner: prometheus
group: prometheus
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
- name: Ensured the certificate is monitored
import_tasks: register-cert-to-monitoring.yml
vars:
target: "{{ lan_address }}:9090|prometheus-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
- name: Setup the prometheus config
template:
src: prometheus.yml
dest: /etc/prometheus/prometheus.yml
owner: prometheus
group: prometheus
mode: '0640'
notify: Restart prometheus
no_log: true
- name: Add node targets file
template:
src: node-targets.json
dest: "/etc/prometheus/targets/{{ item }}-targets.json"
owner: prometheus
group: prometheus
mode: '0640'
force: no
notify: Restart prometheus
loop:
- blackbox-http-down
- blackbox-http-up
- blackbox-tls-internal
- node
- name: Copy the web-config folder
template:
src: web-config.yaml
dest: /etc/prometheus/web-config.yaml
group: prometheus
owner: prometheus
mode: u=rw,g=r,o=r
notify: Restart prometheus
- name: Setup the arguments for prometheus
template:
src: prometheus
dest: /etc/default/prometheus
owner: root
group: root
mode: '0644'
notify: Restart prometheus
vars:
args:
- name: web.listen-address
value: "127.0.0.1:9090"
# value: "{{ lan_address }}:9090"
# - name: web.config.file # Not available before 2.24, and it sucks
# value: /etc/prometheus/web-config.yaml
# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
# Think prometheus, think!
- name: Copy the nginx config
template:
src: atrocious_nginx_stub
dest: "/etc/nginx/sites-available/internal-prometheus"
notify: Reload nginx
- name: Activate the config
file:
src: "/etc/nginx/sites-available/internal-prometheus"
dest: "/etc/nginx/sites-enabled/internal-prometheus"
state: link
force: yes
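Review bot: `prometheus-pushgateway` is installed here but never configured, fronted or scraped; by default the Debian package starts it listening on port 9091 on all interfaces without authentication, so unless a firewall rule outside this commit covers it, anyone on the LAN can push arbitrary metrics — and no scrape config consumes them anyway. Either drop the package or give it the same `127.0.0.1` listen address and nginx mTLS stub that Prometheus gets. The `web-config.yaml` template is also deployed while the `--web.config.file` argument that would consume it is commented out; a short comment on the `Copy the web-config folder` task noting that it is inactive would prevent confusion.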


@ -0,0 +1,23 @@
---
- name: Get the list of targets of the server
slurp:
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
register: server_tls_targets_file
delegate_to: "{{ appointed_prometheus_server }}"
- name: Set target variable from file
set_fact:
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
- name: Register the endpoint to the prometheus server
block:
- name: Add the target
set_fact:
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
- name: Put the new target list
copy:
content: "{{ new_server_tls_targets | to_nice_json }}"
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
delegate_to: "{{ appointed_prometheus_server }}"
when: target not in server_tls_targets.0.targets
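Review bot: Registration is append-only: a host whose `lan_address` or `nodename` changes gets a second entry while the old one stays in the file, and a decommissioned host is never removed, so the blackbox TLS job keeps probing dead endpoints and the corresponding probe-down alerts fire indefinitely. A cleanup path should accompany this — for instance matching existing entries by the middle `|cname|` field and replacing rather than appending, or at least a documented manual step. As in the other copies of this file, the read-modify-write against the delegated host is not serialised across concurrently running hosts.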


@ -0,0 +1,13 @@
{{ ansible_managed | comment }}
server {
listen {{ lan_address }}:9090 ssl;
ssl_certificate /etc/prometheus/prometheus-{{ lan_address }}.crt;
ssl_certificate_key /etc/prometheus/prometheus-{{ lan_address }}.key;
ssl_client_certificate /etc/prometheus/ca.crt;
ssl_verify_client on;
location / {
proxy_pass http://127.0.0.1:9090;
}
}
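Review bot: `ssl_verify_client on` makes any certificate issued by the internal CA a valid Prometheus client, including the server certificates generated for every node exporter and blackbox host, so a compromised monitored node can present its own `node-exp-*` key and read the whole metrics store. Checking the client subject gives actual authorisation, e.g. `if ($ssl_client_s_dn !~ "CN=(grafana|prometheus)-") { return 403; }`, adjusted to whichever CNs legitimately query Prometheus; pinning `ssl_protocols TLSv1.2 TLSv1.3;` instead of inheriting the distribution default belongs here too. Ideally client and server certificates would be issued with distinct extended key usages so that the CA itself enforces the separation rather than nginx string matching.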


@ -0,0 +1,6 @@
[
{
"targets": [
]
}
]


@ -0,0 +1,67 @@
{{ ansible_managed | comment }}
# Set the command-line arguments to pass to the server.
{% if not args %}
ARGS=""
{% else %}
ARGS="\
{% for arg in args %}
--{{ arg.name }}={{ arg.value }} \
{% endfor %}
"
{% endif %}
# Prometheus supports the following options:
# --config.file="/etc/prometheus/prometheus.yml"
# Prometheus configuration file path.
# --web.listen-address="0.0.0.0:9090"
# Address to listen on for UI, API, and telemetry.
# --web.read-timeout=5m Maximum duration before timing out read of the
# request, and closing idle connections.
# --web.max-connections=512 Maximum number of simultaneous connections.
# --web.external-url=<URL> The URL under which Prometheus is externally
# reachable (for example, if Prometheus is served
# via a reverse proxy). Used for generating
# relative and absolute links back to Prometheus
# itself. If the URL has a path portion, it will
# be used to prefix all HTTP endpoints served by
# Prometheus. If omitted, relevant URL components
# will be derived automatically.
# --web.route-prefix=<path> Prefix for the internal routes of web endpoints.
# Defaults to path of --web.external-url.
# --web.local-assets="/usr/share/prometheus/web/"
# Path to static asset/templates directory.
# --web.user-assets=<path> Path to static asset directory, available at
# /user.
# --web.enable-lifecycle Enable shutdown and reload via HTTP request.
# --web.enable-admin-api Enables API endpoints for admin control actions.
# --web.console.templates="/etc/prometheus/consoles"
# Path to the console template directory,
# available at /consoles.
# --web.console.libraries="/etc/prometheus/console_libraries"
# Path to the console library directory.
# --storage.tsdb.path="/var/lib/prometheus/metrics2/"
# Base path for metrics storage.
# --storage.tsdb.min-block-duration=2h
# Minimum duration of a data block before being
# persisted.
# --storage.tsdb.max-block-duration=<duration>
# Maximum duration compacted blocks may span.
# (Defaults to 10% of the retention period)
# --storage.tsdb.retention=15d
# How long to retain samples in the storage.
# --storage.tsdb.use-lockfile
# Create a lockfile in data directory.
# --alertmanager.notification-queue-capacity=10000
# The capacity of the queue for pending alert
# manager notifications.
# --alertmanager.timeout=10s
# Timeout for sending alerts to Alertmanager.
# --query.lookback-delta=5m The delta difference allowed for retrieving
# metrics during expression evaluations.
# --query.timeout=2m Maximum time a query may take before being
# aborted.
# --query.max-concurrency=20
# Maximum number of queries executed concurrently.
# --log.level=info Only log messages with the given severity or
# above. One of: [debug, info, warn, error]


@ -0,0 +1,117 @@
{{ ansible_managed | comment }}
global:
# scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
# evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
# scrape_timeout is set to the global default (10s).
# Attach these labels to any time series or alerts when communicating with
# external systems (federation, remote storage, Alertmanager).
external_labels:
# monitor: 'example'
# Alertmanager configuration
alerting:
alertmanagers:
- static_configs:
- targets: ['{{ lan_address }}:9093']
scheme: https
tls_config:
ca_file: '/etc/prometheus/ca.crt'
cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
- "alerts/*.yml"
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: 'prometheus'
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
static_configs:
- targets: ['{{ lan_address }}:9090']
scheme: https
tls_config:
ca_file: '/etc/prometheus/ca.crt'
cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
- job_name: node
file_sd_configs:
- files:
- '/etc/prometheus/targets/node-targets.json'
relabel_configs:
# Use hostnames instead of ip for the instance label
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
regex: '.*\|(.*)'
replacement: '$1'
- source_labels: [__param_target]
target_label: __address__
regex: '(.*)\|.*'
replacement: '$1:9100'
scheme: https
tls_config:
ca_file: '/etc/prometheus/ca.crt'
cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
{% for target_type in ('http-up', 'http-down') %}
- job_name: blackbox {{ target_type }}
metrics_path: /probe
params:
module: [http_2xx]
file_sd_configs:
- files:
- '/etc/prometheus/targets/blackbox-{{ target_type }}-targets.json'
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: {{ lan_address }}:9115
scheme: https
tls_config:
ca_file: '/etc/prometheus/ca.crt'
cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
{% endfor %}
- job_name: blackbox internal tls
metrics_path: /probe
params:
module: [internal_tls_connect]
file_sd_configs:
- files:
- '/etc/prometheus/targets/blackbox-tls-internal-targets.json'
relabel_configs:
- source_labels: [__address__]
target_label: __tmp_address
- source_labels: [__tmp_address]
target_label: __param_target
regex: '(.*)\|.*\|.*'
replacement: '$1'
- source_labels: [__tmp_address]
target_label: cname
regex: '.*\|(.*)\|.*'
replacement: '$1'
- source_labels: [__tmp_address]
target_label: instance
regex: '.*\|.*\|(.*)'
replacement: '$1'
- target_label: __address__
replacement: 172.20.1.1:9115
scheme: https
tls_config:
ca_file: '/etc/prometheus/ca.crt'
cert_file: '/etc/prometheus/prometheus-172.20.1.1.crt'
key_file: '/etc/prometheus/prometheus-172.20.1.1.key'
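Review bot: The `blackbox internal tls` job hard-codes `172.20.1.1` for the blackbox address and for the client certificate and key paths, while every other job in this template uses `{{ lan_address }}`; on any Prometheus server other than that host the scrape goes to the wrong exporter and the referenced `prometheus-172.20.1.1.crt` does not exist. Replace the three occurrences with `{{ lan_address }}` so the job matches the rest of the file. Note also that `scrape_interval` is left at the 1m default, which interacts badly with the `[1m]` `increase()` ranges used in the node alert rules.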


@ -0,0 +1,7 @@
{{ ansible_managed | comment }}
tls_server_config:
cert_file: "/etc/prometheus/prometheus-{{ lan_address }}.crt"
key_file: "/etc/prometheus/prometheus-{{ lan_address }}.key"
client_auth_type: "RequireAndVerifyClientCert"
client_ca_file: "/etc/prometheus/ca.crt"